Bug 159315 - If user's home dirs are in /var/home fixfiles will label them var_t
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All Linux
Priority: medium Severity: low
Assigned To: Daniel Walsh
Reported: 2005-06-01 12:52 EDT by Tomasz Ostrowski
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-09-27 16:05:26 EDT
Description Tomasz Ostrowski 2005-06-01 12:52:35 EDT
Description of problem:
I'm using 2 partitions in my systems: / and /var. I don't want to have user's
home dirs on / partition so I set default home directory parent to /var/home

Because ordinary user home directories definitions
    HOME_ROOT               -d      system_u:object_r:home_root_t
    HOME_DIR                -d      system_u:object_r:ROLE_home_dir_t
    HOME_DIR/.+                     system_u:object_r:ROLE_home_t
are in top part of types.fc so they are overwritten by following entry:
    /var(/.*)?                      system_u:object_r:var_t
and fixfiles sets them to var_t context.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.17.30-2.96

How reproducible:
Always

Steps to Reproduce:
1. mkdir /var/home
2. useradd -D -b /var/home
3. useradd -c "Test User" test
4. fixfiles check /var/home/test

Actual results:
/sbin/restorecon reset context
/var/home/test:root:object_r:user_home_dir_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_logout:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bashrc:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_profile:root:object_r:user_home_t->system_u:object_r:var_t

Expected results:
no output from fixfiles

Additional info:
I'd suggest moving ordinary user home directories definitions to the bottom of
types.fc

This will also be a problem with strict policy, I think.
Comment 1 Daniel Walsh 2005-06-08 09:13:12 EDT
What does genhomedircon produce?

This is fixed in FC4, BTW.  But not sure what the outcome would be in FC3.

Does /var/home exist in /etc/selinux/targeted/contexts/files/file_contexts?
Comment 2 Tomasz Ostrowski 2005-06-08 09:50:43 EDT
genhomedircon does not produce any output and returns successfully with
/var/home/test set to root:object_r:var_t or root:object_r:user_home_dir_t

root@korweta:~# grep home /etc/selinux/targeted/contexts/files/file_contexts
# Ordinary user home directories.
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
# HOME_DIR expands to each user's home directory,
/var/home               -d      system_u:object_r:home_root_t
/var/home/[^/]+         -d      system_u:object_r:user_home_dir_t
/var/home/[^/]+/.+                      system_u:object_r:user_home_t
/var/home/\.journal             <<none>>
/var/home/lost\+found(/.*)?     system_u:object_r:lost_found_t
/var/home/[^/]+/((www)|(web)|(public_html))(/.+)?       system_u:object_r:httpd_user_content_t
/root           -d      root:object_r:user_home_dir_t
/root/.+                        root:object_r:user_home_t
Comment 3 Daniel Walsh 2005-06-08 10:35:22 EDT
Ok, could you try

1. mkdir /var/home
2. useradd -D -b /var/home
3. genhomedircon
4. restorecon -R -v /var/home
5. useradd -c "Test User" test
Comment 4 Tomasz Ostrowski 2005-06-08 11:44:40 EDT
1. mkdir /var/home
#ls -ldZ /var/home
drwxr-xr-x  root     root     system_u:object_r:var_t          /var/home/

2. useradd -D -b /var/home
useradd -D
GROUP=100
HOME=/var/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

3. genhomedircon
#ls -ldZ /var/home
drwxr-xr-x  root     root     system_u:object_r:var_t          /var/home/

4. restorecon -R -v /var/home
restorecon reset context
/var/home:system_u:object_r:var_t->system_u:object_r:home_root_t
#ls -ldZ /var/home
drwxr-xr-x  root     root     system_u:object_r:home_root_t    /var/home/

5. useradd -c "Test User" test
#ls -ldZ /var/home/test
drwx------  test     test     root:object_r:user_home_dir_t    /var/home/test/
#fixfiles check /var/home
/sbin/restorecon reset context
/var/home/test:root:object_r:user_home_dir_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_logout:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bashrc:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_profile:root:object_r:user_home_t->system_u:object_r:var_t
#restorecon -R -v /var/home
restorecon reset context
/var/home/test:root:object_r:user_home_dir_t->system_u:object_r:var_t
restorecon reset context
/var/home/test/.bash_logout:root:object_r:user_home_t->system_u:object_r:var_t
restorecon reset context
/var/home/test/.bashrc:root:object_r:user_home_t->system_u:object_r:var_t
restorecon reset context
/var/home/test/.bash_profile:root:object_r:user_home_t->system_u:object_r:var_t
#ls -ldZ /var/home/test
drwx------  test     test     system_u:object_r:var_t          /var/home/test/

Not good
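
Added example (not part of the original report and not libselinux code): a simplified model of the file_contexts lookup that reproduces the labels seen in comment 4 and shows the effect of the reporter's suggestion to move the home directory rules to the bottom. It assumes that entries without regex metacharacters take precedence and that otherwise the last matching entry wins; parse, lookup and move_home_rules_last are hypothetical names.

```python
import re

# Constructed from the entries quoted in this report: expanded home
# directory rules first, the generic /var rule after them.
REPORTED = r"""
/var/home               -d      system_u:object_r:home_root_t
/var/home/[^/]+         -d      system_u:object_r:user_home_dir_t
/var/home/[^/]+/.+              system_u:object_r:user_home_t
/var(/.*)?                      system_u:object_r:var_t
"""
META = set(".^$?*+|[({")  # regex metacharacters


def parse(text):
    """Return [(regex, dirs_only, context, literal)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # a backslash-escaped character is a literal, not a metacharacter
        bare = re.sub(r"\\.", "", fields[0])
        dirs_only = len(fields) == 3 and fields[1] == "-d"
        specs.append((re.compile(fields[0]), dirs_only, fields[-1],
                      not (META & set(bare))))
    return specs


def lookup(specs, path, is_dir):
    """Assumed model: literal paths beat regexes, then the last match wins."""
    ordered = sorted(specs, key=lambda s: s[3])  # stable sort, literals last
    for regex, dirs_only, context, _ in reversed(ordered):
        if dirs_only and not is_dir:
            continue
        if regex.fullmatch(path):  # file_contexts patterns match whole paths
            return context
    return None


def move_home_rules_last(specs):
    """The reporter's suggestion: home directory rules after /var(/.*)?."""
    home = [s for s in specs if s[0].pattern.startswith("/var/home")]
    rest = [s for s in specs if not s[0].pattern.startswith("/var/home")]
    return rest + home
```

Under this model /var/home keeps home_root_t because its entry is a literal path, while /var/home/test falls through to the later /var(/.*)? entry, which matches the restorecon output above.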
Comment 5 Daniel Walsh 2005-09-27 16:05:26 EDT
Fixed in FC4.  We redesigned the way homedirs are handled.
