Bug 178569 - Setting correct ACLs for /export/home
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
Severity: medium
Assigned To: Daniel Walsh
Status: Reopened
Blocks: 222778
Reported: 2006-01-21 14:57 EST by David Highley
Modified: 2008-01-31 11:54 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-01-31 11:54:00 EST
Description David Highley 2006-01-21 14:57:39 EST
Description of problem:
I copied the lines for setting ACLs pertaining to home directories from
/etc/selinux/targeted/contexts/files/file_contexts.homedirs to
/etc/selinux/targeted/users/local.users then I prefixed each line with

I then did a fixfiles relabel. I followed this with an ls -Z /export/home and saw
ACLs of system_u:object_r:default_t, not user_home_dir_t.

Comments in the file_contexts.homedirs say to modify the local.users file for site specific changes.

Steps to Reproduce:
1. Edit local.users file.
2. fixfiles relabel
3. ls -Z /export/home

Comment 1 Daniel Walsh 2006-01-23 09:07:52 EST
You should copy them to /etc/selinux/targeted/contexts/files/file_contexts.local

Do you have user homedirs in /export/home?  Or are you just storing additional
user files there?

Comment 2 David Highley 2006-01-23 10:40:59 EST
Using the file file_contexts.local fixed the labeling issue. Yes, /export/home
is the physical location of the auto home user directory storage, a very common
setup for automounting home directories.
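The workaround from Comment 1, as an added example that is not part of this bug report: the /home rules from file_contexts.homedirs are re-anchored at the physical storage path and emitted as a fragment for file_contexts.local. The sample contexts file is constructed, and rewrite_homedir_contexts and HOMEDIRS_SAMPLE are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report: derive the file_contexts.local
# entries for home directories physically stored under /export/home, as
# Comment 1 recommends, by re-anchoring the /home rules from
# file_contexts.homedirs. HOMEDIRS_SAMPLE is a constructed stand-in for
# /etc/selinux/targeted/contexts/files/file_contexts.homedirs (FC4-era
# contexts without an MLS field); the real file carries more rules.

HOMEDIRS_SAMPLE='# Home directory contexts (constructed sample)
/home  -d  system_u:object_r:home_root_t
/home/[^/]*  -d  system_u:object_r:user_home_dir_t
/home/[^/]*/.+  system_u:object_r:user_home_t
/root(/.*)?  system_u:object_r:user_home_t
'

# rewrite_homedir_contexts REAL_ROOT   (reads file_contexts.homedirs on stdin)
# Prints a fragment for file_contexts.local in which every rule anchored at
# /home is re-anchored at REAL_ROOT. Comments, blank lines and rules for other
# paths (/root here) are dropped: they are not home-directory storage, and
# repeating them in file_contexts.local would only shadow the distribution's
# own rules.
rewrite_homedir_contexts() {
    real_root=$1
    # '|' is the sed delimiter and '&' is special in a sed replacement.
    case $real_root in
        *'|'*|*'&'*) echo "path must not contain '|' or '&'" >&2; return 1 ;;
    esac
    grep -v '^[[:space:]]*#' \
        | grep -E '^/home([[:space:]]|/)' \
        | sed "s|^/home|$real_root|"
}

# Usage on a real host: append the fragment, relabel the storage path, then
# verify with matchpathcon and ls -Z as in Comment 7.
#   rewrite_homedir_contexts /export/home \
#       < /etc/selinux/targeted/contexts/files/file_contexts.homedirs \
#       >> /etc/selinux/targeted/contexts/files/file_contexts.local
#   restorecon -R -v /export/home      # or: fixfiles relabel
#   matchpathcon /export/home/*
```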
Comment 3 Daniel Walsh 2006-01-23 10:54:59 EST
Are there any entries in the passwd file or in your passwd databases that point
homedirs to /export/home?

Ie would you have an entry for user dwalsh with /export/home/dwalsh as his

If yes genhomedircon should have picked this up and added the appropriate file

Comment 4 David Highley 2006-01-23 23:24:54 EST
There are no other directories or files in /export/home besides home directories.
The password file has all home directories as /home/<user>.
Comment 5 Daniel Walsh 2006-02-14 15:45:29 EST
Added this fix to policycoreutils in rawhide for FC5.  I don't think it is
needed for FC4.
Comment 6 David Highley 2007-03-05 14:41:55 EST
I just did a touch /.autorelabel and reboot. The home directories were
mislabeled. The policies are not working when the home directories are automounted
and the real file location is /export/home. So I had to re-label, restorecon -rv
/home/user, to fix the labeling again.

[dhighley@douglas ~]$ rpm -qa | grep selinux
Comment 7 Daniel Walsh 2007-03-06 12:53:58 EST
matchpathcon /export/home/*

The problem is that we have no way of knowing the homedirs are in /export/home
and no way to label them correctly.  In a strict policy machine I might have
dwalsh with a homedir labeled staff_home_t and you might have one labeled
user_home_t.  If the passwd file says our home dirs are in /home/dwalsh and
/home/dhighley, it will set up the labeling for those directories, not
/export/home/dwalsh and /export/home/dhighley.

Not sure of a good solution.
Comment 8 David Highley 2007-03-07 10:16:48 EST
I understand the complexity of determining automount home directory storage
locations, but if selinux is predicated on correct labeling and we have no way
to ensure that the labeling is correct, then we have a real issue in its
viability. By the way, we have more than an academic interest in this.

With an NIS or files implementation I can envision how to dump all the users
from the passwd file and attempt to recursively label through the
automount point. It would fail if the storage was not local to the host where
the labeling is running, but that would be OK.

If it is an LDAP implementation, which we have not migrated to yet, you would need to
query out all the users and their home directory locations before you could
attempt to recursively label each location.

This could definitely add time and complexity to the process of file system
labeling, but if it is not done correctly then we have a bigger issue.
Comment 9 David Highley 2008-01-30 10:34:38 EST
After upgrading to Fedora 8 and the policy changes I'm not sure this report
should remain open.
