Bug 178569 - Setting correct ACLs for /export/home
Summary: Setting correct ACLs for /export/home
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 222778
Reported: 2006-01-21 19:57 UTC by David Highley
Modified: 2008-01-31 16:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-31 16:54:00 UTC
Type: ---
Embargoed:



Description David Highley 2006-01-21 19:57:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
I copied the lines for setting ACLs pertaining to home directories from
/etc/selinux/targeted/contexts/files/file_contexts.homedirs to
/etc/selinux/targeted/users/local.users then I prefixed each line with
/export/home

I then did a fixfiles relabel. I followed this with an ls -Z /export/home and see
ACLs of system_u:object_r:default_t, not user_home_dir_t.

Comments in the file_contexts.homedirs say to modify the local.users file for site specific changes.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16

How reproducible:
Always

Steps to Reproduce:
1. Edit local.users file.
2. fixfiles relabel
3. ls -Z /export/home

Additional info:

Comment 1 Daniel Walsh 2006-01-23 14:07:52 UTC
You should copy them to /etc/selinux/targeted/contexts/files/file_contexts.local

Do you have user homedirs in /export/home?  Or are you just storing additional
user files there?

Dan

Comment 2 David Highley 2006-01-23 15:40:59 UTC
Using the file file_contexts.local fixed the labeling issue. Yes, /export/home
is the physical location of the auto home user directory storage, a very common
setup for automounting home directories.

Comment 3 Daniel Walsh 2006-01-23 15:54:59 UTC
Are there any entries in the passwd file or in your passwd databases that point
homedirs to /export/home?

I.e., would you have an entry for user dwalsh with /export/home/dwalsh as his
homedir?

If yes genhomedircon should have picked this up and added the appropriate file
context.

Dan

Comment 4 David Highley 2006-01-24 04:24:54 UTC
There are no other directories or files in /export/home besides home directories.
The password file has all home directories as /home/<user>.

Comment 5 Daniel Walsh 2006-02-14 20:45:29 UTC
Added this fix to policycoreutils in rawhide for FC5.  I don't think it is
needed for FC4.

Comment 6 David Highley 2007-03-05 19:41:55 UTC
I just did a touch /.autorelabel and reboot. The home directories were
mislabeled. The policies are not working when the home directories are automounted
and the real file location is /export/home. So I had to relabel with restorecon -rv
/home/user to fix the labeling again.

[dhighley@douglas ~]$ rpm -qa | grep selinux
libselinux-python-1.33.4-2.fc6
libselinux-1.33.4-2.fc6
libselinux-1.33.4-2.fc6
libselinux-devel-1.33.4-2.fc6
libselinux-devel-1.33.4-2.fc6
selinux-policy-2.4.6-41.fc6
selinux-policy-targeted-2.4.6-41.fc6

Comment 7 Daniel Walsh 2007-03-06 17:53:58 UTC
matchpathcon /export/home/*

The problem is that we have no way of knowing the homedirs are in /export/home
and no way to label them correctly.  In a strict policy machine I might have
dwalsh with a homedir labeled staff_home_t and you might have one labeled
user_home_t.  If the passwd file says our home dirs are in /home/dwalsh and
/home/dhighley, it will set up the labeling for those directories, not
/export/home/dwalsh and /export/home/dhighley.

Not sure of a good solution.

Comment 8 David Highley 2007-03-07 15:16:48 UTC
I understand the complexity of determining automount home directory storage
locations, but if selinux is predicated on correct labeling and we have no way
to ensure that the labeling is correct then we have a real issue in its
viability. By the way, we have more than an academic interest in this.

With an NIS or files implementation I can envision how to dump all the users
from the passwd file and attempt to recursively label through the
automount point. It would fail if the storage was not local to the host where
the labeling is running, but that would be OK.

If it is an LDAP implementation, which we have not migrated to yet, you would need to
query out all the users and their home directory locations before you could
attempt to recursively label each location.

This could definitely add time and complexity to the process of file system
labeling but if it is not done correctly then we have a bigger issue.
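One way to script the two steps discussed in Comments 1-2 (building file_contexts.local entries for /export/home from the generated /home entries) and Comment 8 (enumerating the home roots that passwd actually names), as an added example that is not part of this bug report. The sample file_contexts and passwd lines are constructed, and the UID_MIN of 500 is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report. Derives /export/home entries for
# /etc/selinux/targeted/contexts/files/file_contexts.local from the generated
# /home entries, and lists the home roots named in passwd so an admin can see
# which storage roots genhomedircon cannot know about (Comment 7).
# Assumes the file_contexts line format "regex [-d] context", whitespace-separated.

# Rewrite the leading /home of every /home entry to the real storage root.
# Usage: rewrite_homedir_contexts /export/home < file_contexts.homedirs
rewrite_homedir_contexts() {
    new_root=$1
    # keep only entries whose regex starts with /home (drops /root, comments, blanks)
    grep -E '^/home([/[:space:]]|$)' | sed "s|^/home|${new_root}|"
}

# From passwd-format lines, print the distinct parent directory of each
# non-system user's home (UID >= 500 assumed as UID_MIN; 65534 is nfsnobody).
# Usage: getent passwd | list_home_roots
list_home_roots() {
    awk -F: '$3 >= 500 && $3 != 65534 { h = $6; sub(/\/[^\/]*$/, "", h); print h }' | sort -u
}

# Constructed sample in the file_contexts.homedirs format.
SAMPLE_HOMEDIRS='# generated by genhomedircon
/home   -d  system_u:object_r:home_root_t:s0
/home/[^/]*   -d  system_u:object_r:user_home_dir_t:s0
/home/[^/]*/.+   system_u:object_r:user_home_t:s0
/root(/.*)?   system_u:object_r:user_home_t:s0'

# Constructed passwd lines: automounted users still say /home/<user>,
# which is why the generated contexts never mention /export/home.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dhighley:x:500:500::/home/dhighley:/bin/bash
dwalsh:x:501:501::/home/dwalsh:/bin/bash
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin'

echo "# append to file_contexts.local, then run: restorecon -R -v /export/home"
printf '%s\n' "$SAMPLE_HOMEDIRS" | rewrite_homedir_contexts /export/home
echo "# home roots named in passwd (any other backing store is invisible to genhomedircon):"
printf '%s\n' "$SAMPLE_PASSWD" | list_home_roots
```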

Comment 9 David Highley 2008-01-30 15:34:38 UTC
After upgrading to Fedora 8 and the policy changes I'm not sure this report
should remain open.

