Red Hat Bugzilla – Bug 178569
Setting correct ACLs for /export/home
Last modified: 2008-01-31 11:54:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7
Description of problem:
I copied the lines for setting ACLs pertaining to home directories from
/etc/selinux/targeted/users/local.users then I prefixed each line with
I then did a fixfiles relabel. I followed this with an ls -Z /export/home and saw
ACLs of system_u:object_r:default_t, not user_home_dir_t.
Comments in the file_contexts.homedirs say to modify the local.users file for site specific changes.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Edit local.users file.
3. ls -Z /export/home
You should copy them to /etc/selinux/targeted/contexts/files/file_contexts.local
Do you have user homedirs in /export/home? Or are you just storing additional
user files there?
Using the file file_contexts.local fixed the labeling issue. Yes, /export/home
is the physical location of the auto home user directory storage, a very common
setup for automounting home directories.
Are there any entries in the passwd file or in your passwd databases that point
homedirs to /export/home?
I.e. would you have an entry for user dwalsh with /export/home/dwalsh as his
If yes genhomedircon should have picked this up and added the appropriate file
There are no other directories or files in /export/home besides home directories.
The password file has all home directories as /home/<user>.
Added this fix to policycoreutils in rawhide for FC5. I don't think it is
needed for FC4.
I just did a touch /.autorelabel and reboot. The home directories were
mislabeled. The policies are not working when the home directories are auto mounted
and the real file location is /export/home. So I had to re-label, restorecon -rv
/home/user, to fix the labeling again.
[dhighley@douglas ~]$ rpm -qa | grep selinux
The problem is that we have no way of knowing the homedirs are in /export/home
and no way to label them correctly. In a strict policy machine I might have
dwalsh with a homedir labeled staff_home_t and you might have one labeled
user_home_t. If the passwd file says our home dirs are in /home/dwalsh and
/home/dhighley, it will set up the labeling for those directories not
/export/home/dwalsh and /export/home/dhighley.
Not sure of a good solution.
I understand the complexity of determining automount home directory storage
locations, but if selinux is predicated on correct labeling and we have no way
to ensure that the labeling is correct then we have a real issue in its
viability. By the way we have more than an academic interest in this.
With an NIS or files implementation I can envision how to dump all the users
from the passwd file and attempt to recursively label through the
automount point. It would fail if the storage was not local to the host where
the labeling is running but that would be OK.
If it is an LDAP implementation, which we have not migrated to yet, you would need to
query out all the users and their home directory locations before you could
attempt to recursively label each location.
This could definitely add time and complexity to the process of file system
labeling but if it is not done correctly then we have a bigger issue.
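The approach sketched in the comment above (dump the users from passwd, then label the physical storage behind the automount point) can be scripted. The following is an added example, not part of the bug report or of policycoreutils: it reads passwd-format lines, picks the accounts whose home is recorded under /home, and emits the matching file_contexts.local entries for the physical /export/home location, using the user_home_dir_t and user_home_t types named in the thread. The sample passwd data is constructed, and the function name and its prefix arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): derive file_contexts.local entries
# for home directories whose passwd path is /home/<user> but whose physical
# (automount backing) storage is /export/home/<user>.

# Constructed sample passwd data; in practice feed it "$(getent passwd)".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dwalsh:x:500:500:Dan:/home/dwalsh:/bin/bash
dhighley:x:501:501:Doug:/home/dhighley:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin'

# Usage: gen_export_home_contexts "<passwd text>" [physical-prefix] [logical-prefix]
# Prints two file_contexts-style lines per matching user:
#   <phys>/<user>      -d  system_u:object_r:user_home_dir_t
#   <phys>/<user>/.+       system_u:object_r:user_home_t
# Policies with MCS/MLS enabled expect a trailing ":s0" on each context;
# it is omitted here to match the contexts quoted in the bug report.
gen_export_home_contexts() {
    passwd_text=$1
    phys=${2:-/export/home}
    logical=${3:-/home}
    printf '%s\n' "$passwd_text" | awk -F: -v phys="$phys" -v logical="$logical" '
        # Only accounts whose passwd home sits directly under the logical prefix.
        index($6, logical "/") == 1 {
            user = substr($6, length(logical) + 2)
            # The spec file is regex-based: skip names that contain
            # metacharacters rather than emitting an ambiguous pattern.
            if (user !~ /^[A-Za-z0-9_-]+$/) next
            printf "%s/%s\t-d\tsystem_u:object_r:user_home_dir_t\n", phys, user
            printf "%s/%s/.+\tsystem_u:object_r:user_home_t\n", phys, user
        }'
}

# Stand-alone run: show the entries that would be appended to
# /etc/selinux/targeted/contexts/files/file_contexts.local.
gen_export_home_contexts "$SAMPLE_PASSWD"
```

After appending the output to file_contexts.local, the thread's own fix applies: run restorecon -Rv /export/home (the lowercase -r used in the report is accepted as well) and confirm with ls -Z that the directories now carry user_home_dir_t rather than default_t. Accounts whose home is not under /home (root, apache) produce no entries, and the regex line for the directory contents only matches below the per-user directory, so other data stored in /export/home is left alone.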
After upgrading to Fedora 8 and the policy changes I'm not sure this report
should remain open.