From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
I copied the lines for setting ACLs pertaining to home directories from /etc/selinux/targeted/contexts/files/file_contexts.homedirs to /etc/selinux/targeted/users/local.users, then I prefixed each line with /export/home. I then did a fixfiles relabel. I followed this with an ls -Z /export/home and see ACLs of system_u:object_r:default_t, not user_home_dir_t. Comments in the file_contexts.homedirs say to modify the local.users file for site-specific changes.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16

How reproducible:
Always

Steps to Reproduce:
1. Edit local.users file.
2. fixfiles relabel
3. ls -Z /export/home

Additional info:
You should copy them to /etc/selinux/targeted/contexts/files/file_contexts.local. Do you have user homedirs in /export/home? Or are you just storing additional user files there? Dan
Using the file file_contexts.local fixed the labeling issue. Yes, /export/home is the physical location of the auto home user directory storage, a very common setup for automounting home directories.
Are there any entries in the passwd file or in your passwd databases that point homedirs to /export/home? I.e., would you have an entry for user dwalsh with /export/home/dwalsh as his homedir? If yes, genhomedircon should have picked this up and added the appropriate file context. Dan
There are no other directories or files in /export/home besides home directories. The password file has all home directories as /home/<user>.
Added this fix to policycoreutils in rawhide for FC5. I don't think it is needed for FC4.
I just did a touch /.autorelabel and reboot. The home directories were mislabeled. The policies are not working when the home directories are automounted and the real file location is /export/home. So I had to re-label, restorecon -rv /home/user, to fix the labeling again.

[dhighley@douglas ~]$ rpm -qa | grep selinux
libselinux-python-1.33.4-2.fc6
libselinux-1.33.4-2.fc6
libselinux-1.33.4-2.fc6
libselinux-devel-1.33.4-2.fc6
libselinux-devel-1.33.4-2.fc6
selinux-policy-2.4.6-41.fc6
selinux-policy-targeted-2.4.6-41.fc6
matchpathcon /export/home/*

The problem is that we have no way of knowing the homedirs are in /export/home and no way to label them correctly. In a strict policy machine I might have dwalsh with a homedir labeled staff_home_t and you might have one labeled user_home_t. If the passwd file says our home dirs are in /home/dwalsh and /home/dhighley, it will set up the labeling for those directories, not /export/home/dwalsh and /export/home/dhighley. Not sure of a good solution.
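The workaround from comments 2 and 3 (moving the home-directory rules into file_contexts.local with the /home prefix rewritten to the physical /export/home location) and the matchpathcon check suggested above, as an added example that is not part of this bug report. It assumes the FC4-era file_contexts layout (regex, optional file-type flag, context, tab-separated), uses constructed sample rules, and reproduces offline the last-matching-rule-wins behaviour that matchpathcon applies, so the ordering of the rewritten rules can be checked before running fixfiles relabel on a live box.

```shell
#!/bin/sh
# Constructed sample of file_contexts.homedirs rules (assumption: FC4-era
# format, no MLS field; the real file on the system should be used instead).
SAMPLE_HOMEDIRS='/home/[^/]*	-d	system_u:object_r:user_home_dir_t
/home/[^/]*/.+	system_u:object_r:user_home_t
/home/[^/]*/\.ssh(/.*)?	system_u:object_r:home_ssh_t'

# Rewrite the /home/ prefix of each rule on stdin to the physical location
# given as $1 (e.g. /export/home).  The output is what goes into
# /etc/selinux/targeted/contexts/files/file_contexts.local.
rewrite_homedir_rules() {
    physical="$1"
    sed -E "s#^/home/#${physical}/#"
}

# Predict the context matchpathcon would report for path $1 against the
# rules on stdin.  Like the real matcher, every regex is anchored at both
# ends and the LAST matching rule wins, so specific rules (e.g. .ssh) must
# come after general ones.  Prints an empty string when nothing matches,
# which on a live system ends up as default_t (the symptom in comment 1).
predict_context() {
    path="$1"
    ctx=""
    while IFS="$(printf '\t')" read -r regex f2 f3; do
        [ -z "$regex" ] && continue
        # Two-field lines carry no file-type flag; the context is in $f2.
        if [ -n "$f3" ]; then c="$f3"; else c="$f2"; fi
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            ctx="$c"
        fi
    done
    printf '%s\n' "$ctx"
}

# Usage: show the rewritten rules, then what a home dir and a key file get.
RULES=$(printf '%s\n' "$SAMPLE_HOMEDIRS" | rewrite_homedir_rules /export/home)
printf '%s\n' "$RULES"
printf '%s\n' "$RULES" | predict_context /export/home/dwalsh
printf '%s\n' "$RULES" | predict_context /export/home/dwalsh/.ssh/id_rsa
```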
I understand the complexity of determining automount home directory storage locations, but if SELinux is predicated on correct labeling and we have no way to ensure that the labeling is correct, then we have a real issue in its viability. By the way, we have more than an academic interest in this. With an NIS or files implementation I can envision how to dump all the users from the passwd file and attempt to recursively label through the automount point. It would fail if the storage was not local to the host where the labeling is running, but that would be OK. If it is an LDAP implementation, which we have not migrated to yet, you would need to query out all the users and their home directory locations before you could attempt to recursively label each location. This could definitely add time and complexity to the process of file system labeling, but if it is not done correctly then we have a bigger issue.
After upgrading to Fedora 8 and the policy changes I'm not sure this report should remain open.