Description of problem:
If users have their home directory located somewhere in /usr/local, then, during the update process of package "selinux-policy-targeted", a new section (besides the existing ones for /home and /root) is added for /usr/local to the selinux policy files "/etc/selinux/targeted/modules/active/file_contexts.homedirs" and "/etc/selinux/targeted/contexts/files/file_contexts.homedirs". The new section is basically the same as for home directories in /home and /root, but now with all entries starting with /usr/local. Unfortunately, some of these entries conflict with the (already existing) global entries in "/etc/selinux/targeted/contexts/files/file_contexts".

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-72.fc8

The error exists for about the last 3-4 updates of "selinux-policy-targeted". The problem isn't new. It occurred in most Fedora versions, but usually went away after the next update of "selinux-policy-targeted". However, this time it didn't go away after a couple of updates.

How reproducible:
update from previous to current version of "selinux-policy-targeted", for example, with "yum update"

Steps to Reproduce:
1. "yum update" or "rpm -Uvh selinux-policy-targeted-3.0.8-69.fc8.noarch.rpm"

Actual results:
# yum update
[...]
---> Package selinux-policy.noarch 0:3.0.8-72.fc8 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.0.8-72.fc8 set to be updated
---> Package selinux-policy-devel.noarch 0:3.0.8-72.fc8 set to be updated
[...]
Updating : selinux-policy ####################### [ 2/24]
Updating : selinux-policy-targeted ####################### [ 3/24]
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/lost\+found/.*.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/\.journal.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/lost\+found.
Updating : selinux-policy-devel ####################### [ 4/24]
[...]

The error messages also occur for other selinux related tools that deal with the policy files. Don't know if this has any security implications, but to me, it just looks like a harmless (but annoying) error message.

The following files contain new entries for /usr/local which conflict with global settings (file_contexts, see above):
/etc/selinux/targeted/modules/active/file_contexts.homedirs
/etc/selinux/targeted/contexts/files/file_contexts.homedirs

Removing all lines beginning with /usr/local (or at least the ones with "lost+found" and ".journal") helps.

Expected results:
no error messages (Multiple same specifications) during update, and valid policy files (file_contexts.homedirs) afterwards

Additional info:
see attached policy files (the section with /usr/local entries is new and conflicts with global policy)
Created attachment 290512: /etc/selinux/targeted/contexts/files/file_contexts.homedirs
Created attachment 290513: /etc/selinux/targeted/modules/active/file_contexts.homedirs
SELinux cannot handle user home directories in /usr/local. SELinux wants to label the parent directory of the user homedir as home_root_t and then the homedir as user_home_dir_t. If you put the home directories in a location with a default label that SELinux wants to be different from home_root_t, you will generate this conflict. If these accounts are actually user home directories then SELinux would work if you move them to a subdirectory, /usr/local/home for example. If these directories are not really user home directories but service directories, then you need to fix the password entry to not use a real shell (/sbin/nologin or /bin/false).
Okay, now I understand. Thanks for the explanation. Helps a lot! My accounts in /usr/local are all service accounts for additional software I installed into /usr/local. Most of them have /sbin/nologin, but a few require a real shell. How does SELinux check for the shell? Is there a positive list containing all known shells (sh, bash etc.) or a negative list containing non-shells (/sbin/nologin)? Or does it scan /etc/selinux/targeted/contexts/files/file_contexts for entries of type "shell_exec_t"?
/etc/shells contains all valid shells. /sbin/nologin and /bin/false are hard-coded negatives, and UIDs < 500 are ignored.
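The two maintainer comments above describe a rule (which passwd entries count as real users, and that each real user's parent directory becomes a HOME_ROOT for the homedir template) and its consequence (a HOME_ROOT that already has global entries such as /usr/local produces "Multiple same specifications"). The following is an added illustration written for this page, not code from the bug report or from libsemanage's genhomedircon; it models only the rules stated in the thread (shell in /etc/shells, /sbin/nologin and /bin/false excluded, UID below 500 ignored) and uses constructed passwd, shells and file_contexts samples. The template and global lines are limited to the three entries named in the error messages; the context strings on the -d lines are assumed.

```python
"""Model of how real-user home roots expand into file_contexts.homedirs
entries, and which of those collide with the global file_contexts.

Simplified, added example: only the rules stated in the bug thread are
modelled (the real genhomedircon reads semanage.conf and treats /root
specially, which is left out here).
"""

# Constructed sample of /etc/passwd (not from the bug report). The three
# /usr/local accounts mirror the reporter's service accounts.
PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
postfix:x:89:89::/var/spool/postfix:/bin/bash
svc_web:x:600:600::/usr/local/web:/sbin/nologin
svc_db:x:601:601::/usr/local/db:/bin/false
svc_app:x:602:602::/usr/local/app:/bin/bash
"""

# Constructed sample of /etc/shells. /sbin/nologin is listed on purpose:
# the hard-coded negative list below still excludes it.
SHELLS = """\
/bin/sh
/bin/bash
/bin/zsh
/sbin/nologin
"""

# Rules as stated in the thread.
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}
MIN_UID = 500

# Homedir template lines that the report shows colliding; HOME_ROOT is
# replaced by the parent directory of each real user's home.
HOMEDIR_TEMPLATE = [
    "HOME_ROOT/lost\\+found/.*\t<<none>>",
    "HOME_ROOT/\\.journal\t<<none>>",
    "HOME_ROOT/lost\\+found\t-d\tsystem_u:object_r:lost_found_t:s0",
]

# Constructed excerpt of the global file_contexts (contexts are assumed).
GLOBAL_FILE_CONTEXTS = [
    "/usr/local(/.*)?\tsystem_u:object_r:usr_t:s0",
    "/usr/local/lost\\+found/.*\t<<none>>",
    "/usr/local/\\.journal\t<<none>>",
    "/usr/local/lost\\+found\t-d\tsystem_u:object_r:lost_found_t:s0",
]


def parse_shells(text):
    """Set of shells listed in an /etc/shells-style file."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def is_real_user(uid, shell, valid_shells):
    """Apply the three rules from the thread."""
    if uid < MIN_UID:
        return False
    if shell in NOLOGIN_SHELLS:
        return False
    return shell in valid_shells


def home_roots(passwd_text, shells_text):
    """Parent directories (HOME_ROOT values) of all real users' homes."""
    valid_shells = parse_shells(shells_text)
    roots = set()
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        uid, home, shell = int(fields[2]), fields[5], fields[6]
        if is_real_user(uid, shell, valid_shells):
            roots.add(home.rsplit("/", 1)[0] or "/")
    return roots


def expand_template(roots):
    """Generate the per-HOME_ROOT section of file_contexts.homedirs."""
    return [tpl.replace("HOME_ROOT", root)
            for root in sorted(roots) for tpl in HOMEDIR_TEMPLATE]


def spec_key(line):
    """(regex, file-type flag) is what makes two specifications 'the same'."""
    fields = line.split()
    ftype = fields[1] if len(fields) > 2 and fields[1].startswith("-") else ""
    return (fields[0], ftype)


def conflicting_specs(passwd_text, shells_text, global_fc=GLOBAL_FILE_CONTEXTS):
    """Regexes the homedir section would duplicate from the global file."""
    global_keys = {spec_key(ln) for ln in global_fc}
    generated = expand_template(home_roots(passwd_text, shells_text))
    return [spec_key(ln)[0] for ln in generated if spec_key(ln) in global_keys]


# The two fixes suggested in the thread, applied to the sample passwd.
PASSWD_FIXED = PASSWD.replace("/usr/local/app:/bin/bash",
                              "/usr/local/app:/sbin/nologin")
PASSWD_MOVED = PASSWD.replace(":/usr/local/app:", ":/usr/local/home/app:")

if __name__ == "__main__":
    for label, pw in (("as reported", PASSWD), ("nologin", PASSWD_FIXED),
                      ("moved", PASSWD_MOVED)):
        print(label, sorted(home_roots(pw, SHELLS)), conflicting_specs(pw, SHELLS))
```

Only svc_app survives the filter in the sample (UID 602, /bin/bash listed in /etc/shells), so /usr/local becomes a HOME_ROOT and the three template lines collide with the global entries exactly as in the yum output. Giving that account /sbin/nologin, or moving its home under /usr/local/home, removes the collision, which is a quick way to audit /etc/passwd before the next policy update rather than hand-editing file_contexts.homedirs.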