Description of problem:
We automount home directories from our CentOS 5.1 server onto our workstations. New files created in the home directories get the context user_home_dir_t instead of user_home_t. Is there any way around this?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-115.el5
Could you look at http://people.redhat.com/dwalsh/SELinux/RHEL5? This is the U2 policy and I believe this is fixed: selinux-policy-2.4.6-114.el5
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
I'm still seeing this with selinux-policy-2.4.6-115.el5.
Do you have the nfs_export_all_rw boolean turned on, or are you in permissive mode?
[root@earth ~]# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
samba_share_nfs --> on
use_nfs_home_dirs --> off
[root@earth ~]# cat /selinux/enforce
1
[root@earth ~]#
Orion, can you try out policy 119 on http://people.redhat.com/dwalsh/SELinux/RHEL5?
Installed and restarted nfs but it doesn't seem to have had an effect.
Ok, my policy is broken. I had added:

userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir })

But I believe the kernel is actually creating this file. So I am not sure whether this would work:

userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })

Steve, can I do this?
Yes, that should work. The nfsd-initiated kernel thread runs as kernel_t. Some day it may assume the client's context as its acting context if/when NFSv4 support is complete.
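As an added example, not part of the bug report and not Red Hat's policy source: a small POSIX shell script that does two things a practitioner hitting this bug would want. First, it scans `ls -Z` output of a home directory and flags entries that still carry user_home_dir_t (inside a home directory every entry should have received the user_home_t transition, so any hit is a file or directory the nfsd kernel thread created without it). Second, it emits a local policy module that carries the same interface call Dan describes for kernel_t, so the rule can be loaded on a server that has not yet received the rebuilt policy. Assumptions, all mine: the module name nfshome, the selinux-policy-devel Makefile path, the setools 3.x `sesearch -T` syntax, and the sample listing, which is constructed rather than captured from the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes a RHEL5-era box with
# selinux-policy-devel and setools 3.x; names marked below are assumptions.

# Constructed sample of `ls -Z /home/orion` output: two entries created over NFS
# missed the type transition and still carry user_home_dir_t.
SAMPLE_LS_Z='-rw-r--r--  orion orion user_u:object_r:user_home_t:s0 notes.txt
-rw-r--r--  orion orion system_u:object_r:user_home_dir_t:s0 created-over-nfs
drwxr-xr-x  orion orion system_u:object_r:user_home_dir_t:s0 newdir
-rw-------  orion orion user_u:object_r:user_home_t:s0 .bash_history'

# Read `ls -Z` lines on stdin and print the names of entries whose SELinux type
# is user_home_dir_t. The context is the field shaped user:role:type[:level];
# the name is taken as the last field, so names containing spaces are not handled.
find_mislabelled() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, c, ":")
            if (n >= 3 && c[2] == "object_r") {
                if (c[3] == "user_home_dir_t") print $NF
                break
            }
        }
    }'
}

# Number of mislabelled entries on stdin (0 means the home dir looks clean).
count_mislabelled() {
    find_mislabelled | wc -l | tr -d ' '
}

# Source of a local policy module (module name "nfshome" is an assumption) that
# adds the rule from the thread: when kernel_t, the context of the nfsd kernel
# thread, creates a file or dir in a user_home_dir_t directory, label it
# user_home_t via the generic user home content transition.
nfshome_te() {
    cat <<'EOF'
policy_module(nfshome, 1.0)

require {
	type kernel_t;
}

# nfsd runs as kernel_t; files it creates in home dirs should get user_home_t
userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })
EOF
}

# Build, load and verify the module. Needs root; not invoked automatically.
install_nfshome() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    nfshome_te > nfshome.te
    make -f /usr/share/selinux/devel/Makefile nfshome.pp || return 1
    semodule -i nfshome.pp || return 1
    # Confirm the type_transition is now in the loaded policy (setools 3.x flags).
    sesearch -T -s kernel_t -t user_home_dir_t -c file
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled
```

Point `ls -Z /home/<user> | find_mislabelled` at a real automounted home directory to see which entries the kernel thread created without the transition; after `install_nfshome` (or after updating to a policy that already carries the rule), newly created files should come back as user_home_t while the existing mislabelled ones still need a `restorecon -R` on the server to be fixed up.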
Orion, Try selinux-policy-2.4.6-120.el5 out on people.
Huzzah! That works. Thanks Dan.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html