With RHEL 6, restorecond requires a "-u" option to manage files in user home directories. The init script doesn't support setting this option, and it appears that the option is only intended to work when run from a desktop login session manager, not a network login (such as ssh).
How are directories (such as public_html and .ssh) supposed to get the proper labels on a server now?
You can add
And run the restorecond as a service and it will watch for those files/directories as they are created.
Or the admin/user can run restorecon themselves.
I have thought about running restorecond as a user session via bashrc, but I have the problem of cleaning up the process when the user logs out.
Imagine a user logging into the same machine twice, and logging out.
Ahh, I didn't realize it still supported ~/foo in the main conf (I thought -u was in place of that).
However, it doesn't seem to be working for me. Running "restorecond -d" under strace, when I create ~/public_html, I see restorecond get the inotify message. It lstat()s it, lgetxattr()s it (which shows user_home_t), and then goes back to waiting for inotify messages. It doesn't change the context of public_html. I added the following to /etc/selinux/restorecond.conf:
I understand how much "fun" it can be to run things for shell users (with no actual session manager). Maybe a PAM session module that signaled the system daemon (which would then work for SSH, FTP, telnet, getty logins, etc.) could work.
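An added audit script, not code from this bug thread, that reads the `~/` entries from restorecond.conf, expands them over each user's home directory, and reports any entry whose SELinux type (for example `user_home_t` on `public_html`) differs from what `matchpathcon` expects, printing the `restorecon` command an admin would run. It assumes the conf format where `~/name` applies to every login user, and that login users have UID 500 or above.

```python
"""Audit home-directory labels for the paths restorecond watches (added example)."""
import os
import pwd
import subprocess


def parse_restorecond_conf(text):
    """Return (per_user, absolute) entries; '~/' marks per-user entries."""
    per_user, absolute = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            (per_user if line.startswith("~/") else absolute).append(line)
    return per_user, absolute


def expand_entries(per_user, absolute, homes):
    """Map '~/public_html' onto each home directory; keep absolute entries as-is."""
    paths = [os.path.join(h, e[2:]) for h in homes for e in per_user]
    return paths + list(absolute)


def type_of(context):
    """'unconfined_u:object_r:user_home_t:s0' -> 'user_home_t' (the field restorecon fixes)."""
    return context.split(":")[2]


def find_mislabeled(actual, expected):
    """actual/expected: path -> full context. Returns {path: (actual_type, expected_type)}."""
    bad = {}
    for path, ctx in actual.items():
        if path in expected and type_of(ctx) != type_of(expected[path]):
            bad[path] = (type_of(ctx), type_of(expected[path]))
    return bad


def current_context(path):
    # Same attribute restorecond reads with lgetxattr(); value is NUL-terminated.
    return os.getxattr(path, "security.selinux", follow_symlinks=False).rstrip(b"\0").decode()


def expected_context(path):
    out = subprocess.run(["matchpathcon", "-n", path], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    with open("/etc/selinux/restorecond.conf") as fh:
        per_user, absolute = parse_restorecond_conf(fh.read())
    homes = [p.pw_dir for p in pwd.getpwall() if p.pw_uid >= 500]  # assumption: login users
    actual, expected = {}, {}
    for path in expand_entries(per_user, absolute, homes):
        if os.path.lexists(path):
            actual[path], expected[path] = current_context(path), expected_context(path)
    for path, (got, want) in find_mislabeled(actual, expected).items():
        print(f"{path}: {got} (expected {want}); fix with: restorecon -Rv {path}")
```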
I think I have this fixed in Rawhide. After I check it out for a couple of weeks I will back port it to RHEL6.
This issue was proposed for RHEL 6.1 FasTrack but did not get resolved in time.
It has been moved to RHEL 6.2 FasTrack.
Fixed in policycoreutils-2.0.83-33.3.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.