Hide Forgot
Description of problem: When a user logs in for the first time with winbind, by default the user's home directory is created as /home/MYDOMAIN.COM/myusername. restorecon will set /home/MYDOMAIN.COM to user_home_dir_t, but will set /home/MYDOMAIN.COM/myusername to user_home_t. The subsequently causes a problem when gdm-session-worker tries to create or write to ~/.xsession-errors and is not permitted to do so. Version-Release number of selected component (if applicable): 3.10.0-75.fc16 How reproducible: Set up winbind authentication, and log in with an account on the domain, then run restorecon on the directories in question, or recursively on the entire /home tree. Then check the security context for each of the directories in question. Steps to Reproduce: 1. As root, run system-config-authentication and set up winbind auth. 2. Log in as a domain user. Home directory should be /home/MYDOMAIN.COM/myusername/. 3. As root, run restorecon /home/MYDOMAIN.COM && restorecon /home/MYDOMAIN.COM/myusername. 4. Run ls -laZ /home/MYDOMAIN.COM to inspect security context. Actual results: /home/MYDOMAIN.COM is set to user_home_dir_t. /home/MYDOMAIN.COM/myusername is set to user_home_t. Expected results: I am not sure what context /home/MYDOMAIN.COM should have. /home/MYDOMAIN.COM/myusername should be set to user_home_dir_t. Additional info:
# semanage fcontext -a -e /home /home/MYDOMAIN.COM # restorecon -R -v /home/MYDOMAIN.COM Would fix the problem for each MYDOMAIN.COM name.
Simo is there a place were would could put this in a configuration file? Or a man page?
maybe in the winbind man page for samba specific uses. I guess also pam_oddjob_mkhomedir man page perhaps ?
Is there any easy way for us to know this? Any config tool that is run that could set it up?
You mean a tool that could run the commands in comment #1 ? I guess we could do that in pam_winbind an pam_oddjob_mkhomedir ?
Well I don't want to give the power to all login programs to modify SELinux policy, I was thinking more an admin program like authconfig or system-config-samba.
(In reply to comment #6) > Well I don't want to give the power to all login programs to modify SELinux > policy, I was thinking more an admin program like authconfig or > system-config-samba. The problem is that when you have trusted domains that are detected on the fly you have no way to know in advance what a subpath name will be. Only the login program can see that the homedir is located in an 'arbitrary' subdirectory. I think there is a general problem here that goes beyond winbind indeed. This affects any setup, where people decide to use subdirectories to better partition where their users home directories are placed. For example with FreeIPA or any LDAP server the homedirectory is an arbitrary path. If oddjob is the only sanctioned tool I think it would be better to make it set the policy and have pam_winbindd changed to use it. If you think this is the best direction we can reassign this bug to samba and work on a solution to make pam_winbind use oddjob instead.
I do kind of like the idea of oddjob doing this, Since that is a privledged app in charge of setting up homedirs. If we could get oddjob to check if the the label of the newly created homedir is user_home_dir_t, then it should execute a command equivalent to semanage fcontext -a -e /home PARENTDIR Which is really just adding a line to /etc/selinux/targeted/contexts/files/file_context.subs # cat /etc/selinux/targeted/contexts/files/file_contexts.subs /home/devel /home
Then I would only need to give oddjob the ability to manage file_context file. or better yet we add a label to file_contexts.subs
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.