Bug 851871 - Problem Labelling Home Directory Files
Summary: Problem Labelling Home Directory Files
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-08-26 19:24 UTC by Tom Parris
Modified: 2012-08-27 13:22 UTC
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-27 11:16:12 UTC
Target Upstream Version:
Embargoed:
Description Tom Parris 2012-08-26 19:24:37 UTC
Description of problem:
I am not sure if this is a bug, or user error.  I am restoring a set of user accounts from a crashed RHEL4 system to a rebuilt RHEL6.3 system and am having trouble properly labelling user accounts for use with selinux (selinux was not enabled on the old system).  

I have been able to use restorecon to properly label /home with home_root_t

# ls -lZd /home
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home

But I cannot relabel the user home directories with user_home_dir_t, or the files in the home directories with user_home_t.  Apparently, these types are not defined, or selinux is blocking my relabelling attempt (even as root).

# ls -lZd /home/funky
drwx------. funky funky system_u:object_r:samba_share_t:s0 /home/funky
# chcon -h system_u:object_r:user_home_dir_t:samba_share_t /home/funky
chcon: failed to change context of `/home/funky' to `system_u:object_r:user_home_dir_t:samba_share_t': Invalid argument


Version-Release number of selected component (if applicable):
RHEL6.3

How reproducible:
Every time.

Steps to Reproduce:
1. Issue the following commands

# ls -lZd /home/funky
drwx------. funky funky system_u:object_r:samba_share_t:s0 /home/funky
# chcon -h system_u:object_r:user_home_dir_t:samba_share_t /home/funky
chcon: failed to change context of `/home/funky' to `system_u:object_r:user_home_dir_t:samba_share_t': Invalid argument

2. Look at errors in /var/log/audit/audit.log

type=AVC msg=audit(1346006733.566:36828): avc:  denied  { mac_admin } for  pid=3351 comm="chcon" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2


3. I've narrowed the chcon command down to 

# chcon -h user_home_dir_t /home/funky

which does not return an error, but does not change the labelling either.

This produces another audit log error

type=AVC msg=audit(1346008341.461:37065): avc:  denied  { mac_admin } for  pid=4262 comm="chcon" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1346008341.461:37065): arch=40000003 syscall=227 success=no exit=-22 a0=8d03940 a1=6415e5 a2=8d04c00 a3=2c items=0 ppid=3661 pid=4262 auid=5555 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

  
Actual results:
 see above

Expected results:
 see above

Additional info:

I have added one custom rule to the selinux policies that sets all files in the /home directory to be shareable via samba (which works).

/home(/.*)?  samba_share_t:s0 all files

I would be most grateful for help on this.  I've tried restorecon on these directories without success.

Comment 2 Tom Parris 2012-08-26 21:16:05 UTC
The policies seem to exist.


# find /etc/selinux/ -type f -exec grep -l user_home_dir_t {} \;
/etc/selinux/targeted/modules/active/policy.kern
/etc/selinux/targeted/modules/active/file_contexts.template
/etc/selinux/targeted/modules/active/file_contexts.homedirs
/etc/selinux/targeted/modules/active/homedir_template
/etc/selinux/targeted/policy/policy.24
/etc/selinux/targeted/contexts/files/file_contexts.homedirs


# find /etc/selinux/ -type f -exec grep -l user_home_t {} \;
/etc/selinux/targeted/modules/active/policy.kern
/etc/selinux/targeted/modules/active/file_contexts.template
/etc/selinux/targeted/modules/active/file_contexts.homedirs
/etc/selinux/targeted/modules/active/homedir_template
/etc/selinux/targeted/policy/policy.24
/etc/selinux/targeted/contexts/files/file_contexts.homedirs


But for some reason chcon/restorecon can't seem to find them.

The following three lines are in /etc/selinux/targeted/modules/active/file_contexts.homedirs

/home/[^/]*/.+  unconfined_u:object_r:user_home_t:s0
/home/[^/]*     -d      unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*     -l      unconfined_u:object_r:user_home_dir_t:s0

Comment 3 Tom Parris 2012-08-26 21:23:01 UTC
I also tried to create an account using /usr/bin/system-config-users

It also lacks the labeling for user_home_dir_t and user_home_t.

-- Tom

Comment 4 Miroslav Grepl 2012-08-27 11:16:12 UTC
# chcon -h system_u:object_r:user_home_dir_t:samba_share_t /home/funky
chcon: failed to change context of `/home/funky' to `system_u:object_r:user_home_dir_t:samba_share_t': Invalid argument

This is not a correct label.

# chcon -t user_home_dir_t /home/funky


The problem is you added your custom labeling. You could remove this labeling and turn on the use_samba_home_dirs boolean.

# setsebool -P use_samba_home_dirs 1

You can read more details using

# man samba_selinux


Please reopen if I did not help you.
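The shadowing Miroslav points to can be checked offline with a small matcher. The Python below is an added example, not part of this bug report or of libselinux: it applies the spec lines quoted in comment 2 plus the reporter's custom rule, assuming RHEL 6 era libselinux behaviour (files loaded as file_contexts, then file_contexts.homedirs, then file_contexts.local; the last matching spec wins), that the custom rule lives in file_contexts.local, and a base "/home -d home_root_t" entry.

```python
import re

# Constructed spec files modelled on this bug: the homedirs lines are the ones
# quoted in comment 2; the base /home entry and the placement of the custom
# rule in file_contexts.local are assumptions.
SPEC_FILES = {
    "file_contexts": "/home\t-d\tsystem_u:object_r:home_root_t:s0\n",
    "file_contexts.homedirs": (
        "/home/[^/]*/.+\tunconfined_u:object_r:user_home_t:s0\n"
        "/home/[^/]*\t-d\tunconfined_u:object_r:user_home_dir_t:s0\n"
        "/home/[^/]*\t-l\tunconfined_u:object_r:user_home_dir_t:s0\n"
    ),
    # the reporter's custom rule: every path under /home, all file types
    "file_contexts.local": "/home(/.*)?\tsystem_u:object_r:samba_share_t:s0\n",
}
# Assumed load order; with last-match-wins semantics, a local rule that
# matches the same paths shadows the homedirs entries loaded before it.
LOAD_ORDER = ["file_contexts", "file_contexts.homedirs", "file_contexts.local"]


def parse_specs(text):
    """Parse 'regex [-type] context' lines, anchoring each regex as libselinux does."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts          # -d dir, -l symlink, -- regular file
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None  # no type field: applies to all types
        else:
            raise ValueError("malformed spec: " + line)
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def lookup(path, ftype, custom_local=True):
    """Context of the last matching spec for path (ftype in -d/-l/-- notation), or None."""
    files = LOAD_ORDER if custom_local else LOAD_ORDER[:-1]  # False: custom rule removed
    result = None
    for name in files:
        for rx, spec_type, ctx in parse_specs(SPEC_FILES[name]):
            if spec_type is not None and spec_type != ftype:
                continue
            if rx.match(path):
                result = ctx  # a later match overrides an earlier one
    return result
```

Calling lookup("/home/funky", "-d") with custom_local=True and then False shows samba_share_t giving way to user_home_dir_t once the custom rule is gone, which is why restorecon could not produce the homedir labels while it was present.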

Comment 5 Tom Parris 2012-08-27 13:22:27 UTC
Thank you.  That did the trick.  Apparently, I was reading an outdated edition of man samba_selinux.

