<br><br><div class="gmail_quote">On Wed, Jan 12, 2011 at 7:07 PM, Daniel J Walsh <span dir="ltr"><<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div><div><div></div><div class="h5">On 01/12/2011 04:03 PM, Paul Howarth wrote:<br>
> On Wed, 12 Jan 2011 13:02:21 -0500<br>
> Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:<br>
>> On 01/12/2011 06:29 AM, Paulo Cavalcanti wrote:<br>
>>> Hi,<br>
>>><br>
>>> I have two HDs on my computer: one with rhel5 5.5 and the other with<br>
>>> fedora 14.<br>
>>> Both systems share some directories located in a common /home,<br>
>>> mainly used by the httpd process.<br>
>>><br>
>>> The problem is that selinux in fedora 14 uses "unrestricted_u" by<br>
>>> default for all users, which rel5 does not understand,<br>
>>> and any file labeled that way is treated as "unlabeled_t" in rhel5.<br>
>>><br>
>>> I tried to relabel all files in Fedora 14 using "chcon -R -u user_u<br>
>>> -t user_home_t" , for instance,<br>
>>> but every new file is still created as "unrestricted_u".<br>
>>><br>
>>> I know very little about selinux, and I would like to know how to<br>
>>> force all files in F14 to be user_u,<br>
>>> but keeping the user owning those files, unrestricted.<br>
>>><br>
>>> Is that possible? Is there a better solution for not having tons of<br>
>>> denials in rhel5?<br>
>>><br>
>>> Thanks.<br>
>>><br>
>>> --<br>
>>> Paulo Roma Cavalcanti<br>
>>> LCG - UFRJ<br>
>>><br>
>> One solution would be to mount with a context on one of the platforms.<br>
>><br>
>> On RHEL5 mount the users homedir with a context of nfs_t, and set the<br>
>> boolean to say allow nfs homedirs<br>
>><br>
>><br>
>> mount -o context="system_u:object_r:nfs_t:s0" /dev/ABC /home<br>
>> setsebool -P use_nfs_home_dirs 1<br>
><br>
> What happens with newly-created files whilst booted in RHEL-5 in this<br>
> case? What will Fedora 14 see them as?<br>
><br>
> Paul.<br>
<br>
</div></div>nfs_t, i think so Stephens solution is probably better? I would hope in<br>
stephens solution they would be labeled user_home_t. But it would<br>
probably be smart to run restorecon -R -v ~/ When you login on F14<br>
<div class="im">-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with Fedora - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
</div><br></blockquote><div><br>I would like to thank you all for the suggestions.<br><br>In rhel5, I changed my fstab this way:<br><br>LABEL=/home /home ext4 defaults,context=user_u:object_r:user_home_t:s0 1 2 <br>
<br><br>All the files labelled "unconfined_u:object_r:user_home_t:s0" in F14 are seen<br>as "user_u:object_r:user_home_t:s0" in rhel5, and my /var/log/mesages is not no longer<br>full of denials. <br><br>
However, even allowing httpd to read user content on rhel5 (files labelled user_home_t, I guess),<br>I still get some warnings from selinux troubleshooter. Does this flag really work on rhel5?<br><br>Does anyone think that using nfs_t (and setsebool -P use_nfs_home_dirs 1) would make any difference?<br>
Also, does anyone know whether rhel6 will be more "Fedora like", from an selinux point of view?<br><br>Cheers.<br><br></div></div>-- <br>Paulo Roma Cavalcanti<br>LCG - UFRJ<br>