Policy for authenticating domain users

Scott Salley ssalley at likewise.com
Thu Feb 18 21:43:52 UTC 2010


> On 02/15/2010 01:27 PM, Scott Salley wrote:
>> I'm working on a set of patches to integrate Likewise Open (Active
>> Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
>> 
>> I am having trouble defining how a user's home directory should be
>> handled.
>> 
>> We don't place users directly in /home as the domain user account
>> name may conflict with an existing account. Instead, we use /home/%D/%U
>> where %D is the domain and %U is the user account.  (We may have
>> users with the same account name in different domains.)
>> 
>> I want to make sure that if users are joined while SELinux is not
>> enabled, and then SELinux is re-enabled, the files get the proper
>> contexts.

> Do you know the name of all domains?
>
> In Fedora 12
>
> for d in $DOMAINS; do 
> semanage fcontext -a -e /home /home/$d
> done

I don't know the names of all the domains ahead of time, but I can call
semanage with those arguments as we set up a user's environment. I
already tried running semanage twice with the same arguments for adding
the equivalence and it correctly errors out.

I've now run into this message:

type=AVC msg=audit(1266523695.550:22225): avc:  denied  { relabelto }
for  pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681
scontext=unconfined_u:system_r:lsassd_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1266523695.550:22225): arch=c000003e syscall=188
success=yes exit=0 a0=7fab640399f0 a1=3ea9415649 a2=7fab64027990 a3=21
items=0 ppid=2790 pid=3158 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lsassd"
exe="/usr/sbin/lsassd" subj=unconfined_u:system_r:lsassd_t:s0 key=(null)

which does not go away with the addition of this rule:

allow lsassd_t home_root_t:dir relabelto;

Is there something special for 'relabelto' or 'home_root_t' that I'm not
aware of? (I'm trying to create /home/DOMAIN and apply the appropriate
label on /home/DOMAIN via matchpathcon/setfilecon).
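An added example (not part of the thread, and not Likewise code) for working through a denial like the one above: it parses the AVC line into the allow rule audit2allow would produce, flags that the SELinux user field of the new label (system_u) differs from the calling process's user (unconfined_u), and wraps the semanage equivalence step so it can be rerun without the duplicate-add error. In the reference policy, changing the user identity of a file label is governed by a constraint on relabelfrom/relabelto, which an allow rule in a local module cannot satisfy; `audit2why -a` reports such cases as a constraint violation, so that is the check worth running before adding more rules. The AVC line is copied from the message; the "/home/X = /home" listing format that ensure_home_equiv greps for is an assumption about semanage's output, and that function is only meant to run on a real Fedora host.

```shell
#!/bin/sh
# Added example: triage an SELinux relabel denial and register a per-domain
# home directory equivalence idempotently. Not from the original thread.

# Constructed sample: the AVC record quoted in the message above, on one line.
AVC_LINE='type=AVC msg=audit(1266523695.550:22225): avc:  denied  { relabelto } for  pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681 scontext=unconfined_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value from the AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission(s) between the braces, trimmed.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_to_allow LINE: derive the allow rule audit2allow would emit
# (source type, target type, object class, permission).
avc_to_allow() {
    st=$(avc_field "$1" scontext | cut -d: -f3)
    tt=$(avc_field "$1" tcontext | cut -d: -f3)
    printf 'allow %s %s:%s %s;\n' "$st" "$tt" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# relabel_identity_hint LINE: for relabelto/relabelfrom, compare the SELinux
# user of the process with the user in the new label. A mismatch means the
# reference policy's identity-change constraint applies and a plain allow rule
# is not enough; audit2why -a shows this as a constraint violation.
# Returns 0 when the users differ, 1 otherwise.
relabel_identity_hint() {
    su=$(avc_field "$1" scontext | cut -d: -f1)
    tu=$(avc_field "$1" tcontext | cut -d: -f1)
    if [ "$su" != "$tu" ]; then
        echo "SELinux user changes $su -> $tu: run 'audit2why -a' and check constraints, not only allow rules"
        return 0
    fi
    return 1
}

# ensure_home_equiv DOMAIN: register /home/DOMAIN as equivalent to /home once
# (semanage errors if the same equivalence is added twice), then relabel it.
# Assumes semanage lists equivalences as "/home/DOMAIN = /home"; only runs
# where the SELinux tools exist.
ensure_home_equiv() {
    d=$1
    command -v semanage >/dev/null 2>&1 || { echo "semanage not available" >&2; return 1; }
    if ! semanage fcontext -l -C 2>/dev/null | grep -q "^/home/$d = /home$"; then
        semanage fcontext -a -e /home "/home/$d"
    fi
    mkdir -p "/home/$d"
    restorecon -R "/home/$d"
}

# Demo on the constructed AVC line.
avc_to_allow "$AVC_LINE"
relabel_identity_hint "$AVC_LINE" || echo "same SELinux user on both sides"
```

The parsing functions run anywhere; ensure_home_equiv is the per-domain step to call as a user's environment is set up, in place of running semanage unconditionally.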
