NFS Home Directory Files Mis-Labelled

Miroslav Grepl mgrepl at redhat.com
Mon May 6 06:33:16 UTC 2013


On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
> [Note:  I sent this message yesterday without first subscribing to the 
> list -- intending to check the web archive for responses.  Because my 
> message has not yet shown up in the web archive, I subscribed in order 
> to re-send this.  My apologies if both messages make it out of the 
> moderation queue.]
>
> Last summer, I set up a network with about a dozen stationary boxes 
> and 15-20 moveable users.  All users are authenticating via FreeIPA, 
> and have their home directories NFS-mounted from a central file 
> server.  Both the desktop boxes and the file server were running 
> Fedora 16.
>
> +  User home directories were mounted from "/srv/exports/<user_name>".
>
> +  The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>
> +  The file server had 
> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>
>     /srv   system_u:object_r:home_root_t:s0
>
> All was working well.
>
> In March, I upgraded all of the desktop boxes, as well as the file 
> server and the FreeIPA server to Fedora 18.
>
> +  User home directories are still mounted from 
> "/srv/exports/<user_name>".
>
> +  The desktop boxes still have SE Linux boolean "use_nfs_home_dirs=1".
>
> +  The file server still has 
> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>
>     /srv   system_u:object_r:home_root_t:s0
>
>
> The problem is that, as some users create files, they are being 
> created with context:
>
>     "system_u:object_r:user_home_t:s0"
>
> rather than:
>
>     "unconfined_u:object_r:user_home_t:s0"
>
> If I run "restorecon -FR /srv", then the files are re-labelled to the 
> "unconfined_u".
>
> I don't know how frequently files are created with the wrong context.
>
> Any ideas as to what is happening?
>
> Thanks.
>
Dan wrote a great blog

http://danwalsh.livejournal.com/63586.html

where you can find answers. Basically "unconfined_u" tells you that 
files have been created by a process running with "unconfined_u:*:*:*" 
context.

Regards,
Miroslav
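The point in the reply is that the first field of a file's context (the SELinux user) is inherited from the process that created the file, not from file_contexts, so files written by a system_u process end up as system_u:object_r:user_home_t:s0 even though the type is right. The script below is an added example, not code from the thread or from the SELinux project. It parses "ls -Z"-style "context path" lines, splitting the context into user, role, type and level while keeping an MLS/MCS range such as s0-s0:c0.c1023 intact (the level itself can contain ':'), and lists the files whose SELinux user is not the expected one. The sample output, the user name "alice" and the file names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): find files under an NFS home
# directory whose SELinux *user* component differs from the expected one,
# i.e. the candidates that "restorecon -F" would reset.

# Constructed sample of what "find /srv/exports/alice -exec ls -dZ {} +" might
# print. The user "alice" and the file names are made up for this example.
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/.bashrc
system_u:object_r:user_home_t:s0 /srv/exports/alice/notes.txt
unconfined_u:object_r:user_home_t:s0-s0:c0.c1023 /srv/exports/alice/report.txt
system_u:object_r:user_home_t:s0 /srv/exports/alice/Downloads/setup.log'

# se_user CONTEXT: the SELinux user, the first colon-separated field.
se_user()  { printf '%s\n' "$1" | cut -d: -f1; }
# se_role CONTEXT: the role, second field.
se_role()  { printf '%s\n' "$1" | cut -d: -f2; }
# se_type CONTEXT: the type, third field.
se_type()  { printf '%s\n' "$1" | cut -d: -f3; }
# se_level CONTEXT: the MLS/MCS level. A range like "s0-s0:c0.c1023" contains
# a colon of its own, so take everything from the fourth field onwards.
se_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# find_mislabelled EXPECTED_USER: read "context path" lines on stdin and print
# each path whose user component is not EXPECTED_USER. Paths may contain
# spaces: "read" assigns only the first word to ctx and the rest to path.
find_mislabelled() {
    expected="$1"
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(se_user "$ctx")" != "$expected" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# count_mislabelled EXPECTED_USER: same input, prints only the number of hits.
count_mislabelled() {
    find_mislabelled "$1" | grep -c .
}

# Run on the constructed sample. On a real file server you would pipe in
#   find /srv/exports -type f -exec ls -dZ {} +
# instead of the sample text.
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled unconfined_u
```

Files this lists have the correct type (user_home_t) but the wrong SELinux user, which matches the symptom in the question. Note that plain restorecon only resets the type; the -F flag, as used in the question, is what also resets the user, role and range to the file_contexts default, which is why "restorecon -FR /srv" fixes them.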

