NFS Home Directory Files Mis-Labelled

Mike Pinkerton pselists at mindspring.com
Mon May 6 19:02:21 UTC 2013


On 6 May 2013, at 02:33, Miroslav Grepl wrote:

> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>
>> Last summer, I set up a network with about a dozen stationary  
>> boxes and 15-20 moveable users.  All users are authenticating via  
>> FreeIPA, and have their home directories NFS-mounted from a  
>> central file server.  Both the desktop boxes and the file server  
>> were running Fedora 16.
>>
>> +  User home directories were mounted from "/srv/exports/ 
>> <user_name>".
>>
>> +  The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>>
>> +  The file server had "/etc/selinux/targeted/contexts/files/ 
>> file_contexts.local" with:
>>
>>     /srv   system_u:object_r:home_root_t:s0
>>
>> All was working well.
>>
>> In March, I upgraded all of the desktop boxes, as well as the file  
>> server and the FreeIPA server to Fedora 18.
>>
>> +  User home directories are still mounted from "/srv/exports/ 
>> <user_name>".
>>
>> +  The desktop boxes still have SE Linux boolean  
>> "use_nfs_home_dirs=1".
>>
>> +  The file server still has "/etc/selinux/targeted/contexts/files/ 
>> file_contexts.local" with:
>>
>>     /srv   system_u:object_r:home_root_t:s0
>>
>>
>> The problem is that, as some users create files, they are being  
>> created with context:
>>
>>     "system_u:object_r:user_home_t:s0"
>>
>> rather than:
>>
>>     "unconfined_u:object_r:user_home_t:s0"
>>
>> If I run "restorecon -FR /srv", then the files are re-labelled to  
>> the "unconfined_u".
>>
>> I don't know how frequently files are created with the wrong context.
>>
>> Any ideas as to what is happening?
>>
>> Thanks.
>>
> Dan wrote a great blog
>
> http://danwalsh.livejournal.com/63586.html
>
> where you can find answers. Basically "unconfined_u" tells you that  
> files have been created by a process running with  
> "unconfined_u:*:*:*" context.

Miroslav, thanks for replying.

I think the "user_home_t" types are correct.  Our problem is that a  
normal user doing a normal user thing -- albeit in a NFS mounted home  
directory -- is creating files that are labelled as "system_u" rather  
than "unconfined_u", which then limits the user's subsequent ability  
to interact with the file.  If this problem existed prior to our  
upgrade to F18, we did not notice it.

From your response, I take it that some normal user processes are  
running in the wrong context, resulting in files being created with a  
"system_u" context.  Any thoughts on how to track down which  
processes are running in the wrong context, and how to fix that?

Thanks.

-- 
Mike
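The thread's open question is how often files on the export end up with the wrong SELinux user field. The script below is an added example, not something posted by Mike or Miroslav: it takes "context<TAB>path" lines (the format GNU find emits for `find /srv -printf '%Z\t%p\n'`) and reports every file whose user field is not the expected `unconfined_u`, so a periodic run can measure the problem before and after a `restorecon -FR` (the `-F` is what resets the user and role fields, not just the type). The sample listing, the paths under `/srv/exports/` and the `EXPECTED_SEUSER` variable are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the selinux list thread): report files whose
# SELinux *user* field differs from the expected one.
# Input format, one file per line:  <context><TAB><path>
# which is what this produces on the file server (GNU find):
#     find /srv -printf '%Z\t%p\n' | report_mislabelled
# The sample listing further down is constructed, not taken from a real host.

EXPECTED_SEUSER="${EXPECTED_SEUSER:-unconfined_u}"

# report_mislabelled: read "context<TAB>path" lines on stdin and print
# "<path><TAB><context>" for each file whose user field (the part before
# the first ':') is not $EXPECTED_SEUSER. The path is split off first so
# a ':' inside the MLS range (e.g. s0-s0:c0.c1023) cannot confuse it.
report_mislabelled() {
    awk -F'\t' -v want="$EXPECTED_SEUSER" '
        NF >= 2 {
            split($1, ctx, ":")            # user:role:type:level
            if (ctx[1] != want) print $2 "\t" $1
        }'
}

# count_mislabelled: same input, prints only the number of offending files.
count_mislabelled() {
    report_mislabelled | wc -l | tr -d ' '
}

# sample_listing: constructed stand-in for the find output above, mixing
# correctly labelled files with two carrying the system_u user field.
sample_listing() {
    printf '%s\t%s\n' \
        unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/notes.txt \
        system_u:object_r:user_home_t:s0     /srv/exports/alice/draft.odt \
        unconfined_u:object_r:user_home_t:s0 /srv/exports/bob/.bashrc \
        system_u:object_r:user_home_t:s0     /srv/exports/bob/report.pdf
}

# Run with --demo to see the two mislabelled files from the sample.
if [ "${1:-}" = "--demo" ]; then
    sample_listing | report_mislabelled
    echo "mislabelled: $(sample_listing | count_mislabelled)"
fi
```

On the real server, pipe `find /srv -printf '%Z\t%p\n'` into `report_mislabelled` and keep the counts from successive runs; a count that keeps growing after a `restorecon -FR /srv` confirms that some process is still creating files with `system_u`, and `ps -eZ` on the desktop boxes is the place to look for which user processes are not running as `unconfined_u`.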


