NFS Home Directory Files Mis-Labelled

Daniel J Walsh dwalsh at redhat.com
Mon May 6 19:25:25 UTC 2013



On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
> 
> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
> 
>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>> 
>>> Last summer, I set up a network with about a dozen stationary boxes and
>>> 15-20 moveable users.  All users are authenticating via FreeIPA, and
>>> have their home directories NFS-mounted from a central file server.
>>> Both the desktop boxes and the file server were running Fedora 16.
>>> 
>>> +  User home directories were mounted from "/srv/exports/<user_name>".
>>> 
>>> +  The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>>> 
>>> +  The file server had 
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>> 
>>> /srv   system_u:object_r:home_root_t:s0
>>> 
>>> All was working well.
>>> 
>>> In March, I upgraded all of the desktop boxes, as well as the file
>>> server and the FreeIPA server to Fedora 18.
>>> 
>>> +  User home directories are still mounted from
>>> "/srv/exports/<user_name>".
>>> 
>>> +  The desktop boxes still have SE Linux boolean
>>> "use_nfs_home_dirs=1".
>>> 
>>> +  The file server still has 
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>> 
>>> /srv   system_u:object_r:home_root_t:s0
>>> 
>>> 
>>> The problem is that, as some users create files, they are being
>>> created with context:
>>> 
>>> "system_u:object_r:user_home_t:s0"
>>> 
>>> rather than:
>>> 
>>> "unconfined_u:object_r:user_home_t:s0"
>>> 
>>> If I run "restorecon -FR /srv", then the files are re-labelled to the
>>> "unconfined_u".
>>> 
>>> I don't know how frequently files are created with the wrong context.
>>> 
>>> Any ideas as to what is happening?
>>> 
>>> Thanks.
>>> 
>> Dan wrote a great blog
>> 
>> http://danwalsh.livejournal.com/63586.html
>> 
>> where you can find answers. Basically "unconfined_u" tells you that files
>> have been created by a process running with "unconfined_u:*:*:*" context.
> 
> Miroslav, thanks for replying.
> 
> I think the "user_home_t" types are correct.  Our problem is that a normal
> user doing a normal user thing -- albeit in a NFS mounted home directory --
> is creating files that are labelled as "system_u" rather than
> "unconfined_u", which then limits the user's subsequent ability to interact
> with the file.  If this problem existed prior to our upgrade to F18, we did
> not notice it.
> 
> From your response, I take it that some normal user processes are running
> in the wrong context, resulting in files being created with a "system_u"
> context.  Any thoughts on how to track down which processes are running in
> the wrong context, and how to fix that?
> 
> Thanks.
> 
SELinux does not enforce on the User component in any policy we ship, so this is
not a problem, but you do point out an inconsistency.

We should bring this up for discussion on the mail list, but I guess until we
get labeled NFS we cannot do anything about it.  The server does not know
what label the client process is running with.

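As an added example (not part of the thread, and not a tool from the SELinux project), here is a small POSIX shell helper for the detection side of what Mike describes: given `context path` lines of the kind `ls -Z` or GNU `find -printf '%Z %p\n'` produce, it reports every file whose SELinux user or type component differs from what you expect under an NFS-exported home tree. The sample input is constructed to mirror the thread (`/srv/exports/<user>` with a mix of `unconfined_u` and `system_u` files); the paths, file names and the `default_t` line are assumptions, and `scan_live` assumes a GNU `find` built with SELinux support.

```shell
#!/bin/sh
# Added example: detect files under an NFS-exported home tree whose SELinux
# context does not match the expected user/type components.
# Not from the original mailing-list thread.

# Constructed sample in "context path" form, mirroring the thread: some files
# were created as system_u instead of unconfined_u. Paths are made up.
SAMPLE_LSZ='unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/notes.txt
system_u:object_r:user_home_t:s0 /srv/exports/alice/report.odt
unconfined_u:object_r:user_home_t:s0 /srv/exports/bob/.bashrc
system_u:object_r:user_home_t:s0 /srv/exports/bob/scratch.log
unconfined_u:object_r:default_t:s0 /srv/exports/bob/tmp.bin'

# find_mislabelled EXPECTED_USER EXPECTED_TYPE
# Reads "context path" lines on stdin and prints the ones whose user or type
# component (fields 1 and 3 of user:role:type:range) differ from what is expected.
find_mislabelled() {
    expected_user="$1"
    expected_type="$2"
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        user="${ctx%%:*}"                 # first field: SELinux user
        rest="${ctx#*:}"                  # drop user
        rest="${rest#*:}"                 # drop role
        type="${rest%%:*}"                # third field: type
        if [ "$user" != "$expected_user" ] || [ "$type" != "$expected_type" ]; then
            printf '%s %s\n' "$ctx" "$path"
        fi
    done
}

# count_mislabelled EXPECTED_USER EXPECTED_TYPE
# Runs the check over the constructed sample and returns the number of hits.
count_mislabelled() {
    printf '%s\n' "$SAMPLE_LSZ" | find_mislabelled "$1" "$2" | wc -l | tr -d ' '
}

# scan_live DIR EXPECTED_USER EXPECTED_TYPE
# Same check over a real tree. Assumes GNU find with SELinux support, whose
# -printf '%Z' prints the file's security context. Not exercised here.
scan_live() {
    find "$1" -printf '%Z %p\n' | find_mislabelled "$2" "$3"
}

# Demonstration on the sample: expect unconfined_u / user_home_t everywhere.
printf '%s\n' "$SAMPLE_LSZ" | find_mislabelled unconfined_u user_home_t
```

Run against the sample, the check lists the two `system_u` files and the `default_t` file. On a real server the equivalent is `scan_live /srv/exports unconfined_u user_home_t`, and the remediation the thread already uses is `restorecon -FR /srv`; the `-F` matters because without it `restorecon` only resets the type component and leaves the user component (`system_u` here) untouched. As Dan notes, the shipped policies do not enforce on the user component, so such hits are a labelling inconsistency to track rather than an access denial.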
