NFS Home Directory Files Mis-Labelled
Daniel J Walsh
dwalsh at redhat.com
Mon May 6 19:25:25 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
>
> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
>
>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>>
>>> Last summer, I set up a network with about a dozen stationary boxes and
>>> 15-20 moveable users. All users are authenticating via FreeIPA, and
>>> have their home directories NFS-mounted from a central file server.
>>> Both the desktop boxes and the file server were running Fedora 16.
>>>
>>> + User home directories were mounted from "/srv/exports/<user_name>".
>>>
>>> + The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>>>
>>> + The file server had
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>>
>>> /srv system_u:object_r:home_root_t:s0
>>>
>>> All was working well.
>>>
>>> In March, I upgraded all of the desktop boxes, as well as the file
>>> server and the FreeIPA server to Fedora 18.
>>>
>>> + User home directories are still mounted from
>>> "/srv/exports/<user_name>".
>>>
>>> + The desktop boxes still have SE Linux boolean
>>> "use_nfs_home_dirs=1".
>>>
>>> + The file server still has
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>>
>>> /srv system_u:object_r:home_root_t:s0
>>>
>>>
>>> The problems is that, as some users create files, they are being
>>> created with context:
>>>
>>> "system_u:object_r:user_home_t:s0"
>>>
>>> rather than:
>>>
>>> "unconfined_u:object_r:user_home_t:s0"
>>>
>>> If I run "restorecon -FR /srv" , then the files are re-labelled to the
>>> "unconfined_u".
>>>
>>> I don't know how frequently files are created with the wrong context.
>>>
>>> Any ideas as to what is happening?
>>>
>>> Thanks.
>>>
>> Dan wrote a great blog
>>
>> http://danwalsh.livejournal.com/63586.html
>>
>> where you can find answers. Basically "unconfined_u" tells you that files
>> have been created by a process running with "unconfined_u:*:*:* context.
>
> Miroslav, thanks for replying.
>
> I think the "user_home_t" types are correct. Our problem is that a normal
> user doing a normal user thing -- albeit in a NFS mounted home directory --
> is creating files that are labelled as "system_u" rather than
> "unconfined_u", which then limits the user's subsequent ability to interact
> with the file. If this problem existed prior to our upgrade to F18, we did
> not notice it.
>
> From your response, I take it that some normal user processes are running
> in the wrong context, resulting in files being created with a "system_u"
> context. Any thoughts on how to track down which processes are running in
> the wrong context, and how to fix that?
>
> Thanks.
>
SELinux does not enforce on User component in any policy we ship so this is
not a problem, but you do point out an inconsistency.
We should bring this up for discussion on the mail list, but I guess until we
get labeling NFS we can not do anything about it. The server does not know
what the label of the client process is running with.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlGIA6UACgkQrlYvE4MpobOvigCeL9DQVQRBT8MeqsyXWHgFQ3ok
UfQAoIz8WKrGaZJk+p60Zeym5rTDlkBl
=49jD
-----END PGP SIGNATURE-----
More information about the selinux
mailing list