NFS Home Directory Files Mis-Labelled

Manuel Wolfshant wolfy at nobugconsulting.ro
Mon May 6 20:29:28 UTC 2013


On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
>
> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>
>> On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
>>>
>>> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
>>>
>>>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>>>>
>>>>> Last summer, I set up a network with about a dozen stationary boxes and
>>>>> 15-20 moveable users.  All users are authenticating via FreeIPA, and
>>>>> have their home directories NFS-mounted from a central file server.
>>>>> [...] The problem is that, as some users create files, they are being
>>>>> created with context:
>>>>>
>>>>> "system_u:object_r:user_home_t:s0"
>>>>>
>>>>> rather than:
>>>>>
>>>>> "unconfined_u:object_r:user_home_t:s0"
>>>>>
>>>>> If I run "restorecon -FR /srv", then the files are re-labelled to the
>>>>> "unconfined_u".
>>>>>
>>>>> I don't know how frequently files are created with the wrong context.
>>>>>
>>>>> Any ideas as to what is happening?
>>>>>
>>>>> Thanks.
>>>>>
>>>> Dan wrote a great blog
>>>>
>>>> http://danwalsh.livejournal.com/63586.html
>>>>
>>>> where you can find answers. Basically "unconfined_u" tells you that files
>>>> have been created by a process running with "unconfined_u:*:*:*" context.
>>>
>>> [...]
>>>
>> SELinux does not enforce on User component in any policy we ship so this is
>> not a problem, but you do point out an inconsistency.
>
> Dan, it must have created at least a wrinkle, because I did not notice 
> the labelling problem until a user complained about not being able to 
> use one of her files.  Running "restorecon -FR /srv" fixed the problem 
> for her.
>
>> We should bring this up for discussion on the mail list, but I guess until we
>> get labeling NFS we can not do anything about it.  The server does not know
>> what the label of the client process is running with.
>
> The server does the right thing some of the time.  In the same home
> directory, I'll see some files with "unconfined_u" and others with "system_u".
>
> I suppose until y'all figure this out, I'll set up a cron job to run 
> "restorecon -FR /srv" on the file server every night.
As an alternative workaround, you could rely on inotify to trigger a
relabel each time a file is created.
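One way to implement the inotify-triggered relabel suggested above, as an added example that is not part of the thread or of any project's code. It assumes inotify-tools (inotifywait) and restorecon are installed on the file server and that the exported home tree is /srv, as in the thread; the WATCH_ROOT variable and the event_to_path helper are this example's own names.

```shell
#!/bin/sh
# Added example: watch an NFS-exported home tree with inotifywait and run
# restorecon -F on every file that is created or moved in, so a file that
# lands as system_u is reset to the SELinux user recorded in the file-context
# database.  WATCH_ROOT defaults to /srv, the path used in the thread
# (assumption: the exported home directories live under it).
WATCH_ROOT="${WATCH_ROOT:-/srv}"

# Turn one inotifywait line, printed as "<path>|<EVENTS>" by the --format
# below, into the path to relabel.  Only CREATE and MOVED_TO events qualify
# (ISDIR may be appended, e.g. "CREATE,ISDIR"); any other event prints
# nothing and returns 1 so the caller can skip it.
event_to_path() {
    line=$1
    path=${line%|*}        # everything before the last '|'
    events=${line##*|}     # everything after the last '|'
    case ",$events," in
        *,CREATE,*|*,MOVED_TO,*)
            printf '%s\n' "$path"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Monitor loop.  -m keeps inotifywait running, -r recurses into the tree,
# -q silences its startup banner.  restorecon -R handles a whole directory
# created in one event (e.g. a tar extraction); -F is required because plain
# restorecon only fixes the type and leaves the user portion (system_u vs
# unconfined_u) untouched, which is exactly the field the thread is about.
watch_and_relabel() {
    inotifywait -m -r -q -e create -e moved_to --format '%w%f|%e' "$WATCH_ROOT" |
    while IFS= read -r line; do
        path=$(event_to_path "$line") || continue
        restorecon -RF "$path"
    done
}

# Start monitoring only when invoked with --run, so the functions above can
# be sourced and checked without the tools present.
if [ "${1:-}" = "--run" ]; then
    command -v inotifywait >/dev/null 2>&1 || { echo "inotify-tools required" >&2; exit 1; }
    command -v restorecon  >/dev/null 2>&1 || { echo "restorecon required" >&2; exit 1; }
    watch_and_relabel
fi
```

Run it as `sh relabel-watch.sh --run` under a service manager on the file server; files written over NFS that arrive with the wrong user field are relabelled within moments of creation instead of waiting for a nightly cron pass, and the nightly `restorecon -FR /srv` can stay as a catch-all for anything missed while the watcher was not running. Note that inotify watches are per-directory, so a very large tree needs a correspondingly large fs.inotify.max_user_watches.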

