What is the correct way to create a users home dir

Jayson Hurst swazup at hotmail.com
Wed Feb 12 18:57:45 UTC 2014


It's running as: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

But now that I see that, I understand what is happening. I am testing this on an older version of the product, and in that version the create script is actually run by the service making the authentication request. So in my test case, su or ssh.

If I wanted to make this work for the older version (in the newer version the script is launched by the daemon), what do I need to do, or what can I do?

> Date: Wed, 12 Feb 2014 13:44:06 -0500
> From: dwalsh at redhat.com
> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> Subject: Re: What is the correct way to create a users home dir
> 
> On 02/12/2014 01:31 PM, Jayson Hurst wrote:
> > Same results:
> > 
> > # ls -laZ
> > drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 .
> > dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
> > 
> > # ssh tu-1 at localhost
> > tu-1 at localhost's password:
> > 
> > -sh-4.1$ ls -laZ
> > drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .
> > drwxr-xr-x. root root      system_u:object_r:home_root_t:s0 ..
> > -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_logout
> > -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_profile
> > -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bashrc
> > drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .gnome2
> > drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .mozilla
> > -rw-------. tu-1 UnixGroup unconfined_u:object_r:home_root_t:s0 .vas_disauthcc_100001
> > -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .vas_logon_server
> > -sh-4.1$ exit
> > logout
> > Connection to localhost closed.
> > 
> > # ls -laZ
> > drwxr-xr-x. root   root      system_u:object_r:home_root_t:s0 .
> > dr-xr-xr-x. root   root      system_u:object_r:root_t:s0      ..
> > drwx------. tu-1   UnixGroup system_u:object_r:home_root_t:s0 tu-1
> > 
> > Does the home directory creation script have to be labelled any particular
> > type? The main daemon is running as type qasd_t and the binary is labelled
> > as qasd_exec_t, the script is labelled as qasd_bin_t. I am not sure if this
> > matters.
> > 
> > unconfined_u:system_r:qasd_t:s0 root    4321     1  0 Feb11 ? 00:00:12 /opt/quest/sbin/.vasd -p /var/opt/quest/vas/vasd/.vasd.pid
> > unconfined_u:system_r:qasd_t:s0 daemon  4333  4321  0 Feb11 ? 00:00:23 /opt/quest/sbin/.vasd -p /var/opt/quest/vas/vasd/.vasd.pid
> > 
> > The script that creates the directory is doing nothing special, just a
> > mkdir /home/$username, sets the user as the owner and changes permissions
> > and then copies over the skel files.
> > 
> > 
> >> Date: Wed, 12 Feb 2014 13:12:58 -0500
> >> From: dwalsh at redhat.com
> >> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
> >> Subject: Re: What is the correct way to create a users home dir
> >> 
> > On 02/12/2014 01:05 PM, Jayson Hurst wrote:
> >> # sesearch -T -s qasd_t -c dir
> >> Found 5 semantic te rules:
> >>    type_member qasd_t user_home_dir_t : dir user_home_dir_t;
> >>    type_transition qasd_t user_home_dir_t : dir user_home_t;
> >>    type_transition qasd_t var_auth_t : dir qasd_var_auth_t;
> >>    type_transition qasd_t etc_t : dir qasd_conf_t;
> >>    type_transition qasd_t home_root_t : dir user_home_dir_t;
> > 
> > 
> > Could you test again.
> > 
> > 
> I wonder if the script is actually running as qasd_t, could you run id -Z
> within the script to write its label to a file.
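The home-directory creation script as the thread describes it (mkdir, chown, chmod, copy the skel files), extended with the diagnostic Dan Walsh asks for (write the script's own `id -Z` label to a file) and a check of the type the kernel assigned to the new directory. This is an added example, not the script from the thread or from the product; the base directory, skel directory and log file are parameters and are assumptions, not the product's paths.

```shell
#!/bin/sh
# Added example, not the thread's script: home-directory creation as the
# thread describes it (mkdir, chown, chmod, copy skel) plus Dan Walsh's
# diagnostic (log the script's own label with `id -Z`) and a check of the
# type the kernel gave the new directory. BASE, SKEL and LOG are
# parameters (assumed, not the product's paths) so it also runs in a
# scratch directory as an unprivileged user.

# create_home BASE USER SKEL LOG
create_home() {
    base="$1"; user="$2"; skel="$3"; log="$4"
    home="$base/$user"

    # The domain the script runs in decides which type_transition rule
    # applies. id -Z fails on a kernel without SELinux; log that instead.
    ctx=$(id -Z 2>/dev/null || echo "no-selinux")
    printf 'script context: %s\n' "$ctx" >> "$log"

    mkdir -p "$home" || return 1
    chmod 700 "$home"
    # Only root can hand the directory over to the user.
    if [ "$(id -u)" -eq 0 ]; then chown "$user" "$home"; fi

    # Copy the skeleton dotfiles, as the thread's script does.
    for f in "$skel"/.[!.]* "$skel"/*; do
        [ -e "$f" ] && cp -R "$f" "$home"/
    done

    # Expected: user_home_dir_t from the qasd_t -> home_root_t transition.
    # home_root_t (as seen in the thread) means the script did not run in
    # the expected domain; restorecon relabels from the file-context rules.
    dirctx=$(ls -dZ "$home" 2>/dev/null | awk '{print $1}')
    printf 'home dir context: %s\n' "${dirctx:-?}" >> "$log"
    case "$dirctx" in
        *user_home_dir_t*) ;;
        *) command -v restorecon >/dev/null 2>&1 &&
               restorecon -R "$home" 2>/dev/null || true ;;
    esac
    return 0
}

# Usage as root in the thread's setting (log path is an assumption):
#   create_home /home "$username" /etc/skel /var/log/create_home.log
if [ $# -ge 1 ]; then
    create_home /home "$1" /etc/skel /var/log/create_home.log
fi
```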