What is the correct way to create a users home dir

Daniel J Walsh dwalsh at redhat.com
Wed Feb 12 20:35:44 UTC 2014


On 02/12/2014 01:57 PM, Jayson Hurst wrote:
> It's running as: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> But now that I see that I understand what is happening. I am testing this
> on an older version of the product, and in that version the create script is
> actually run by the service making the authentication request. So in my
> test case, su or ssh.
> 
> If I wanted to make this work for the older version (in the newer version the
> script is launched by the daemon), what do I need to do, or what can I do?
> 
> 
You have to get the daemon running as the type, by transitioning from the init
system or from unconfined_t.  It sounds to me like you have the daemon
running outside of the initscript and run by unconfined_t, which will not do
the transition.
>> Date: Wed, 12 Feb 2014 13:44:06 -0500
>> From: dwalsh at redhat.com
>> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
>> Subject: Re: What is the correct way to create a users home dir
>> 
> On 02/12/2014 01:31 PM, Jayson Hurst wrote:
>> Same results:
> 
>> # ls -laZ
>> drwxr-xr-x. root root system_u:object_r:home_root_t:s0 .
>> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
> 
>> # ssh tu-1@localhost
>> tu-1@localhost's password:
> 
>> -sh-4.1$ ls -laZ
>> drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_logout
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bash_profile
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .bashrc
>> drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .gnome2
>> drwxr-xr-x. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .mozilla
>> -rw-------. tu-1 UnixGroup unconfined_u:object_r:home_root_t:s0 .vas_disauthcc_100001
>> -rw-r--r--. tu-1 UnixGroup system_u:object_r:home_root_t:s0 .vas_logon_server
>> -sh-4.1$ exit
>> logout
>> Connection to localhost closed.
> 
>> # ls -laZ
>> drwxr-xr-x. root root system_u:object_r:home_root_t:s0 .
>> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
>> drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 tu-1
> 
>> Does the home directory creation script have to be labelled any
>> particular type? The main daemon is running as type qasd_t and the binary
>> is labelled as qasd_exec_t, the script is labelled as qasd_bin_t. I am
>> not sure if this matters.
> 
>> unconfined_u:system_r:qasd_t:s0 root   4321    1  0 Feb11 ? 00:00:12 /opt/quest/sbin/.vasd -p /var/opt/quest/vas/vasd/.vasd.pid
>> unconfined_u:system_r:qasd_t:s0 daemon 4333 4321  0 Feb11 ? 00:00:23 /opt/quest/sbin/.vasd -p /var/opt/quest/vas/vasd/.vasd.pid
> 
>> The script that creates the directory is doing nothing special, just a 
>> mkdir /home/$username, sets the user as the owner and changes
>> permissions and then copies over the skel files.
> 
> 
>>> Date: Wed, 12 Feb 2014 13:12:58 -0500
>>> From: dwalsh at redhat.com
>>> To: swazup at hotmail.com; selinux at lists.fedoraproject.org
>>> Subject: Re: What is the correct way to create a users home dir
> 
>> On 02/12/2014 01:05 PM, Jayson Hurst wrote:
>>> # sesearch -T -s qasd_t -c dir
>>> Found 5 semantic te rules:
>>>    type_member qasd_t user_home_dir_t : dir user_home_dir_t;
>>>    type_transition qasd_t user_home_dir_t : dir user_home_t;
>>>    type_transition qasd_t var_auth_t : dir qasd_var_auth_t;
>>>    type_transition qasd_t etc_t : dir qasd_conf_t;
>>>    type_transition qasd_t home_root_t : dir user_home_dir_t;
> 
> 
>> Could you test again.
> 
> 
> I wonder if the script is actually running as qasd_t; could you run id -Z 
> within the script to write its label to a file.
> 
> 
> 

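The diagnosis in this thread (the new directory under /home came out as home_root_t, inherited from its parent, because the process that ran mkdir was not qasd_t and so the qasd_t type_transition rule never applied) can be checked mechanically. The following script is an added example, not code from the thread or from the product being discussed. It embeds the sesearch rules and the final `ls -laZ` listing quoted above as constructed input, predicts what type a new directory should receive for a given creator context, and flags entries whose actual type differs. The parser assumes the five-field `ls -Z` layout shown in the thread (mode, owner, group, context, name); the contexts DAEMON_CONTEXT and SHELL_CONTEXT are the ones quoted in the thread.

```python
import re

# Constructed input: the `sesearch -T -s qasd_t -c dir` output quoted in the thread.
SESEARCH_OUTPUT = """\
Found 5 semantic te rules:
   type_member qasd_t user_home_dir_t : dir user_home_dir_t;
   type_transition qasd_t user_home_dir_t : dir user_home_t;
   type_transition qasd_t var_auth_t : dir qasd_var_auth_t;
   type_transition qasd_t etc_t : dir qasd_conf_t;
   type_transition qasd_t home_root_t : dir user_home_dir_t;
"""

# Constructed input: the final `ls -laZ /home` listing quoted in the thread
# (RHEL 6 style: mode owner group context name, no link count or size).
LS_OUTPUT = """\
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
drwx------. tu-1 UnixGroup system_u:object_r:home_root_t:s0 tu-1
"""

# Process contexts quoted in the thread: the daemon (ps -Z) and the su/ssh user (id -Z).
DAEMON_CONTEXT = "unconfined_u:system_r:qasd_t:s0"
SHELL_CONTEXT = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

TRANSITION_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+);", re.MULTILINE
)


def parse_transitions(sesearch_text):
    """Map (source_type, target_type, object_class) -> result_type.

    type_member and other rule kinds are ignored; only type_transition decides
    the label a newly created object gets.
    """
    return {
        (src, tgt, cls): result
        for src, tgt, cls, result in TRANSITION_RE.findall(sesearch_text)
    }


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % context)
    return fields[2]


def predict_type(rules, creator_context, parent_context, object_class="dir"):
    """Type a new object receives from this creator inside this parent.

    If a type_transition rule matches (creator type, parent type, class) its
    result type applies; otherwise the new object inherits the parent's type.
    """
    creator = context_type(creator_context)
    parent = context_type(parent_context)
    return rules.get((creator, parent, object_class), parent)


def parse_ls_z(ls_text):
    """Map entry name -> security context for five-field `ls -laZ` lines."""
    entries = {}
    for line in ls_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5:
            entries[fields[4]] = fields[3]
    return entries


def audit_listing(rules, creator_context, ls_text, object_class="dir"):
    """Return {name: (actual_type, expected_type)} for entries whose type is
    not what the creator should have produced under the given rules.
    All entries in the listing are assumed to be of object_class."""
    entries = parse_ls_z(ls_text)
    expected = predict_type(rules, creator_context, entries["."], object_class)
    mismatches = {}
    for name, context in entries.items():
        if name in (".", ".."):
            continue
        actual = context_type(context)
        if actual != expected:
            mismatches[name] = (actual, expected)
    return mismatches


if __name__ == "__main__":
    rules = parse_transitions(SESEARCH_OUTPUT)
    parent = "system_u:object_r:home_root_t:s0"
    for who, ctx in (("daemon", DAEMON_CONTEXT), ("shell", SHELL_CONTEXT)):
        print(who, "would create:", predict_type(rules, ctx, parent))
        print(who, "mismatches:", audit_listing(rules, ctx, LS_OUTPUT))
```

Run against the quoted data, the daemon context predicts user_home_dir_t and flags tu-1 (actual home_root_t), while the unconfined shell context has no matching rule in the embedded set, predicts plain inheritance of home_root_t, and flags nothing; that is the signature of a script that ran under the wrong domain. On a live system replace the embedded text with `id -Z` written from inside the create script, `sesearch -T -s <that type> -t home_root_t -c dir`, and `ls -laZ /home`. `restorecon -Rv /home/<user>` repairs the labels already on disk but does not fix the cause, which is the missing domain transition.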