On 6 May 2013, at 02:33, Miroslav Grepl wrote:
On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>
> Last summer, I set up a network with about a dozen stationary
> boxes and 15-20 moveable users. All users are authenticating via
> FreeIPA, and have their home directories NFS-mounted from a
> central file server. Both the desktop boxes and the file server
> were running Fedora 16.
>
> + User home directories were mounted from "/srv/exports/<user_name>".
>
> + The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>
> + The file server had "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>
> /srv system_u:object_r:home_root_t:s0
>
> All was working well.
>
> In March, I upgraded all of the desktop boxes, as well as the file
> server and the FreeIPA server to Fedora 18.
>
> + User home directories are still mounted from "/srv/exports/<user_name>".
>
> + The desktop boxes still have SE Linux boolean
> "use_nfs_home_dirs=1".
>
> + The file server still has "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>
> /srv system_u:object_r:home_root_t:s0
>
>
> The problem is that, as some users create files, they are being
> created with context:
>
> "system_u:object_r:user_home_t:s0"
>
> rather than:
>
> "unconfined_u:object_r:user_home_t:s0"
>
> If I run "restorecon -FR /srv", then the files are re-labelled to
> the "unconfined_u".
>
> I don't know how frequently files are created with the wrong context.
>
> Any ideas as to what is happening?
>
> Thanks.
>
Dan wrote a great blog
http://danwalsh.livejournal.com/63586.html
where you can find answers. Basically "unconfined_u" tells you that
files have been created by a process running with
"unconfined_u:*:*:*" context.
Miroslav, thanks for replying.
I think the "user_home_t" types are correct. Our problem is that a
normal user doing a normal user thing -- albeit in an NFS-mounted home
directory -- is creating files that are labelled as "system_u" rather
than "unconfined_u", which then limits the user's subsequent ability
to interact with the file. If this problem existed prior to our
upgrade to F18, we did not notice it.
From your response, I take it that some normal user processes are
running in the wrong context, resulting in files being created with a
"system_u" context. Any thoughts on how to track down which
processes are running in the wrong context, and how to fix that?
Thanks.
--
Mike
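As an added example (not code from either poster), a small shell helper for the two questions in this thread: which files under the exported home tree carry the SELinux user "system_u" instead of "unconfined_u", and which processes owned by ordinary users are running with a "system_u" label and are therefore the likely creators. It assumes GNU find's `-printf '%Z %p'` and procps `ps -o label` for real input, and runs here on constructed sample listings.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Both functions read label
# listings on stdin; on a real file server / desktop feed them:
#   find /srv/exports -printf '%Z %p\n' | mislabelled_files unconfined_u
#   ps -eo label,user,pid,comm        | system_u_user_procs
# Below they run on constructed sample output embedded in this script.

# Print "<path> <context>" for each "<context> <path>" line whose SELinux
# user (first field of user:role:type:level) is not the expected one in $1.
mislabelled_files() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[1] != want) print $2, $1
        }'
}

# Print "<pid> <comm> <context>" for processes owned by a non-root Unix user
# but labelled with SELinux user system_u: files such a process creates in
# the home tree inherit system_u, which is the symptom reported above.
system_u_user_procs() {
    awk '
        NF >= 4 {
            split($1, ctx, ":")
            if (ctx[1] == "system_u" && $2 != "root") print $3, $4, $1
        }'
}

# Constructed sample in the shape of: find /srv/exports -printf '%Z %p\n'
SAMPLE_FIND='unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/notes.txt
system_u:object_r:user_home_t:s0 /srv/exports/alice/.bash_history
unconfined_u:object_r:user_home_t:s0 /srv/exports/bob/report.odt
system_u:object_r:user_home_t:s0 /srv/exports/bob/.cache/session'

# Constructed sample in the shape of: ps -eo label,user,pid,comm
SAMPLE_PS='LABEL USER PID COMMAND
system_u:system_r:init_t:s0 root 1 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 alice 3890 bash
system_u:system_r:unconfined_t:s0 alice 4021 backup.sh
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bob 4100 vim'

demo_files() { printf '%s\n' "$SAMPLE_FIND" | mislabelled_files unconfined_u; }
demo_procs() { printf '%s\n' "$SAMPLE_PS" | system_u_user_procs; }

demo_files
demo_procs
```

The `restorecon -FR /srv` from the thread repairs such files because `-F` resets the user and role fields of the context as well as the type; without `-F`, restorecon corrects only the type and leaves "system_u" in place.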