-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>>
>>> Last summer, I set up a network with about a dozen stationary boxes and
>>> 15-20 moveable users. All users are authenticating via FreeIPA, and
>>> have their home directories NFS-mounted from a central file server.
>>> Both the desktop boxes and the file server were running Fedora 16.
>>>
>>> + User home directories were mounted from
>>> "/srv/exports/<user_name>".
>>>
>>> + The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>>>
>>> + The file server had
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>>
>>> /srv system_u:object_r:home_root_t:s0
>>>
>>> All was working well.
>>>
>>> In March, I upgraded all of the desktop boxes, as well as the file
>>> server and the FreeIPA server to Fedora 18.
>>>
>>> + User home directories are still mounted from
>>> "/srv/exports/<user_name>".
>>>
>>> + The desktop boxes still have SE Linux boolean
>>> "use_nfs_home_dirs=1".
>>>
>>> + The file server still has
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>>
>>> /srv system_u:object_r:home_root_t:s0
>>>
>>>
>>> The problem is that, as some users create files, they are being
>>> created with context:
>>>
>>> "system_u:object_r:user_home_t:s0"
>>>
>>> rather than:
>>>
>>> "unconfined_u:object_r:user_home_t:s0"
>>>
>>> If I run "restorecon -FR /srv", then the files are re-labelled to the
>>> "unconfined_u".
>>>
>>> I don't know how frequently files are created with the wrong context.
>>>
>>> Any ideas as to what is happening?
>>>
>>> Thanks.
>>>
>> Dan wrote a great blog
>>
>> http://danwalsh.livejournal.com/63586.html
>>
>> where you can find answers. Basically "unconfined_u" tells you that files
>> have been created by a process running with "unconfined_u:*:*:*" context.
>
> Miroslav, thanks for replying.
>
> I think the "user_home_t" types are correct. Our problem is that a normal
> user doing a normal user thing -- albeit in an NFS mounted home directory --
> is creating files that are labelled as "system_u" rather than
> "unconfined_u", which then limits the user's subsequent ability to interact
> with the file. If this problem existed prior to our upgrade to F18, we did
> not notice it.
>
> From your response, I take it that some normal user processes are running
> in the wrong context, resulting in files being created with a "system_u"
> context. Any thoughts on how to track down which processes are running in
> the wrong context, and how to fix that?
>
> Thanks.

SELinux does not enforce on the User component in any policy we ship, so this is
not a problem, but you do point out an inconsistency.

We should bring this up for discussion on the mailing list, but I guess until we
get labeled NFS we cannot do anything about it. The server does not know
what label the client process is running with.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlGIA6UACgkQrlYvE4MpobOvigCeL9DQVQRBT8MeqsyXWHgFQ3ok
UfQAoIz8WKrGaZJk+p60Zeym5rTDlkBl
=49jD
-----END PGP SIGNATURE-----
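An added illustration of the point made in this thread (example code written for this page, not posted by any of the participants): the reply above says the shipped targeted policy does not enforce on the SELinux user field, so a `system_u` versus `unconfined_u` difference on a `user_home_t` file is an inconsistency rather than an access problem, whereas a wrong type would actually change access decisions. The script parses a listing in the shape of `find /srv/exports -printf '%Z %p\n'` output and separates the two cases. The listing, the paths under `/srv/exports` and the label mix are constructed for the example; the only real command it relies on is the `restorecon -FR /srv` already mentioned in the thread, which it merely reports as the fix-up step.

```python
"""Audit SELinux file contexts on an NFS-exported home tree and separate
user-field-only deviations (cosmetic under the targeted policy) from type
deviations (which affect access).  Added example; not from the thread."""
from collections import Counter

# Constructed sample listing in the shape of
#   find /srv/exports -printf '%Z %p\n'
# (hypothetical paths and labels, not captured from a real host).
SAMPLE_LISTING = """\
system_u:object_r:home_root_t:s0 /srv/exports
unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/notes.txt
system_u:object_r:user_home_t:s0 /srv/exports/alice/build.log
system_u:object_r:user_home_t:s0 /srv/exports/bob/.bashrc
unconfined_u:object_r:user_home_t:s0 /srv/exports/bob/report.odt
unconfined_u:object_r:default_t:s0 /srv/exports/carol/stray.dat
"""


def parse_context(ctx):
    """Split 'user:role:type:level' into a dict.

    The MLS/MCS level may itself contain colons (e.g. s0-s0:c0.c1023),
    so split at most three times and keep the remainder as the level."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_listing(text):
    """Yield (path, context_dict) pairs from '<context> <path>' lines.

    Paths are everything after the first whitespace, so spaces in names
    survive."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ctx, path = line.split(None, 1)
        yield path, parse_context(ctx)


def audit(text, home_root="/srv/exports", expected_user="unconfined_u",
          home_types=("user_home_t", "home_root_t")):
    """Return (user_only, wrong_type).

    user_only:  user_home_t files whose SELinux user is not expected_user.
                Per the thread, the targeted policy does not enforce on
                this field, so these are an inconsistency, not a denial.
    wrong_type: entries under home_root whose type is outside home_types.
                These are the ones that change access decisions and need
                a real fix (context rule or restorecon)."""
    user_only = []
    wrong_type = []
    for path, ctx in parse_listing(text):
        if not path.startswith(home_root):
            continue
        if ctx["type"] not in home_types:
            wrong_type.append((path, ctx["type"]))
        elif ctx["type"] == "user_home_t" and ctx["user"] != expected_user:
            user_only.append((path, ctx["user"]))
    return user_only, wrong_type


def user_histogram(text):
    """Count entries per SELinux user field, to see how widespread the
    system_u/unconfined_u split is in a listing."""
    return Counter(ctx["user"] for _, ctx in parse_listing(text))


if __name__ == "__main__":
    users, types = audit(SAMPLE_LISTING)
    print("user field distribution:", dict(user_histogram(SAMPLE_LISTING)))
    for path, user in users:
        print(f"user-only deviation (harmless under targeted): {path} [{user}]")
    for path, typ in types:
        print(f"WRONG TYPE (affects access): {path} [{typ}]")
    if users:
        print("user field can be reset with: restorecon -FR /srv")
```

The `-F` in `restorecon -FR` is what makes the user field get reset; without it, restorecon only corrects the type. Run against a real listing, the `wrong_type` list is the one worth acting on first.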