On Thu, 2013-10-17 at 12:25 +0200, Juan Orti Alcaine wrote:
> Hello,
> I'm creating a package for bitcoin, and I must have messed up the file
> contexts, because the directory /var/lib/bitcoin is always labeled as
> 'user_home_dir_t'.
There's a function in libsemanage that creates user home dir contexts per
(real) user. This function gets called by semanage/semodule when
something gets committed, e.g. when you run semodule or semanage.
What it does is it tries to determine the real users on the system, and
their home dirs. Basically, if the uid is => 1000 and a valid login shell is
set for the user, then the genhomedircon function labels the dir that is
specified as home dir with user home dir contexts.
So if you have a system user (not a real user) and you assign it a uid
=> 1000, and give it a login shell, then genhomedircon says: ok, this is
a real user and so the dir that is specified as user home dir for this user
must have file contexts accordingly.
The fix would probably be to change the user's uid/login shell.
Alternately, I believe libsemanage now supports an option ignoredirs,
which can be located in /etc/selinux/semanage.conf.
If you specify for example ignoredirs=/var/lib/bitcoin;/some/other/dir,
then semanage_genhomedircon will ignore creating file contexts for
those dirs (I believe). This ignoredirs option is reasonably new
(it's not in rhel6 I believe) and it should probably preferably not be
used.
Instead change uid/login shell and then genhomedircon will not try to
generate homedir contexts for this user.
I think a uid of 988 is still considered a real user id (I think real
users are 1000+, see /etc/login.defs).
> Previously, I had a regular user 'bitcoin' with a homedir in
> /home/bitcoin, but I removed it and its homedir some days ago. Now it's
> a system user:
>
> # grep bitcoin /etc/passwd
> bitcoin:x:988:983:Bitcoin wallet server:/var/lib/bitcoin:/sbin/nologin
> # grep bitcoin /etc/group
> bitcoin:x:983:
>
> bitcoin.fc:
> /var/lib/bitcoin(/.*)?    gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
>
> # ls -laZ /var/lib/bitcoin/
> drwxr-x---. bitcoin bitcoin user_u:object_r:user_home_dir_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
>
> # chcon -u system_u -r object_r -t bitcoin_var_lib_t /var/lib/bitcoin/
> # restorecon -F -r -v /var/lib/bitcoin
> restorecon reset /var/lib/bitcoin context system_u:object_r:bitcoin_var_lib_t:s0->user_u:object_r:user_home_dir_t:s0
>
> # semanage fcontext -l | grep bitcoin
> /etc/bitcoin(/.*)?        all files       system_u:object_r:bitcoin_conf_t:s0
> /usr/bin/bitcoind         regular file    system_u:object_r:bitcoin_exec_t:s0
> /var/lib/bitcoin(/.*)?    all files       system_u:object_r:bitcoin_var_lib_t:s0
>
> How are the homedir contexts managed? I can't figure out a way to get it
> labeled correctly. Any hint?
> Thank you.
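As an added illustration, not code from this thread or from libsemanage: a small Python model of the selection rule the reply describes (uid at or above UID_MIN from /etc/login.defs, a real login shell, and no match in the semanage.conf ignoredirs list), which shows which accounts would receive user home dir contexts. The passwd, login.defs and shells contents are constructed samples, and the rule is an approximation of the reply's description, not genhomedircon's actual code.

```python
import re

def uid_min_from_login_defs(login_defs):
    """UID_MIN from login.defs text; assume 1000 when the key is absent."""
    m = re.search(r"^\s*UID_MIN\s+(\d+)", login_defs, re.MULTILINE)
    return int(m.group(1)) if m else 1000

def ignoredirs_from_semanage_conf(semanage_conf):
    """The ';'-separated ignoredirs list from semanage.conf, or []."""
    m = re.search(r"^\s*ignoredirs\s*=\s*(\S+)", semanage_conf, re.MULTILINE)
    return [d for d in m.group(1).split(";") if d] if m else []

def homedir_users(passwd, login_defs, shells, semanage_conf=""):
    """Return {user: home} for accounts the described rule treats as real."""
    uid_min = uid_min_from_login_defs(login_defs)
    # Shells from /etc/shells that are real login shells (nologin/false skipped).
    login_shells = {s.strip() for s in shells.splitlines()
                    if s.strip().startswith("/")
                    and not s.strip().endswith(("nologin", "false"))}
    ignored = [d.rstrip("/") for d in ignoredirs_from_semanage_conf(semanage_conf)]
    users = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        name, uid, home, shell = f[0], int(f[2]), f[5], f[6]
        if uid < uid_min or shell not in login_shells:
            continue                      # system account: no homedir contexts
        if any(home == d or home.startswith(d + "/") for d in ignored):
            continue                      # excluded via ignoredirs
        users[name] = home
    return users

# Constructed sample input modelled on the thread, not copied from a real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
juan:x:1000:1000:Juan:/home/juan:/bin/bash
bitcoin:x:988:983:Bitcoin wallet server:/var/lib/bitcoin:/sbin/nologin
svc:x:1001:1001:service account with a login shell:/var/lib/svc:/bin/bash
"""
LOGIN_DEFS = "UID_MIN 1000\nUID_MAX 60000\n"
SHELLS = "/bin/sh\n/bin/bash\n/sbin/nologin\n"

if __name__ == "__main__":
    # 'svc' is the misconfigured case from the reply: uid >= 1000 plus a login
    # shell, so /var/lib/svc would be labeled as a home dir unless ignored.
    print(homedir_users(PASSWD, LOGIN_DEFS, SHELLS))
    print(homedir_users(PASSWD, LOGIN_DEFS, SHELLS, "ignoredirs=/var/lib/svc\n"))
```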