FC4 policy: problems with /home

Daniel J Walsh dwalsh at redhat.com
Thu Jul 14 14:58:11 UTC 2005


Ruth Ivimey-Cook wrote:

> Folks,
>
> I've updated a fileserver to FC4, and have a problem with the policy 
> settings for /home.
>
> Under /home I have directories for:
> - users home directories
> - samba, also containing some windows user profiles
> - the server's web hierarchy (what RH likes to put in /var/www)
> - general shared files (e.g. mp3s)
>
> Under FC3 all I had to do to get everything working was to include a 
> line equivalent to that for /var/www, but for /web  (why not /home/web 
> ? because /web is a softlink to /home web).
>
> Now, it rejects /web, so I tried adding /home/web to apache.fc, but 
> that has no noticeable effect when I do "restorecon -R /home/web".
>
> In addition, something is now preventing access to /home/samba/*, I 
> think because it's called from in home_root_t and the files there are 
> in user_home_t. See below for the log messages.
>
> Can anyone help me with pointers out of this mess?
>
> Thanks,
>
> Ruth
>
>
> Jul 14 14:07:49 filestore kernel: [4379544.608000] 
> audit(1121346469.104:0): avc:  denied  { getattr } for  path=/home 
> dev=md2 ino=2 scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> Jul 14 14:07:49 filestore kernel: [4379544.608000] 
> audit(1121346469.104:0): avc:  denied  { read } for  name=/ dev=md2 
> ino=2 scontext=system_u:system_r:smbd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> Jul 14 14:07:49 filestore kernel: [4379544.609000] 
> audit(1121346469.105:0): avc:  denied  { getattr } for  
> path=/home/rivimey/.kde dev=md2 ino=6508546 
> scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:user_home_t 
> tclass=dir
> Jul 14 14:07:49 filestore kernel: [4379544.609000] 
> audit(1121346469.105:0): avc:  denied  { getattr } for  
> path=/home/rivimey/.ICEauthority dev=md2 ino=6508597 
> scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:user_home_t 
> tclass=file
>
Does
setsebool -P samba_enable_home_dirs=1
help?
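
A triage helper for the denials quoted above, as an added example that is not part of the original thread: it groups AVC denials by source domain, target type and object class, which shows at a glance that every record here is smbd_t touching home_root_t or user_home_t. The function names are hypothetical, and the sample log is the thread's four records rejoined onto single lines.

```python
import re
from collections import defaultdict

# The four denials from the thread, rejoined so each record is one line.
SAMPLE_LOG = """\
Jul 14 14:07:49 filestore kernel: [4379544.608000] audit(1121346469.104:0): avc:  denied  { getattr } for  path=/home dev=md2 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir
Jul 14 14:07:49 filestore kernel: [4379544.608000] audit(1121346469.104:0): avc:  denied  { read } for  name=/ dev=md2 ino=2 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir
Jul 14 14:07:49 filestore kernel: [4379544.609000] audit(1121346469.105:0): avc:  denied  { getattr } for  path=/home/rivimey/.kde dev=md2 ino=6508546 scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:user_home_t tclass=dir
Jul 14 14:07:49 filestore kernel: [4379544.609000] audit(1121346469.105:0): avc:  denied  { getattr } for  path=/home/rivimey/.ICEauthority dev=md2 ino=6508597 scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a complete AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; assumes values contain no spaces (true for these records).
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        # An SELinux context is user:role:type[:level]; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }

def summarize(log_text):
    """Group denials by (source domain, target type, class) with the perms and objects seen."""
    summary = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[(rec["source"], rec["target"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        if rec["object"]:
            entry["objects"].add(rec["object"])
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }} on {sorted(info['objects'])}")
```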
