system user home

Vadym Chepkov vchepkov at gmail.com
Tue Jul 20 13:45:22 UTC 2010


On Jul 20, 2010, at 9:23 AM, Daniel J Walsh wrote:

> 
> On 07/20/2010 08:08 AM, Vadym Chepkov wrote:
>> 
>> On Jul 19, 2010, at 9:32 AM, Daniel J Walsh wrote:
>> 
>>> 
>>> On 07/16/2010 12:56 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>> 
>>>> Whenever I try to modify a policy I get a warning like this:
>>>> 
>>>> /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.
>>>> 
>>>> And this is true, I did create a system account with home in /var/lib/application
>>>> But, I need this account to have a real shell. How can I make SELinux happy?
>>>> 
>>>> Thank you,
>>>> Vadym Chepkov
>>>> --
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> Can you set the UID < 500?
>>> 
>>> Which OS is causing this?
>>> 
>>> In F12 and F13 you can add
>>> 
>>> usepasswd=FALSE
>>> 
>>> to /etc/selinux/semanage.conf
>>> 
>>> Which will tell genhomedircon to stop looking in /etc/passwd for homedirs.
>> 
>> 
>> It's RHEL5, so there is no such option in semanage.conf.
>> 
>> I have 2 userids defined this way:
>> 
>> app:x:610:610:App subsystem:/var/lib/application:/bin/bash
>> appftp:x:611:611:App ftp subsystem:/var/lib/application/ftproot:/bin/bash
>> 
>> 
>> SELinux is only unhappy about the first one.
>> 
>> I will try to change the id, but it's strange that it only affects one out of two.
>> 
>> Thanks,
>> Vadym
>> 
> genhomedircon is looking for a conflict of the labeling of the parent
> directory.
> 
> For app it wants to label /var/lib as home_root_t, but it sees a
> conflict in that /var/lib has a label in file_context file of var_lib_t.
> So it complains.
> 
> For /var/lib/application/ftproot it looks for /var/lib/application in
> the file_context file, and does not find the line so it can label
> /var/lib/application as home_root_t and it is successful.  I think in
> neither case you want those labels.
> 
> genhomedircon identifies "Real Users" as any user with a UID > 0 and a
> shell in /etc/shells and not the shell /bin/false or /sbin/nologin.
> 500, I assume

usermod fixed the problem, thank you.
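The two rules Dan describes above (which accounts count as "real users", and the parent-directory label conflict), worked through as an added example that is not part of the thread or of genhomedircon itself: a POSIX sh script run over constructed passwd, /etc/shells and file_contexts data. Its file_contexts lookup is an assumption: a spec is taken to match the parent directory when the two are equal after a trailing (/.*)? is stripped, standing in for the "finds / does not find the line" lookup described.

```shell
#!/bin/sh
# Constructed sample data (not read from a live system): the two passwd
# entries from the thread plus three controls, /etc/shells, file_contexts.
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
app:x:610:610:App subsystem:/var/lib/application:/bin/bash
appftp:x:611:611:App ftp subsystem:/var/lib/application/ftproot:/bin/bash
svc:x:612:612:svc:/opt/svc:/bin/false'
SHELLS='/bin/sh
/bin/bash
/bin/false
/sbin/nologin'
FILE_CONTEXTS='/var/lib(/.*)?  system_u:object_r:var_lib_t:s0
/home  system_u:object_r:home_root_t:s0'

# is_real_user UID SHELL: true when UID > 0, SHELL is listed in /etc/shells
# and SHELL is neither /bin/false nor /sbin/nologin.
is_real_user() {
  [ "$1" -gt 0 ] || return 1
  [ "$2" != /bin/false ] && [ "$2" != /sbin/nologin ] || return 1
  printf '%s\n' "$SHELLS" | grep -qx -- "$2"
}

# parent_type DIR: print the type file_contexts already assigns to DIR.
# Assumption: a spec matches when it equals DIR once a trailing (/.*)? is
# stripped; this stands in for the "finds / does not find the line" lookup.
parent_type() {
  printf '%s\n' "$FILE_CONTEXTS" | while read -r spec ctx; do
    dir=${spec%"(/.*)?"}
    if [ "$dir" = "$1" ]; then printf '%s\n' "$ctx" | cut -d: -f3; fi
  done
}

# check_user LOGIN: prints skip (not a real user), ok (parent may become
# home_root_t) or conflict:<type> (the case that produces the warning).
check_user() {
  entry=$(printf '%s\n' "$PASSWD" | grep "^$1:")
  uid=$(printf '%s' "$entry" | cut -d: -f3)
  home=$(printf '%s' "$entry" | cut -d: -f6)
  shell=$(printf '%s' "$entry" | cut -d: -f7)
  is_real_user "$uid" "$shell" || { echo skip; return 0; }
  ptype=$(parent_type "$(dirname "$home")")
  case $ptype in
    ''|home_root_t) echo ok ;;
    *) echo "conflict:$ptype" ;;
  esac
}

for u in root daemon app appftp svc; do printf '%s: %s\n' "$u" "$(check_user "$u")"; done
```

Only app reports a conflict (its parent /var/lib already carries var_lib_t), while appftp passes because nothing in the fragment covers /var/lib/application, which is exactly the asymmetry the thread observed.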
