Set context for NFS mounted homes

Andrew R. Fore arfore at valdosta.edu
Tue May 18 20:08:47 UTC 2010


I am having an issue setting the context for NFS mounted homes.  I have set the mode to enforcing as well as enabling the booleans for support of NFS home directories.  My homes mount and my NIS users can authenticate and see them with no problem.

The issue at hand is the following report from the AVC Alert service (note: I have obscured the real hostname in this e-mail):

+++

SELinux is preventing the restorecond from using potentially mislabeled files
(arfore).

Detailed Description:

SELinux has denied restorecond access to potentially mislabeled file(s)
(arfore). This means that SELinux will not allow restorecond to use these files.
It is common for users to edit files in their home directory or tmp directories
and then move (mv) them to system directories. The problem is that the files end
up with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want restorecond to access this files, you need to relabel them using
restorecon -v 'arfore'. You might want to relabel the entire directory using
restorecon -R -v '<Unknown>'.

Additional Information:

Source Context                system_u:system_r:restorecond_t
Target Context                user_u:object_r:user_home_t
Target Objects                arfore [ lnk_file ]
Source                        restorecond
Source Path                   /usr/sbin/restorecond
Port                          <Unknown>
Host                          xxx.xxxx.xxx
Source RPM Packages           policycoreutils-1.33.12-14.8.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     xxx.xxxx.xxx
Platform                      Linux xxx.xxxx.xxx 2.6.18-194.3.1.el5 #1 SMP
                             Sun May 2 04:17:42 EDT 2010 x86_64 x86_64
Alert Count                   29
First Seen                    Tue May 18 15:05:01 2010
Last Seen                     Tue May 18 15:39:31 2010
Local ID                      b41fdf79-19aa-4899-8f9f-6449124e61af
Line Numbers                  

Raw Audit Messages            

host=xxx.xxxx.xxx type=AVC msg=audit(1274211571.669:196): avc:  denied  { read } for  pid=2647 comm="restorecond" name="arfore" dev=0:19 ino=24714112 scontext=system_u:system_r:restorecond_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file

host=xxx.xxxx.xxx type=SYSCALL msg=audit(1274211571.669:196): arch=c000003e syscall=2 success=no exit=-13 a0=2b19408731e0 a1=20000 a2=0 a3=0 items=0 ppid=1 pid=2647 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)

+++

I have tried mounting the filesystem two different ways in an attempt to specify the desired context:

Manually:

mount -t nfs -o context=user_u:object_r:user_home_t SERVER_IP_HERE:/webroot/home /home

/etc/fstab

SERVER_IP_HERE:/webroot/home	/home	nfs	context="user_u:object_r:user_home_t:s0"	0 0

In both cases the file context is displayed as desired when running "ls -laZ" on my user home directory:

-rw-r--r--  arfore cs  user_u:object_r:user_home_t      .bash_login

However, after logging in via SSH I receive quite a few instances of the alert I listed above.

I understand that the long-term solution would be to appropriately label each file/directory on the mounted filespace; however, at the moment this is not an option, since we are still running two production Solaris 10 webservers that mount the same content.

Thanks,
Andy Fore

------

Andrew R. Fore
Systems Services Associate
Valdosta State University
Ph.: 229-333-7315
Fax: 229-333-4349
Email: arfore at valdosta.edu

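Added example, not part of the post or of any list reply: a small Python parser for AVC records of the kind quoted above. It pulls out the source domain, target type, object class and denied permissions, which is what you need to read off before deciding whether the fix is a relabel, a boolean, or a different mount context. The sample line is the poster's own AVC line (hostname obscured by the poster); the function and variable names are my own.

```python
import re

# Constructed sample: the AVC line from the message above, as reported by the host.
SAMPLE_AVC = ('host=xxx.xxxx.xxx type=AVC msg=audit(1274211571.669:196): avc:  denied  '
              '{ read } for  pid=2647 comm="restorecond" name="arfore" dev=0:19 '
              'ino=24714112 scontext=system_u:system_r:restorecond_t:s0 '
              'tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file')

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:range] into parts; the MLS range is optional."""
    parts = ctx.split(':', 3)          # maxsplit=3 keeps ranges like s0-s0:c0.c1023 intact
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    user, role, typ = parts[:3]
    return {'user': user, 'role': role, 'type': typ,
            'range': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }


def summarize(rec):
    """One-line human summary: which domain was denied what on which labeled object."""
    return '%s (%s) %s %s on %s "%s" labeled %s' % (
        rec['comm'], rec['source']['type'], rec['result'], ','.join(rec['perms']),
        rec['tclass'], rec['name'], rec['target']['type'])


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE_AVC)))
```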