NFS Home Directory Files Mis-Labelled

yersinia yersinia.spiros at gmail.com
Tue May 7 06:04:04 UTC 2013


Restorecond perhaps can help here

best

2013/5/6, Manuel Wolfshant <wolfy at nobugconsulting.ro>:
> On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
>>
>> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>>
>>> On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
>>>>
>>>> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
>>>>
>>>>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>>>>>
>>>>>> Last summer, I set up a network with about a dozen stationary boxes
>>>>>> and 15-20 moveable users.  All users are authenticating via FreeIPA,
>>>>>> and have their home directories NFS-mounted from a central file server.
>>>>>> [...] The problem is that, as some users create files, they are being
>>>>>> created with context:
>>>>>>
>>>>>> "system_u:object_r:user_home_t:s0"
>>>>>>
>>>>>> rather than:
>>>>>>
>>>>>> "unconfined_u:object_r:user_home_t:s0"
>>>>>>
>>>>>> If I run "restorecon -FR /srv", then the files are re-labelled to the
>>>>>> "unconfined_u".
>>>>>>
>>>>>> I don't know how frequently files are created with the wrong context.
>>>>>>
>>>>>> Any ideas as to what is happening?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>> Dan wrote a great blog
>>>>>
>>>>> http://danwalsh.livejournal.com/63586.html
>>>>>
>>>>> where you can find answers. Basically "unconfined_u" tells you that
>>>>> files have been created by a process running with "unconfined_u:*:*:*"
>>>>> context.
>>>>
>>>> [...]
>>>>
>>> SELinux does not enforce on User component in any policy we ship so
>>> this is not a problem, but you do point out an inconsistency.
>>
>> Dan, it must have created at least a wrinkle, because I did not notice
>> the labelling problem until a user complained about not being able to
>> use one of her files.  Running "restorecon -FR /srv" fixed the problem
>> for her.
>>
>>> We should bring this up for discussion on the mail list, but I guess
>>> until we get labeling NFS we can not do anything about it.  The server
>>> does not know what the label of the client process is running with.
>>
>> The server does the right thing some of the time.  In the same home
>> directory, I'll see some files with "unconfined_u" and others with
>> "system_u".
>>
>> I suppose until y'all figure this out, I'll set up a cron job to run
>> "restorecon -FR /srv" on the file server every night.
> As an alternative workaround you could rely on inotify to trigger a
> relabel each time a file is created
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Sent from my mobile device
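The two workarounds discussed above (a nightly "restorecon -FR /srv" versus an inotify-triggered relabel) combined into one script, as an added example that is not code from any of the posters. It assumes GNU find, inotify-tools (inotifywait) and policycoreutils (restorecon) are installed, and that /srv and "unconfined_u" are the exported tree and expected SELinux user; both are overridable.

```shell
#!/bin/sh
# Added example: audit and relabel NFS-exported home files whose SELinux
# user component came out as "system_u" instead of "unconfined_u".
# WATCH_DIR and EXPECTED_USER are assumptions taken from the thread.

WATCH_DIR="${WATCH_DIR:-/srv}"
EXPECTED_USER="${EXPECTED_USER:-unconfined_u}"

# Return the user component of a context such as
# "system_u:object_r:user_home_t:s0" (here: "system_u").
context_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Read lines of the form "<context> <path>" (the shape produced by
# find -printf '%Z %p\n') on stdin and print the paths whose user
# component is not EXPECTED_USER.
find_mislabelled() {
    while read -r ctx path; do
        [ "$(context_user "$ctx")" = "$EXPECTED_USER" ] || printf '%s\n' "$path"
    done
}

# Relabel one path. -F is required: without it restorecon only resets the
# type, leaving the user component (the part that is wrong here) untouched.
relabel() {
    restorecon -F "$1"
}

# One-off audit: list files under WATCH_DIR with an unexpected user component,
# which shows how often the problem actually occurs before relabelling.
audit() {
    find "$WATCH_DIR" -printf '%Z %p\n' | find_mislabelled
}

# Continuous mode: relabel each file as it is created or moved into the tree,
# instead of waiting for a nightly "restorecon -FR /srv".
watch_and_relabel() {
    inotifywait -m -r -q -e create -e moved_to --format '%w%f' "$WATCH_DIR" |
    while read -r path; do
        relabel "$path"
    done
}

case "${1:-}" in
    audit) audit ;;
    watch) watch_and_relabel ;;
esac
```

Run it as "script.sh audit" once to see how many files are affected, then "script.sh watch" under a service manager on the file server to keep new files labelled.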

