SELinux, NIS, NFS, and /home, trouble with Fedora 18 converting user_home_dir_t to default_t

Roland Roberts roland at astrofoto.org
Mon May 27 23:01:03 UTC 2013


I'm trying to clean up selinux contexts and having trouble. The system 
is a new install of Fedora 18, but the home directories have been 
preserved for a long time. Because the system runs boot on raid-1, it 
was installed as Fedora 17 and then I used fedup to move to Fedora 18.

My home directories are automounted via NFS and an NIS map. I mount them 
on the clients with an explicit context:

270 roland> ypcat auto.home
-rw,soft,intr,tcp,context="system_u:object_r:user_home_t:s0" archos.rlent.pnet:/data/home/&

However, my troubles right now are confined to the server.

The real home directory is /data/home so /data/home/roland is mounted on 
/home/roland. All clients see the same mount point, even the server 
remounts this way.

Most of the selinux context information is wrong, probably because some 
of these files have been hanging around roughly since RedHat 3.0.3. Yes, 
really, although the content has surely changed (e.g., .bashrc).

To get started, I've done this:

semanage fcontext -a -t home_root_t /data/home
semanage fcontext -a -t user_home_dir_t '/data/home/(.*)'
semanage fcontext -a -t lost_found_t /data/home/lost+found
restorecon -v -R /data/home

That gave the surprising result of doing absolutely nothing. So I 
brute-forced it and did:

semanage fcontext -a -t home_root_t /data/home
semanage fcontext -a -t lost_found_t /data/home/lost+found
# $LIST holds the user directory names under /data/home (its value is not shown in the post)
for D in $LIST; do semanage fcontext -a -t user_home_dir_t /data/home/$D; done
restorecon -v -R /data/home

The above did not work for the lost+found directory. I haven't figured 
out why. I tried deleting all the contexts I had set and starting over 
and I tried setting the context just on lost+found repeatedly to no 
avail. lost+found remains default_t.

Next, I log in via ssh to my user account. Since I have X forwarding 
turned on, this results in an .Xauthority file being created. If I run 
(as root, from another window) restorecon, I get this

[root at archos ~]# cd /data/home/roland
[root at archos roland]# restorecon -v -R /data/home/roland
restorecon reset /data/home/roland/.Xauthority context unconfined_u:object_r:xauth_home_t:s0->unconfined_u:object_r:default_t:s0

So the file was created with the correct context, but it gets zapped 
with restorecon. I can create a new file via touch and it gets created 
with the correct context

268 roland> ls -Z foo
-rw-rw-r--. roland roland unconfined_u:object_r:user_home_t:s0 foo
269 roland> ls -Zad .
drwxr-xr-x. roland roland system_u:object_r:user_home_dir_t:s0 .

But again, if I run restorecon, it gets converted to default_t.

I realize the whole NIS/NFS thing makes this problematic on the clients, 
but all of the above is on the server. I was hoping to get the file 
contexts fixed up, but even if I can get it to stop converting 
everything back to default_t, I haven't got a clue about all the other 
contexts I need to set (e.g., ssh_home_t for .ssh, but what else) and 
then I fear they will just get reset, too.

So, what's going on here and how do I stop it? Then after that, how do I 
go about fixing all the default_t under my home directory to be what 
they should be?

roland

-- 
		       PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD                             RL Enterprises
roland at rlenter.com                            6818 Madeline Court
roland at astrofoto.org                           Brooklyn, NY 11220
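Rather than one fcontext rule per user, the usual remedy for a relocated home tree is a file-context equivalence, which makes the stock /home rules (user_home_dir_t, ssh_home_t, xauth_home_t and the rest) apply under /data/home without listing each type. The script below is an added example, not code from the post or its author; it assumes root on the server, the policycoreutils tools (semanage, restorecon, matchpathcon), and the /data/home path named in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Declare /data/home equivalent
# to /home so the stock policy rules for /home/<user>, .ssh, .Xauthority and
# the rest apply under it. Assumes root on the server and policycoreutils
# installed (semanage, restorecon, matchpathcon).
set -eu
HOME_ROOT="/data/home"

# Type field of a context string such as unconfined_u:object_r:user_home_t:s0
# (pure shell, so it can be checked without SELinux tools present).
context_type() {
    rest="${1#*:}"; rest="${rest#*:}"
    printf '%s\n' "${rest%%:*}"
}

# Type the loaded policy (equivalences included) assigns to a path; empty if
# matchpathcon is unavailable.
policy_type() {
    context_type "$(matchpathcon -n "$1" 2>/dev/null || true)"
}

# Record the equivalence, then relabel. -F forces every label back to the
# policy default, so files restorecon already pushed to default_t are redone.
# Hand-added rules for /data/home paths from earlier attempts are no longer
# needed: 'semanage fcontext -l -C' lists them, 'semanage fcontext -d' removes.
relabel_home_root() {
    semanage fcontext -a -e /home "$HOME_ROOT"
    restorecon -RFv "$HOME_ROOT"
}

# Compare the policy's type for a path with the expected one; 1 on mismatch.
check_path() {
    got="$(policy_type "$1")"
    [ "$got" = "$2" ] && return 0
    echo "MISMATCH $1: got '${got:-none}', want $2" >&2
    return 1
}

# Spot-check what a user's home should carry once the equivalence is in place.
verify_user_home() {
    check_path "$HOME_ROOT/$1" user_home_dir_t &&
    check_path "$HOME_ROOT/$1/.ssh" ssh_home_t &&
    check_path "$HOME_ROOT/$1/.Xauthority" xauth_home_t
}

# Usage (as root): sh relabel-home.sh roland [more users...]
if [ "$#" -gt 0 ]; then
    relabel_home_root
    for u in "$@"; do verify_user_home "$u"; done
fi
```

Run it once with the user names to relabel and verify; run `verify_user_home` alone afterwards to confirm a later restorecon no longer flips labels to default_t.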