SElinux concerning symlink?

Tim ignored_mailbox at yahoo.com.au
Thu Jul 24 03:21:22 UTC 2008


On Wed, 2008-07-23 at 21:36 +0000, Mike wrote:
> I have just done a clean f9 install on a laptop where the user areas are
> on a separate partition (/opt/Local/home) on the HD.
> 
> Having left SELinux on after the install I did my usual post-install
> change of doing as root:
> cd /
> mv home home.dist
> ln -s /opt/Local/home .
> 
> Now /home is a symlink to /opt/Local/home
> 
> I can now login as a normal user..... BUT
> 
> If I now ssh into the machine from another machine on the network
> I find that I cannot get the home directory for that user!
> 
> The message is:
> Last login: Wed Jul 23 21:32:14 2008 from bla.bla.com
> Could not chdir to home directory /home/username: Permission denied
> [username at localhost /]$
> 
> I am presuming that this is an SELinux denial... even though it
> does not say so explicitly.

Look in the audit logs to see what SELinux thinks about it
(/var/log/audit/).

> I have read that there are difficulties with symlinks in SELinux
> and I wondered if someone who has been through this could advise?

I would imagine that the SELinux contexts are wrong.  They're applied to
expected filepaths (home space contexts for the usual /home/username/
filepaths), and I imagine that they won't get applied across symlinks, as
it'd be too easy for someone to symlink non-public system stuff into the
middle of a public area, to try and access it.

> I have heard that replacing a symlink with a bind mount will make
> an improvement - 

If your homespace is mounted onto the normal Fedora location for home
spaces (/home/username), then the usual contexts will be applied
automatically, and things should just work.  If you put your homespace
elsewhere, you'd have to manually reset the contexts, and perhaps keep
on having to reset them as new files were created in your homespace.

Just a quick bit of searching around suggests that you use "bind" as the
options for the mount in the fstab file.  But I haven't verified this.

e.g.  /opt/Local/home  /home  none   bind


-- 
(This computer runs Fedora 7, my others run 4, 6 & 9, & CentOS 5, all using
Gnome in case that's important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
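A small diagnostic for the two things Tim points at (read the AVC denials under /var/log/audit/, and confirm whether /home is a symlink or a real mount point), written as an added example for this page rather than taken from the thread. The audit lines, the default_t label and the paths fed to home_layout are constructed samples, so the script runs without SELinux or root.

```shell
#!/bin/sh
# Example added to this thread, not code from the original posters.
# AVC_SAMPLE is a CONSTRUCTED audit.log excerpt: the pids, inodes and the
# default_t label are illustrative, not real captured output.
AVC_SAMPLE='type=AVC msg=audit(1216848734.123:57): avc:  denied  { search } for  pid=3121 comm="sshd" name="home" dev=sda3 ino=2 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=USER_LOGIN msg=audit(1216848734.200:58): pid=3121 uid=0 auid=500 res=success
type=AVC msg=audit(1216848735.456:59): avc:  denied  { read } for  pid=3121 comm="bash" name=".bash_profile" dev=sda3 ino=1045 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# Reduce each AVC denial to: permission command target-name target-type class.
# The target type (4th column) is what tells you the directory is mislabeled;
# a home tree should carry user_home_dir_t / user_home_t, not default_t.
avc_summary() {
    printf '%s\n' "$1" | grep '^type=AVC .*denied' |
    sed -nE 's/.*denied +\{ ([^}]*) \}.*comm="([^"]*)".*name="([^"]*)".*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\1 \2 \3 \4 \5/p'
}

# Report how a path is provided: symlink (labels follow the real path, which
# is the situation in the original post), mount point (what the bind mount in
# fstab gives you), plain directory, or missing.
home_layout() {
    p=${1:-/home}
    if [ -L "$p" ]; then
        printf 'symlink -> %s\n' "$(readlink "$p")"
    elif [ -r /proc/self/mountinfo ] &&
         awk -v p="$p" '$5 == p { found = 1 } END { exit !found }' /proc/self/mountinfo; then
        printf 'mount point\n'
    elif [ -d "$p" ]; then
        printf 'plain directory\n'
    else
        printf 'missing\n'
    fi
}

# Stand-alone run: show the denials from the constructed sample, then
# classify a constructed directory-plus-symlink pair in a temp dir.
avc_summary "$AVC_SAMPLE"
demo=$(mktemp -d) && mkdir "$demo/real" && ln -s "$demo/real" "$demo/link"
home_layout "$demo/link"
home_layout "$demo/real"
rm -rf "$demo"
```

On a live box the same idea is `avc_summary "$(grep '^type=AVC' /var/log/audit/audit.log)"` and `home_layout /home`; once /home is a mount point rather than a symlink, the stock file contexts apply and the denials should stop.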
