SElinux concerning symlink?

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Thu Jul 24 23:13:48 UTC 2008


Stuart Sears wrote, On 07/24/2008 07:00 PM:
> Todd Denniston wrote:
> [ edited. Any context errors resulting are all mine :) ]
>> I can agree with that, but how do you convince SEL that you desire 
>> /rootlockeddown/<user>/authorized_keys  to be a valid place for sshd
>> to read? note /rootlockeddown/ is not where home directories are, it
>> is where the admin approved keys are after the admin sets in
>> sshd_config: AuthorizedKeysFile /rootlockeddown/%u/authorized_keys
> 
> you can use semanage to add extra path->context mappings to your policy
> (You could do this in a policy module too, if you need to apply the same
> settings to many systems)
> 
> something like this... (the path regex may not be perfect. It's late here)
> 
> semanage fcontext -a -f -- -t user_home_t '/rootlockeddown/[^/]*/.+'
> 
> semanage --help or man semanage might help there.
> 
> It also helps if you understand how file labels are decided when new
> files are created in (or plain cp'd into) a directory:
> 
> 1. if there is a rule in policy that describes how particular files 
> should be labelled, use that
> 
> Otherwise
> 
> 2. files (and subdirs) inherit the label of their parent directory.
> 
> so realistically, you could just ensure that you label
> /rootlockeddown/USER as user_home_dir_t.
> 
> The semanage option is (arguably) better though.
> 
> Incidentally, if you mv (or cp -a) files from one dir to another, they 
> take their original labels with them. This bites people a lot.
> 
> 
> Stuart

Thanks for the recipe.

If /rootlockeddown/ is on NFS, would the following command do part of what is 
needed? (yet more complexity, but then we do have a real world to live in :)
    setsebool -P use_nfs_home_dirs=1

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
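As an added illustration (not from this thread, and a simplified model rather than SELinux's own file_contexts matching), the Python below models the two labelling rules Stuart lists and the mv/cp caveat, using his regex and constructed sample labels for the directories:

```python
import re
from typing import Optional

# Constructed rule list in the spirit of the semanage fcontext line above:
# (regex matched against the full path, type). Assumption: the regex must
# match the whole path, as file_contexts entries do.
FCONTEXT_RULES = [
    (r"/rootlockeddown/[^/]*/.+", "user_home_t"),
]

# Constructed starting labels; /rootlockeddown has no rule, so it carries a
# generic label here, and /tmp/authorized_keys is a file someone dropped there.
SAMPLE_LABELS = {
    "/": "root_t",
    "/rootlockeddown": "default_t",
    "/tmp": "tmp_t",
    "/tmp/authorized_keys": "user_tmp_t",
}


def rule_label(path: str, rules=FCONTEXT_RULES) -> Optional[str]:
    """Rule 1: a policy path->context mapping that matches the full path."""
    for pattern, label in rules:
        if re.fullmatch(pattern, path):
            return label
    return None


class LabelModel:
    """Rule 1 if a mapping matches, otherwise rule 2: inherit the parent label."""

    def __init__(self, dir_labels):
        self.labels = dict(dir_labels)  # path -> type

    @staticmethod
    def parent(path: str) -> str:
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path: str) -> str:
        label = rule_label(path) or self.labels[self.parent(path)]
        self.labels[path] = label
        return label

    def cp(self, src: str, dst: str) -> str:
        # plain cp writes a new inode, so dst is labelled like a new file
        return self.create(dst)

    def mv(self, src: str, dst: str) -> str:
        # mv (and cp -a) keep the source label: the surprise noted above
        self.labels[dst] = self.labels.pop(src)
        return self.labels[dst]
```

Run against SAMPLE_LABELS, the user directory /rootlockeddown/alice inherits default_t (the regex only covers files beneath it), a key file created or cp'd there gets user_home_t, and a key mv'd in from /tmp keeps user_tmp_t, which is the case sshd will refuse.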