Re: SElinux concerning symlink?

Stuart Sears wrote, On 07/24/2008 07:00 PM:
Todd Denniston wrote:
[ edited. Any context errors resulting are all mine :) ]
I can agree with that, but how do you convince SEL that you desire /rootlockeddown/<user>/authorized_keys to be a valid place for sshd
to read? Note: /rootlockeddown/ is not where home directories are; it
is where the admin-approved keys are after the admin sets in
sshd_config: AuthorizedKeysFile /rootlockeddown/%u/authorized_keys

you can use semanage to add extra path->context mappings to your policy
(You could do this in a policy module too, if you need to apply the same
settings to many systems)

something like this... (the path regex may not be perfect. It's late here)

semanage fcontext -a -f -- -t user_home_t '/rootlockeddown/[^/]*/.+'

semanage --help or man semanage might help there.

It also helps if you understand how file labels are decided when new files are created in (or plain cp'd into) a directory:

1. if there is a rule in policy that describes how particular files should be labelled, use that

Otherwise

2. files (and subdirs) inherit the label of their parent directory.

So realistically, you could just ensure that you label
/rootlockeddown/USER as user_home_dir_t.

The semanage option is (arguably) better though.

Incidentally, if you mv (or cp -a) files from one dir to another, they take their original labels with them. This bites people a lot.


Stuart

Thanks for the recipe.

If /rootlockeddown/ is on NFS, would the following command do part of what is needed? (Yet more complexity, but then we do have a real world to live in. :)
   setsebool -P use_nfs_home_dirs=1

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
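The recipe above, as an added example that is not code from either poster: a small shell script that keeps the file regex exactly as posted, adds a second mapping (my assumption, following the "label /rootlockeddown/USER as user_home_dir_t" remark) for the per-user directory itself, and only talks to semanage/restorecon when they are installed. The `label_for` function emulates how libselinux matches file_contexts regexes against the whole path, so you can sanity-check the regex before touching policy. The user name `todd`, the `-m` fallback for an already-defined mapping, and the `nfs` subcommand (running the boolean Todd asks about, without claiming it is sufficient) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Map /rootlockeddown/<user>/... for sshd
# via semanage fcontext, relabel, and verify. Names below are hypothetical.

ROOT=/rootlockeddown
# FILE_PAT is the regex posted in the thread. DIR_PAT is an assumption so the
# per-user directory itself gets user_home_dir_t (the posted regex does not
# match it, because it requires at least one path component after the user).
FILE_PAT="$ROOT/[^/]*/.+"
DIR_PAT="$ROOT/[^/]+"

# file_contexts regexes are matched against the whole path (libselinux anchors
# them with ^ and $), so emulate that here.  Usage: path_matches PATTERN PATH
path_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Print the type the two mappings would assign to PATH, or "none".
label_for() {
    if path_matches "$FILE_PAT" "$1"; then
        echo user_home_t
    elif path_matches "$DIR_PAT" "$1"; then
        echo user_home_dir_t
    else
        echo none
    fi
}

# Report the expected label of each path given; return 1 if any gets none.
check_paths() {
    rc=0
    for p in "$@"; do
        l=$(label_for "$p")
        echo "$p -> $l"
        [ "$l" != none ] || rc=1
    done
    return $rc
}

# Add the mappings to the local policy and relabel the tree.  When semanage is
# not installed (e.g. a non-SELinux box), only show what would be run.
apply_mapping() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found; would run:" >&2
        echo "  semanage fcontext -a -t user_home_dir_t '$DIR_PAT'" >&2
        echo "  semanage fcontext -a -t user_home_t '$FILE_PAT'" >&2
        echo "  restorecon -Rv $ROOT" >&2
        return 0
    fi
    # -a fails if the pattern already exists; fall back to -m (modify).
    semanage fcontext -a -t user_home_dir_t "$DIR_PAT" \
        || semanage fcontext -m -t user_home_dir_t "$DIR_PAT"
    semanage fcontext -a -t user_home_t "$FILE_PAT" \
        || semanage fcontext -m -t user_home_t "$FILE_PAT"
    # Files that were mv'd or cp -a'd in still carry their old label until
    # restorecon rewrites it from the (now extended) file_contexts.
    restorecon -Rv "$ROOT"
    # matchpathcon shows what policy says; ls -Z shows what is actually on disk.
    matchpathcon "$ROOT/todd/authorized_keys"
    ls -Z "$ROOT"/*/authorized_keys
}

case "${1:-}" in
    apply) apply_mapping ;;
    nfs)   setsebool -P use_nfs_home_dirs on ;;   # boolean the post asks about
    *)     check_paths "$ROOT/todd/authorized_keys" "$ROOT/todd" ;;
esac
```

Run it with no arguments to see which label each path would get, `apply` on the SELinux host to install the mappings and relabel, and `nfs` only if the tree really is NFS-mounted. After `apply`, compare the `matchpathcon` and `ls -Z` output: if they differ, something was moved in after the relabel and `restorecon -Rv` needs to run again.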

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list