SELinux concerning /home symlink?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have had a thread running on Fedora list about a specific SELinux issue
I have hit with F9.

The history is that I did a clean install on a machine that was previously
running F8, keeping /opt as an untouched partition and installed F9,
leaving the SELinux enforcing on.

On that /opt partition I keep the user area as /opt/Local/home, and 
as previously after the install I do
cd /
mv home home.dist
ln -s /opt/Local/home .

This then previously set my home areas to the way they were - 

On the machine in question this worked fine initially until I tried
to ssh in to the machine from another in my local LAN.

I was only able to login but could not change directory to the user home
directory.

There was a sealert message in /var/log/messages which indicated that
I should restorecon -v /opt/* which I did - 

The contexts that are relevant were previously as follows:
[mike <at> lapmike2 mike]$ ls -Zd /opt/Local/home
drwxr-xr-x  root root system_u:object_r:file_t:s0      /opt/Local/home
[mike <at> lapmike2 mike]$ ls -Zd /home
lrwxrwxrwx  root root unconfined_u:object_r:root_t:s0  /home -> /opt/Local/home
[mike <at> lapmike2 mike]$ ls -Zd /home/mike
drwx------  mike mike system_u:object_r:user_home_dir_t:s0 /home/mike
[mike <at> lapmike2 mike]$ ls -Zd /opt/Local/home/mike
drwx------  mike mike system_u:object_r:user_home_dir_t:s0 /opt/Local/home/mike
[mike <at> lapmike2 mike]$ ls -Zd /home/mike/.bash_profile
-rw-r--r--  mike mike system_u:object_r:user_home_t:s0 /home/mike/.bash_profile

I noticed that my /opt/Local/home has a type file_t whereas
a posting in fedora list indicated it should be home_root_t 

I ran restorecon -v /opt/*
The context for /opt/Local/home then had a type usr_t
So I did
chcon -t home_root_t 

At this point I could login to the machine using ssh as user mike.
However I could not use passwordless ssh login even though I did have
the previously working ~/.ssh directory.

The sealert message suggested that the context of the authorized_keys2 file
was wrong and I should run 
restorecon -v /opt/Local/home/mike/.ssh/authorized_keys2
After doing this the context seemed the same as before and ssh remains
only with a password for access and no passwordless login was possible.

I found that another user reported a similar issue:
http://www.mjmwired.net/linux/2008/06/16/
selinux-preventing-ssh-passwordless-login/
(This url should be on a single line)

So how do I proceed?
Is the problem caused by the fact that the home area is symlinked from
/home to /opt/Local/home ?

I have seen some suggestion in a blog elsewhere that symlinks are 
problematic in SELinux?  Maybe I need to create a directory /home 
and then bind mount /opt/Local/home onto it?

Any advice would be appreciated as I am very new to SELinux, but would
like to make it work rather than switching it off as I have done up to now.

Thanks
Mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux