On Jul 20, 2010, at 9:23 AM, Daniel J Walsh wrote:

> On 07/20/2010 08:08 AM, Vadym Chepkov wrote:
>>
>> On Jul 19, 2010, at 9:32 AM, Daniel J Walsh wrote:
>>
>>> On 07/16/2010 12:56 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Whenever I try to modify a policy I get a warning like this:
>>>>
>>>> /usr/sbin/genhomedircon will not create a new context. This usually
>>>> indicates an incorrectly defined system account. If it is a system
>>>> account please make sure its login shell is /sbin/nologin.
>>>>
>>>> And this is true, I did create a system account with home in
>>>> /var/lib/application. But I need this account to have a real shell.
>>>> How can I make SELinux happy?
>>>>
>>>> Thank you,
>>>> Vadym Chepkov
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> Can you set the UID < 500?
>>>
>>> Which OS is causing this?
>>>
>>> In F12 and F13 you can add
>>>
>>>   usepasswd=FALSE
>>>
>>> to /etc/selinux/semanage.conf
>>>
>>> Which will tell genhomedircon to stop looking in /etc/passwd for homedirs.
>>
>> It's RHEL5, so, no such option in semanage.conf
>>
>> I have 2 userids defined this way:
>>
>>   app:x:610:610:App subsystem:/var/lib/application:/bin/bash
>>   appftp:x:611:611:App ftp subsystem:/var/lib/application/ftproot:/bin/bash
>>
>> SELinux is only unhappy about the first one.
>>
>> I will try to change the id, but it's strange it only affects one out of two.
>>
>> Thanks,
>> Vadym
>
> genhomedircon is looking for a conflict of the labeling of the parent
> directory.
>
> For app it wants to label /var/lib as home_root_t, but it sees a
> conflict in that /var/lib has a label in the file_context file of var_lib_t.
> So it complains.
>
> For /var/lib/application/ftproot it looks for /var/lib/application in
> the file_context file, and does not find the line, so it can label
> /var/lib/application as home_root_t and it is successful. I think in
> neither case you want those labels.
>
> genhomedircon identifies "Real Users" as any user with a UID > 0 and a
> shell in /etc/shells and not the shell /bin/false or /sbin/nologin.
>
>

> 500, I assume usermod fixed the problem, thank you.
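The rule Dan describes above ("real user" = UID > 0, shell listed in /etc/shells, shell not /bin/false or /sbin/nologin; the parent of the home directory becomes the home root, and a clash with an existing file_contexts line for that exact path produces the warning) is modelled below as an added example. It is not libsemanage's genhomedircon code: it is a simplified model written for this thread, and the passwd, shells and file_contexts data embedded in it are constructed (the app and appftp lines are the ones Vadym posted). The use_passwd parameter is an assumption standing in for the usepasswd=FALSE semanage.conf setting Dan mentions.

```python
"""Simplified model of the genhomedircon "real user" / home-root conflict
check described in the thread (hypothetical code, not libsemanage's own)."""
import os
import re

# Constructed sample data, not a real system. The app and appftp lines
# are the two accounts from the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/false
app:x:610:610:App subsystem:/var/lib/application:/bin/bash
appftp:x:611:611:App ftp subsystem:/var/lib/application/ftproot:/bin/bash
vadym:x:1000:1000:Vadym:/home/vadym:/bin/bash
"""
SHELLS = """\
/bin/sh
/bin/bash
/sbin/nologin
"""
FILE_CONTEXTS = """\
/var/lib(/.*)?      system_u:object_r:var_lib_t:s0
/home               -d  system_u:object_r:home_root_t:s0
/home/[^/]*         -d  system_u:object_r:user_home_dir_t:s0
"""

NOT_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin"}
# A trailing "(/.*)?" or "/.*" on a file_contexts path covers the subtree;
# strip it so the key is the directory itself.
REGEX_SUFFIX = re.compile(r"(\(/\.\*\)\?|/\.\*)$")


def parse_passwd(text):
    """Return [(name, uid, home, shell)] for each non-comment passwd line."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        users.append((name, int(uid), home, shell))
    return users


def real_users(passwd_text, shells_text):
    """Apply the rule from the thread: UID > 0, shell in /etc/shells,
    and the shell is neither /bin/false nor /sbin/nologin."""
    shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    return [
        u for u in parse_passwd(passwd_text)
        if u[1] > 0 and u[3] in shells and u[3] not in NOT_LOGIN_SHELLS
    ]


def file_context_types(fc_text):
    """Map each file_contexts path (subtree suffix stripped) to its SELinux type."""
    types = {}
    for line in fc_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        path = REGEX_SUFFIX.sub("", parts[0])
        types[path] = parts[-1].split(":")[2]
    return types


def home_root_conflicts(passwd_text, shells_text, fc_text, use_passwd=True):
    """Return {home_root: existing_type} for every home root genhomedircon
    would want to label home_root_t that already has a different label.
    use_passwd=False models usepasswd=FALSE: passwd is not consulted at all."""
    if not use_passwd:
        return {}
    known = file_context_types(fc_text)
    conflicts = {}
    for _name, _uid, home, _shell in real_users(passwd_text, shells_text):
        home_root = os.path.dirname(home.rstrip("/"))
        existing = known.get(home_root)
        if existing is not None and existing != "home_root_t":
            conflicts[home_root] = existing
    return conflicts


if __name__ == "__main__":
    for root, typ in home_root_conflicts(PASSWD, SHELLS, FILE_CONTEXTS).items():
        print(f"genhomedircon will not create a new context for {root}: "
              f"already labelled {typ} in file_contexts")
```

Running it flags only /var/lib (app's home root, already var_lib_t); appftp's home root /var/lib/application has no line of its own, so it passes, exactly the asymmetry Vadym saw. Giving app the shell /sbin/nologin, or turning off passwd scanning as usepasswd=FALSE does on F12/F13, makes the conflict disappear.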