Dan,

These users do not login to the system and their shells are already set to /sbin/nologin.

Thanks,
Radha.

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
Sent: Friday, October 15, 2010 12:18 PM
To: Radha Venkatesh (radvenka)
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: Addition of selinux users causes "Multiple same specifications" warnings during startup

On 10/15/2010 03:11 PM, Radha Venkatesh (radvenka) wrote:
> Yes, for security reasons, /dev/null is being used as the homedir for
> users in our product.
>
> Thanks,
> Radha.
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: Friday, October 15, 2010 12:02 PM
> To: Radha Venkatesh (radvenka)
> Cc: fedora-selinux-list@xxxxxxxxxx
> Subject: Re: Addition of selinux users causes "Multiple same
> specifications" warnings during startup
>
> On 10/15/2010 02:33 PM, Radha Venkatesh (radvenka) wrote:
>> I have created SELinux users using "semanage user" and tied the
>> SELinux users to Linux users using "semanage login". I find that on
>> startup, there are several warnings thrown for "Multiple same
>> specifications".
>> Below is an example
>>
>> /etc/selinux/strict/contexts/files/file_contexts: Multiple same
>> specifications for /dev/null/\.screenrc
>>
>> I then checked and found that file_contexts has
>>
>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>> file_contexts.homedirs:/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
>> file_contexts.homedirs:/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
>>
>> Looks like there is an entry for every Linux user I tied to the
>> SELinux user.
>>
>> I am using
>>
>> libselinux-1.33.4-5.5.el5
>> libsemanage-1.9.1-4.4.el5
>> policycoreutils-1.33.12-14.8.el5
>> libsepol-1.15.2-3.el5
>>
>> and do not have an option to move to later releases.
>>
>> Is there a way for me to get rid of these warnings or suppress them,
>> without changing the source code provided by Red Hat?
>>
>> Thanks,
>> Radha.
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> This looks like /dev/null is defined as a homedir?

genhomedircon is looking at homedirs of what it considers real users, and generating file context based on this. This is going to cause a problem if all the users have the same homedir /dev/null, which is what you are seeing. I don't think in RHEL5 there is a way to stop genhomedircon from being run. usepasswd=FALSE in /etc/selinux/semanage.conf does this in RHEL6.

Do these users actually login to the system? If not, changing their shell to /bin/false or /sbin/nologin will stop genhomedircon from adding homedir entries.
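
An added example, not part of the thread above and not Red Hat's tooling: a small check that lists which specifications in a file_contexts-style file are repeated, and whether the repeated copies carry the same context or different ones. The function names `sample_homedirs` and `dup_specs` are hypothetical; the sample input is constructed from the six `.screenrc` lines quoted in the thread plus three made-up lines.

```shell
# Added example: report repeated specifications in a file_contexts-style file.
# Assumed line format: <path-regex> [<file-type>] <context>

# Constructed sample. The .screenrc lines are the six quoted in the thread;
# the .example and /home lines are made up for illustration.
sample_homedirs() {
cat <<'EOF'
/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.example(/.*)? ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/\.example(/.*)? ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/home/[^/]+/\.screenrc -- user_u:object_r:user_screen_ro_home_t:s0
EOF
}

# dup_specs FILE
# Prints one tab-separated line per repeated specification:
#   <regex + type>  <occurrences>  <DUPLICATE|CONFLICT>  <distinct contexts>
# DUPLICATE: every copy carries the same context.
# CONFLICT:  the copies disagree about the context.
dup_specs() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        {
            if (NF >= 3) key = $1 " " $2        # regex plus file-type field
            else         key = $1 " (any)"      # no file-type field given
            count[key]++
            if (!seen[key SUBSEP $NF]++) {      # first time for this context
                ctxs[key] = ctxs[key] (nctx[key]++ ? "," : "") $NF
            }
        }
        END {
            for (k in count) if (count[k] > 1)
                printf "%s\t%d\t%s\t%s\n", k, count[k],
                       (nctx[k] > 1 ? "CONFLICT" : "DUPLICATE"), ctxs[k]
        }
    ' "$1" | sort
}

tmp=$(mktemp)                # demo run on the constructed sample
sample_homedirs > "$tmp"
dup_specs "$tmp"
rm -f "$tmp"
```

On a real system the argument would be the file_contexts.homedirs file under the policy's contexts/files directory shown in the warning.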