Re: NFS Home Directory Files Mis-Labelled

[Mike Pinkerton <pselists@xxxxxxxxxxxxxx>]

On 6 May 2013, at 02:33, Miroslav Grepl wrote:

> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
> > Last summer, I set up a network with about a dozen stationary  
> > boxes and 15-20 moveable users.  All users are authenticating via  
> > FreeIPA, and have their home directories NFS-mounted from a  
> > central file server.  Both the desktop boxes and the file server  
> > were running Fedora 16.
> >
> > +  User home directories were mounted from "/srv/exports/ 
> > <user_name>".
> >
> > +  The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
> >
> > +  The file server had "/etc/selinux/targeted/contexts/files/ 
> > file_contexts.local" with:
> >
> >     /srv   system_u:object_r:home_root_t:s0
> >
> > All was working well.
> >
> > In March, I upgraded all of the desktop boxes, as well as the file  
> > server and the FreeIPA server to Fedora 18.
> >
> > +  User home directories are still mounted from "/srv/exports/ 
> > <user_name>".
> >
> > +  The desktop boxes still have SE Linux boolean  
> > "use_nfs_home_dirs=1".
> >
> > +  The file server still has "/etc/selinux/targeted/contexts/files/ 
> > file_contexts.local" with:
> >
> >     /srv   system_u:object_r:home_root_t:s0
> >
> >
> > The problems is that, as some users create files, they are being  
> > created with context:
> >
> >     "system_u:object_r:user_home_t:s0"
> >
> > rather than:
> >
> >     "unconfined_u:object_r:user_home_t:s0"
> >
> > If I run "restorecon -FR /srv" , then the files are re-labelled to  
> > the "unconfined_u".
> >
> > I don't know how frequently files are created with the wrong context.
> >
> > Any ideas as to what is happening?
> >
> > Thanks.
> Dan wrote a great blog
>
> http://danwalsh.livejournal.com/63586.html
>
> where you can find answers. Basically "unconfined_u" tells you that  
> files have been created by a process running with  
> "unconfined_u:*:*:* context.

Miroslav, thanks for replying.

I think the "user_home_t" types are correct.  Our problem is that a  
normal user doing a normal user thing -- albeit in a NFS mounted home  
directory -- is creating files that are labelled as "system_u" rather  
than "unconfined_u", which then limits the user's subsequent ability  
to interact with the file.  If this problem existed prior to our  
upgrade to F18, we did not notice it.

From your response, I take it that some normal user processes are  
running in the wrong context, resulting in files being created with a  
"system_u" context.  Any thoughts on how to track down which  
processes are running in the wrong context, and how to fix that?

Thanks.

--
Mike

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux