On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
>
> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
>
>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>>
>>> Last summer, I set up a network with about a dozen stationary boxes and
>>> 15-20 movable users. All users are authenticating via FreeIPA, and
>>> have their home directories NFS-mounted from a central file server.
>>> Both the desktop boxes and the file server were running Fedora 16.
>>>
>>> + User home directories were mounted from "/srv/exports/<user_name>".
>>>
>>> + The desktop boxes had SE Linux boolean "use_nfs_home_dirs=1".
>>>
>>> + The file server had
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>>
>>> /srv system_u:object_r:home_root_t:s0
>>>
>>> All was working well.
>>>
>>> In March, I upgraded all of the desktop boxes, as well as the file
>>> server and the FreeIPA server, to Fedora 18.
>>>
>>> + User home directories are still mounted from
>>> "/srv/exports/<user_name>".
>>>
>>> + The desktop boxes still have SE Linux boolean
>>> "use_nfs_home_dirs=1".
>>>
>>> + The file server still has
>>> "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
>>>
>>> /srv system_u:object_r:home_root_t:s0
>>>
>>> The problem is that, as some users create files, they are being
>>> created with context:
>>>
>>> "system_u:object_r:user_home_t:s0"
>>>
>>> rather than:
>>>
>>> "unconfined_u:object_r:user_home_t:s0"
>>>
>>> If I run "restorecon -FR /srv", then the files are re-labelled to
>>> "unconfined_u".
>>>
>>> I don't know how frequently files are created with the wrong context.
>>>
>>> Any ideas as to what is happening?
>>>
>>> Thanks.
>>>
>> Dan wrote a great blog
>>
>> http://danwalsh.livejournal.com/63586.html
>>
>> where you can find answers. Basically "unconfined_u" tells you that files
>> have been created by a process running with an "unconfined_u:*:*:*" context.
>
> Miroslav, thanks for replying.
>
> I think the "user_home_t" types are correct. Our problem is that a normal
> user doing a normal user thing -- albeit in an NFS-mounted home directory --
> is creating files that are labelled as "system_u" rather than
> "unconfined_u", which then limits the user's subsequent ability to interact
> with the file. If this problem existed prior to our upgrade to F18, we did
> not notice it.
>
> From your response, I take it that some normal user processes are running
> in the wrong context, resulting in files being created with a "system_u"
> context. Any thoughts on how to track down which processes are running in
> the wrong context, and how to fix that?
>
> Thanks.
>
SELinux does not enforce on the User component in any policy we ship, so this is not a problem, but you do point out an inconsistency. We should bring this up for discussion on the mail list, but I guess until we get labeled NFS we can not do anything about it. The server does not know what label the client process is running with.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
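The thread above turns on the difference between the user component and the type component of an SELinux file context: targeted policy enforces on the type (`user_home_t`), while a `system_u` versus `unconfined_u` user field on an NFS-exported home tree is an inconsistency worth spotting rather than a denial. The following script is an added example, not code from the thread or from the Fedora SELinux project; it parses `ls -Z`-style "<context> <path>" lines and reports files of a given type whose user component differs from the expected one. The sample lines, paths and file names in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: audit "ls -Z"
# output for files whose SELinux user component differs from the one
# expected for a given type (the thread's case: user_home_t files showing
# system_u instead of unconfined_u on an NFS-exported home tree).

# Read "<context> <path>" lines on stdin and print "<path> <user> <type>"
# for entries of type $2 whose user component is not $1.
# Assumed context format: user:role:type:level. The level may itself
# contain ':' (e.g. s0-s0:c0.c1023), so only the first three fields are
# used. The path is everything after the context, so spaces in it survive.
find_user_mismatch() {
    awk -v want_user="$1" -v want_type="$2" '
        NF >= 2 {
            ctx = $1
            path = substr($0, length(ctx) + 2)
            n = split(ctx, f, ":")
            if (n < 3) next                      # not a context line, skip
            if (f[3] == want_type && f[1] != want_user)
                print path, f[1], f[3]
        }'
}

# Constructed sample in the shape "ls -Z" prints (context, then path).
# The /srv entry carries system_u on purpose: that is its correct label
# from file_contexts.local, and its type is home_root_t, not user_home_t,
# so the audit must leave it alone.
SAMPLE_LS_Z='unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/notes.txt
system_u:object_r:user_home_t:s0 /srv/exports/alice/report.odt
system_u:object_r:home_root_t:s0 /srv
unconfined_u:object_r:user_home_t:s0 /srv/exports/bob/.bashrc'

# Run the audit over the sample: expect unconfined_u on user_home_t files.
sample_mismatches() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_user_mismatch unconfined_u user_home_t
}

# Number of mismatching files; 0 means the tree is consistent.
sample_mismatch_count() {
    sample_mismatches | wc -l | tr -d ' '
}

sample_mismatches
```

On a real server the input would come from something like `ls -Z -R /srv/exports` piped into `find_user_mismatch unconfined_u user_home_t`. The remedy the thread already uses, `restorecon -FR /srv`, is the right one for the user field specifically: without `-F`, restorecon resets only the type and leaves the user component as it is, so the `-F` is what turns `system_u` back into the user recorded in the file contexts.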