Re: NFS Home Directory Files Mis-Labelled

[Manuel Wolfshant <wolfy@xxxxxxxxxxxxxxxxxx>]

On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>
> > On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
> > > On 6 May 2013, at 02:33, Miroslav Grepl wrote:
> > >
> > > > On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
> > > > > Last summer, I set up a network with about a dozen stationary 
> > > > > boxes and
> > > > > 15-20 moveable users.  All users are authenticating via FreeIPA, and
> > > > > have their home directories NFS-mounted from a central file server.
> > > > > [...]The problems is that, as some users create files, they are being
> > > > > created with context:
> > > > >
> > > > > "system_u:object_r:user_home_t:s0"
> > > > >
> > > > > rather than:
> > > > >
> > > > > "unconfined_u:object_r:user_home_t:s0"
> > > > >
> > > > > If I run "restorecon -FR /srv" , then the files are re-labelled to 
> > > > > the
> > > > > "unconfined_u".
> > > > >
> > > > > I don't know how frequently files are created with the wrong context.
> > > > >
> > > > > Any ideas as to what is happening?
> > > > >
> > > > > Thanks.
> > > > Dan wrote a great blog
> > > >
> > > > http://danwalsh.livejournal.com/63586.html
> > > >
> > > > where you can find answers. Basically "unconfined_u" tells you that 
> > > > files
> > > > have been created by a process running with "unconfined_u:*:*:* 
> > > > context.
> > >
> > > [...]
> > SELinux does not enforce on User component in any policy we ship so 
> > this is
> > not a problem, but you do point out an inconsistency.
>
> Dan, it must have created at least a wrinkle, because I did not notice 
> the labelling problem until a user complained about not being able to 
> use one of her files.  Running "restorecon -FR /srv" fixed the problem 
> for her.
>
> > We should bring this up for discussion on the mail list, but I guess 
> > until we
> > get labeling NFS we can not do anything about it.  The server does 
> > not know
> > what the label of the client process is running with.
>
> The server does the right thing some of the time.  In the same home 
> directory, I'll see some files with "unconfined_u" and others with 
> "system_u".
>
> I suppose until y'all figure this out, I'll set up a cron job to run 
> "restorecon -FR /srv" on the file server every night.
As an alternative workaround you could rely on  inotify to trigger a 
relabel each time a file is created
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux