Restorecond perhaps can help here best.

2013/5/6, Manuel Wolfshant <wolfy@xxxxxxxxxxxxxxxxxx>:
> On 05/06/2013 10:57 PM, Mike Pinkerton wrote:
>>
>> On 6 May 2013, at 15:25, Daniel J Walsh wrote:
>>
>>> On 05/06/2013 03:02 PM, Mike Pinkerton wrote:
>>>>
>>>> On 6 May 2013, at 02:33, Miroslav Grepl wrote:
>>>>
>>>>> On 04/20/2013 01:40 AM, Mike Pinkerton wrote:
>>>>>>
>>>>>> Last summer, I set up a network with about a dozen stationary boxes and
>>>>>> 15-20 moveable users. All users are authenticating via FreeIPA, and
>>>>>> have their home directories NFS-mounted from a central file server.
>>>>>> [...] The problem is that, as some users create files, they are being
>>>>>> created with context:
>>>>>>
>>>>>> "system_u:object_r:user_home_t:s0"
>>>>>>
>>>>>> rather than:
>>>>>>
>>>>>> "unconfined_u:object_r:user_home_t:s0"
>>>>>>
>>>>>> If I run "restorecon -FR /srv", then the files are re-labelled to the
>>>>>> "unconfined_u".
>>>>>>
>>>>>> I don't know how frequently files are created with the wrong context.
>>>>>>
>>>>>> Any ideas as to what is happening?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>> Dan wrote a great blog
>>>>>
>>>>> http://danwalsh.livejournal.com/63586.html
>>>>>
>>>>> where you can find answers. Basically "unconfined_u" tells you that files
>>>>> have been created by a process running with "unconfined_u:*:*:*" context.
>>>>
>>>> [...]
>>>>
>>> SELinux does not enforce on the User component in any policy we ship, so
>>> this is not a problem, but you do point out an inconsistency.
>>
>> Dan, it must have created at least a wrinkle, because I did not notice
>> the labelling problem until a user complained about not being able to
>> use one of her files. Running "restorecon -FR /srv" fixed the problem
>> for her.
>>
>>> We should bring this up for discussion on the mail list, but I guess
>>> until we get labeling NFS we cannot do anything about it. The server does
>>> not know what label the client process is running with.
>>
>> The server does the right thing some of the time. In the same home
>> directory, I'll see some files with "unconfined_u" and others with
>> "system_u".
>>
>> I suppose until y'all figure this out, I'll set up a cron job to run
>> "restorecon -FR /srv" on the file server every night.
> As an alternative workaround you could rely on inotify to trigger a
> relabel each time a file is created.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Sent from my mobile device
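The inotify-triggered workaround Manuel suggests, written out as an added example (this is not code from the thread, from Fedora, or from the SELinux project). It assumes inotify-tools (inotifywait), GNU coreutils (stat -c %C prints the SELinux context) and policycoreutils (restorecon) on the file server, an export root of /srv, and that the expected SELinux user is unconfined_u; the WATCH_DIR and EXPECTED_USER variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: relabel files as they appear under
# an NFS-exported tree instead of running "restorecon -FR /srv" nightly.
# Assumptions: inotify-tools (inotifywait), GNU coreutils (stat -c %C) and
# policycoreutils (restorecon) on the file server; the export root /srv and
# the expected SELinux user "unconfined_u" are assumed as well.
set -u

EXPECTED_USER="${EXPECTED_USER:-unconfined_u}"

# SELinux user component of a context string "user:role:type[:range]".
# Only the first field is taken, so an MLS range containing ':' is safe.
context_user() {
    printf '%s\n' "${1%%:*}"
}

# Exit status 0 when the context's user differs from the expected user,
# i.e. the file came out as system_u (or anything else) and needs a reset.
needs_relabel() {
    [ "$(context_user "$1")" != "${2:-$EXPECTED_USER}" ]
}

# Reset a single path. restorecon only rewrites the type by default; -F is
# what also resets the user (and role/range), which is why the thread's
# "restorecon -FR" fixes these files and a plain restorecon would not.
relabel_if_wrong_user() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 1
    if needs_relabel "$ctx"; then
        restorecon -F "$1"
    fi
}

# Monitor the tree recursively and handle files created in or moved into it.
watch_exports() {
    inotifywait -m -r -q -e create -e moved_to --format '%w%f' "$1" |
    while IFS= read -r path; do
        relabel_if_wrong_user "$path"
    done
}

# Start watching only when a directory is given, e.g. WATCH_DIR=/srv ./relabel.sh
if [ -n "${WATCH_DIR:-}" ]; then
    watch_exports "$WATCH_DIR"
fi
```

Two things worth checking before relying on this: `stat -c %C` reports the context the server sees on its local filesystem, which is the only place the user component can be corrected anyway, and `-F` is the flag that makes restorecon touch the user field at all. The first reply's suggestion of restorecond is the packaged way to get the same effect; its watched paths are listed in /etc/selinux/restorecond.conf.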