On Thu, 2013-10-17 at 12:25 +0200, Juan Orti Alcaine wrote:
> Hello,
>
> I'm creating a package for bitcoin, and I must have messed up the file
> contexts, because the directory /var/lib/bitcoin is always labeled as
> 'user_home_dir_t'.

There's a function in libsemanage that creates user home dir contexts per (real) user. This function gets called by semanage/semodule when something gets committed.

E.g. when you run semodule or semanage, what it does is try to determine the real users on the system and their home dirs. Basically, if the uid is >= 1000 and a valid login shell is set for the user, then the genhomedircon function labels the dir that is specified as home dir with user home dir contexts.

So if you have a system user (not a real user) and you assign it a uid >= 1000 and give it a login shell, then genhomedircon says: ok, this is a real user, and so the dir that is specified as user home dir for this user must have file contexts accordingly.

The fix would probably be to change the user's uid/login shell. Alternatively, I believe libsemanage now supports an option ignoredirs, which can be located in /etc/selinux/semanage.conf. If you specify, for example, ignoredirs=/var/lib/bitcoin;/some/other/dir, then semanage_genhomedircon will ignore creating file contexts for those dirs (I believe). This ignoredirs option is reasonably new (it's not in RHEL6, I believe) and it should probably preferably not be used; instead change the uid/login shell and then genhomedircon will not try to generate homedir contexts for this user.

I think a uid of 988 is still considered a real user id (I think real users are 1000+, see /etc/login.defs).

> Previously, I had a regular user 'bitcoin' with a homedir in
> /home/bitcoin, but I removed it and its homedir some days ago. Now it's
> a system user:
>
> # grep bitcoin /etc/passwd
> bitcoin:x:988:983:Bitcoin wallet server:/var/lib/bitcoin:/sbin/nologin
> # grep bitcoin /etc/group
> bitcoin:x:983:
>
> bitcoin.fc:
> /var/lib/bitcoin(/.*)?    gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
>
> # ls -laZ /var/lib/bitcoin/
> drwxr-x---. bitcoin bitcoin user_u:object_r:user_home_dir_t:s0 .
> drwxr-xr-x. root    root    system_u:object_r:var_lib_t:s0 ..
>
> # chcon -u system_u -r object_r -t bitcoin_var_lib_t /var/lib/bitcoin/
>
> # restorecon -F -r -v /var/lib/bitcoin
> restorecon reset /var/lib/bitcoin context system_u:object_r:bitcoin_var_lib_t:s0->user_u:object_r:user_home_dir_t:s0
>
> # semanage fcontext -l | grep bitcoin
> /etc/bitcoin(/.*)?      all files      system_u:object_r:bitcoin_conf_t:s0
> /usr/bin/bitcoind       regular file   system_u:object_r:bitcoin_exec_t:s0
> /var/lib/bitcoin(/.*)?  all files      system_u:object_r:bitcoin_var_lib_t:s0
>
> How are the homedirs contexts managed? I can't figure a way to get it
> labeled correctly. Any hint?
>
> Thank you.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
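The reply above describes the heuristic genhomedircon applies (uid at or above UID_MIN from /etc/login.defs plus a valid login shell) and the ignoredirs workaround in semanage.conf. The following script is an added example, not code from the thread or from libsemanage: it emulates that test over constructed passwd, login.defs and shells data so you can predict which home directories will be relabelled as user_home_dir_t on the next semodule/semanage commit, and it builds the ignoredirs line. The exact rules are an assumption taken from the reply (the "valid login shell" check here means "listed in /etc/shells"); check the libsemanage genhomedircon source for the authoritative logic.

```shell
#!/bin/sh
# Added example: predict which passwd entries genhomedircon would treat as real
# users (and so whose home dirs get user_home_dir_t). The rules are assumed from
# the mailing-list reply: uid >= UID_MIN (from login.defs) and a login shell.

# Constructed sample data standing in for /etc/passwd, /etc/login.defs, /etc/shells.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bitcoin:x:988:983:Bitcoin wallet server:/var/lib/bitcoin:/sbin/nologin
svc:x:1001:1001:Service account with a shell:/var/lib/svc:/bin/bash
juan:x:1000:1000:Juan:/home/juan:/bin/bash
old:x:1002:1002:Old user:/home/old:/sbin/nologin'
SAMPLE_LOGIN_DEFS='# constructed excerpt of /etc/login.defs
UID_MIN 1000
UID_MAX 60000'
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# uid_min LOGIN_DEFS_TEXT: print UID_MIN, defaulting to 1000 if the key is absent.
uid_min() {
    v=$(printf '%s\n' "$1" | awk '$1=="UID_MIN"{print $2; exit}')
    printf '%s\n' "${v:-1000}"
}

# is_login_shell SHELL SHELLS_TEXT: true if SHELL appears verbatim in the shells list.
is_login_shell() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# classify_passwd_line NAME:x:UID:GID:GECOS:HOME:SHELL
# Prints "homedir" if genhomedircon would label HOME with home dir contexts,
# "system" otherwise (the case the bitcoin package wants).
classify_passwd_line() {
    line=$1
    uid=$(printf '%s' "$line" | cut -d: -f3)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    min=$(uid_min "$SAMPLE_LOGIN_DEFS")
    if [ "$uid" -ge "$min" ] && is_login_shell "$shell" "$SAMPLE_SHELLS"; then
        echo homedir
    else
        echo system
    fi
}

# list_homedir_users: print "NAME HOME" for each entry that would get homedir contexts.
list_homedir_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        if [ "$(classify_passwd_line "$line")" = homedir ]; then
            printf '%s %s\n' "$(printf '%s' "$line" | cut -d: -f1)" \
                             "$(printf '%s' "$line" | cut -d: -f6)"
        fi
    done
}

# ignoredirs_line DIR...: build the /etc/selinux/semanage.conf line that tells
# genhomedircon to skip those directories (semicolon separated, as in the reply).
ignoredirs_line() {
    ( IFS=';'; printf 'ignoredirs=%s\n' "$*" )
}

# Usage: show which dirs are at risk, then the workaround line.
echo "Entries genhomedircon would treat as real users:"
list_homedir_users
echo "Workaround line for semanage.conf (prefer fixing uid/shell instead):"
ignoredirs_line /var/lib/bitcoin /some/other/dir
```

Note that `svc` is flagged even though it is a service account: a uid at or above UID_MIN combined with a real shell is exactly the pattern the reply warns about, while `bitcoin` (uid 988, /sbin/nologin) is classified as a system user. Prefer fixing the account's uid or shell over the ignoredirs line, as the reply recommends.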