Looking more closely at my SELinux settings (Fedora 29 Atomic), I found this:

----------
semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 system_u             s0:c0.c1023          *
-------------------------------------

I can't remember if I made the change, but following the Red Hat or Fedora documentation, root should be an unconfined user, right?

So I made the change this way:

-----------------------------------------------------
# semanage login -m -s unconfined_u -rs0:c0.c1023 root
# semanage login -l
...
root                 unconfined_u         s0:c0.c1023          *

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
----------------------------------------------------------

Fine. Now let's list the root directory:

--------------------------------------------
# pwd
/var/roothome
# ls -alZ
....
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0  18 May 28  2018 .bash_logout
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 193 May 28  2018 .bash_profile
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 231 May 28  2018 .bashrc
....
-------------------------------------------------

I thus wanted to change system_u to unconfined_u (do I need to do it?):

-------------------------------------------------------
# semanage fcontext -m -t admin_home_t -s unconfined_u "/var/roothome(/.*)?"
ValueError: File context for /var/roothome(/.*)? is not defined

# semanage fcontext -a -t admin_home_t -s unconfined_u "/var/roothome(/.*)?"
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
....
/var/roothome(/.*)?    unconfined_u:object_r:admin_home_t:s0    <-- sounds OK

# restorecon -R -v /var/roothome
# ls -alZ
...
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 193 May 28  2018 .bash_profile
-rw-r--r--. 1 root root system_u:object_r:admin_home_t:s0 231 May 28  2018 .bashrc
...
-----------------------------------------------------

No changes. Why?

Do I need to change to the unconfined user, and if yes, how?

Thank you for your help.