On Mon, 2009-04-20 at 15:08 -0400, Daniel J Walsh wrote:
> On 04/20/2009 02:54 PM, Bandan Das wrote:
> > Hello,
> >
> > This is a RHEL 5.3 system with SELinux configured in the targeted mode.
> > Whenever genhomedircon is invoked, either as part of loading a new
> > policy module or anything else, genhomedircon will report errors going
> > through the NIS database :
> >
> > bdas homedir /h/bdas or its parent directory conflicts with a
> > defined context in /etc/selinux/targeted/contexts/files/file_contexts,
> > /usr/sbin/genhomedircon will not create a new context. This usually
> > indicates an incorrectly defined system account. If it is a system
> > account please make sure its login shell is /sbin/nologin.
> >
> > /h is where the NIS home directory is automounted and the above message
> > appears for all the NIS users.
> >
> > As expected, running genhomedircon manually with the "-n" switch will
> > not spew these messages. If I look at file_contexts, I do not find any
> > specified context for /h.
> >
> >
> > Any ideas ?
> >
> >
> >
> genhomedircon is trying to label the directory above /h "/" to be
> home_root_t. It sees this directory and complains. I think the problem
> here is you actually have a user /h.

I am sure I don't have a user "/h" on my local system. I also did a
"ypcat passwd" and scanned all the users to see if there is anyone with
name "h" or "\h".

> What does the homedir of one of
> the users look like?

Do you mean on the NIS server ? Here is one of the entries from
"ypcat passwd" :

name:x:22832:263:First Last:/h/name:/bin/tcsh

> We have the ability to disable genhomedircon in Fedora 10 and beyond.
>

Can I somehow prevent genhomedircon from touching /h at all ? Using the
"-n" switch does make things different but I am not sure if it's going to
create any other problems.

Rich, I had found another similar bug :
https://bugzilla.redhat.com/show_bug.cgi?id=186594
but it appears to be a different problem.

Thanks!
Bandan

--
BSD