On 04/20/2009 03:36 PM, Bandan Das wrote:
On Mon, 2009-04-20 at 15:08 -0400, Daniel J Walsh wrote:
On 04/20/2009 02:54 PM, Bandan Das wrote:
Hello,
This is a RHEL 5.3 system with SELinux configured in the targeted mode.
Whenever genhomedircon is invoked, either as part of loading a new
policy module or anything else, genhomedircon will report errors going
through the NIS database :
bdas homedir /h/bdas or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually
indicates an incorrectly defined system account. If it is a system
account please make sure its login shell is /sbin/nologin.
/h is where the NIS home directory is automounted and the above message
appears for all the NIS users.
As expected, running genhomedircon manually with the "-n" switch will
not spew these messages. If I look at file_contexts, I do not find any
specified context for /h.
Any ideas ?
genhomedircon is trying to label the directory above /h "/" to be
home_root_t. It sees this directory and complains. I think the problem
here is you actually have a user /h.
I am sure I don't have a user "/h" on my local system. I also did a
"ypcat passwd" and scanned all the users to see if there is anyone with
name "h" or "\h".
What does the homedir of one of
the users look like?
Do you mean on the NIS server ?
Here is one of the entries from "ypcat passwd" :
name:x:22832:263:First Last:/h/name:/bin/tcsh
We have the ability to disable genhomedircon in Fedora 10 and beyond.
Can I somehow prevent genhomedircon from touching /h at all ? Using the
"-n" switch does make things different but I am not sure if it's going
to create any other problems.
Rich, I had found another similar bug :
https://bugzilla.redhat.com/show_bug.cgi?id=186594 but it appears to be
a different problem.
Thanks!
Bandan
genhomedircon on RHEL5 is a python script so you can edit it and have it
exit on start or ignore /h
But if we update policycoreutils, your changes would get overwritten.
I believe this works but I never tried it.
Add the following to /etc/selinux/semanage.conf and it will use the
alternate script instead of the standard:
[genhomedircon]
path = /usr/local/sbin/genhomedircon_modified
args = -t $@
[end]
[genhomedircon]
path = /usr/bin/true
args = -t $@
[end]
would cause it to always succeed and do nothing. ( I think.)