On Mon, 2009-04-20 at 15:50 -0400, Daniel J Walsh wrote:
> On 04/20/2009 03:36 PM, Bandan Das wrote:
> > On Mon, 2009-04-20 at 15:08 -0400, Daniel J Walsh wrote:
> >> On 04/20/2009 02:54 PM, Bandan Das wrote:
> >>> Hello,
> >>>
> >>> This is a RHEL 5.3 system with SELinux configured in the targeted mode.
> >>> Whenever genhomedircon is invoked, either as part of loading a new
> >>> policy module or anything else, genhomedircon will report errors going
> >>> through the NIS database :
> >>>
> >>> bdas homedir /h/bdas or its parent directory conflicts with a
> >>> defined context in /etc/selinux/targeted/contexts/files/file_contexts,
> >>> /usr/sbin/genhomedircon will not create a new context. This usually
> >>> indicates an incorrectly defined system account. If it is a system
> >>> account please make sure its login shell is /sbin/nologin.
> >>>
> >>> /h is where the NIS home directory is automounted and the above message
> >>> appears for all the NIS users.
> >>>
> >>> As expected, running genhomedircon manually with the "-n" switch will
> >>> not spew these messages. If I look at file_contexts, I do not find any
> >>> specified context for /h.
> >>>
> >>>
> >>> Any ideas ?
> >>>
> >>>
> >>>
> >> genhomedircon is trying to label the directory above /h "/" to be
> >> home_root_t. It sees this directory and complains. I think the problem
> >> here is you actually have a user /h.
> > I am sure I don't have a user "/h" on my local system. I also did a
> > "ypcat passwd" and scanned all the users to see if there is anyone with
> > name "h" or "\h".
> >
> >> What does the homedir of one of
> >> the users look like?
> > Do you mean on the NIS server ?
> > Here is one of the entries from "ypcat passwd" :
> >
> > name:x:22832:263:First Last:/h/name:/bin/tcsh
> >
> >> We have the ability to disable genhomedircon in Fedora 10 and beyond.
> >>
> > Can I somehow prevent genhomedircon from touching /h at all ? Using the
> > "-n" switch does make things different but I am not sure if it's going
> > to create any other problems.
> >
> > Rich, I had found another similar bug :
> > https://bugzilla.redhat.com/show_bug.cgi?id=186594 but it appears to be
> > a different problem.
> >
> > Thanks!
> > Bandan
> >
> genhomedircon on RHEL5 is a python script so you can edit it and have it
> exit on start or ignore /h
>
> But if we update policycoreutils, your changes would get overwritten.
>
> I believe this works but I never tried it.
>
> Add the following to /etc/selinux/semanage.conf and it will use the
> alternate script instead of the standard
>
>
> [genhomedircon]
> path = /usr/local/sbin/genhomedircon_modified
> args = -t $@
> [end]
>
>
>
>
> [genhomedircon]
> path = /usr/bin/true
> args = -t $@
> [end]
>
> would cause it to always succeed and do nothing. (I think.)
>
> --

Thanks Daniel. I just updated the original script itself. But as you
said, an update on policycoreutils will make my changes go away. So, I
will stick to using a custom script and editing semanage.conf. The other
method of using /usr/bin/true didn't work for me :(

--
BSD