Bug 159315 - If user's home dirs are in /var/home fixfiles will label them var_t
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-01 16:52 UTC by Tomasz Ostrowski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-27 20:05:26 UTC



Description Tomasz Ostrowski 2005-06-01 16:52:35 UTC
Description of problem:
I'm using 2 partitions in my systems: / and /var. I don't want to have users'
home dirs on the / partition, so I set the default home directory parent to /var/home.

Because the ordinary user home directory definitions
    HOME_ROOT               -d      system_u:object_r:home_root_t
    HOME_DIR                -d      system_u:object_r:ROLE_home_dir_t
    HOME_DIR/.+                     system_u:object_r:ROLE_home_t
are in the top part of types.fc, they are overwritten by the following entry:
    /var(/.*)?                      system_u:object_r:var_t
and fixfiles sets them to the var_t context.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.17.30-2.96

How reproducible:
Always

Steps to Reproduce:
1. mkdir /var/home
2. useradd -D -b /var/home
3. useradd -c "Test User" test
4. fixfiles check /var/home/test

Actual results:
/sbin/restorecon reset context
/var/home/test:root:object_r:user_home_dir_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_logout:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bashrc:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_profile:root:object_r:user_home_t->system_u:object_r:var_t

Expected results:
no output from fixfiles

Additional info:
I'd suggest moving the ordinary user home directory definitions to the bottom of
types.fc.

This will also be a problem with strict policy, I think.

Comment 1 Daniel Walsh 2005-06-08 13:13:12 UTC
What does genhomedircon produce?

This is fixed in FC4, BTW.  But not sure what the outcome would be in FC3.

Does /var/home exist in /etc/selinux/targeted/contexts/files/file_contexts?

Comment 2 Tomasz Ostrowski 2005-06-08 13:50:43 UTC
genhomedircon does not produce any output and returns successfully with
/var/home/test set to root:object_r:var_t or root:object_r:user_home_dir_t

root@korweta:~# grep home /etc/selinux/targeted/contexts/files/file_contexts
# Ordinary user home directories.
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
# HOME_DIR expands to each user's home directory,
/var/home               -d      system_u:object_r:home_root_t
/var/home/[^/]+         -d      system_u:object_r:user_home_dir_t
/var/home/[^/]+/.+                      system_u:object_r:user_home_t
/var/home/\.journal             <<none>>
/var/home/lost\+found(/.*)?     system_u:object_r:lost_found_t
/var/home/[^/]+/((www)|(web)|(public_html))(/.+)?       system_u:object_r:httpd_user_content_t
/root           -d      root:object_r:user_home_dir_t
/root/.+                        root:object_r:user_home_t


Comment 3 Daniel Walsh 2005-06-08 14:35:22 UTC
Ok, could you try

1. mkdir /var/home
2. useradd -D -b /var/home
3. genhomedircon
4. restorecon -R -v /var/home
5. useradd -c "Test User" test


Comment 4 Tomasz Ostrowski 2005-06-08 15:44:40 UTC
1. mkdir /var/home
#ls -ldZ /var/home
drwxr-xr-x  root     root     system_u:object_r:var_t          /var/home/

2. useradd -D -b /var/home
useradd -D
GROUP=100
HOME=/var/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

3. genhomedircon
#ls -ldZ /var/home
drwxr-xr-x  root     root     system_u:object_r:var_t          /var/home/

4. restorecon -R -v /var/home
restorecon reset context
/var/home:system_u:object_r:var_t->system_u:object_r:home_root_t
#ls -ldZ /var/home
drwxr-xr-x  root     root     system_u:object_r:home_root_t    /var/home/

5. useradd -c "Test User" test
#ls -ldZ /var/home/test
drwx------  test     test     root:object_r:user_home_dir_t    /var/home/test/
#fixfiles check /var/home
/sbin/restorecon reset context
/var/home/test:root:object_r:user_home_dir_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_logout:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bashrc:root:object_r:user_home_t->system_u:object_r:var_t
/sbin/restorecon reset context
/var/home/test/.bash_profile:root:object_r:user_home_t->system_u:object_r:var_t
#restorecon -R -v /var/home
restorecon reset context
/var/home/test:root:object_r:user_home_dir_t->system_u:object_r:var_t
restorecon reset context
/var/home/test/.bash_logout:root:object_r:user_home_t->system_u:object_r:var_t
restorecon reset context
/var/home/test/.bashrc:root:object_r:user_home_t->system_u:object_r:var_t
restorecon reset context
/var/home/test/.bash_profile:root:object_r:user_home_t->system_u:object_r:var_t
#ls -ldZ /var/home/test
drwx------  test     test     system_u:object_r:var_t          /var/home/test/

Not good
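
The ordering problem from the description and the relabelling seen in Comment 4, modelled as an added example (not part of the bug thread and not SELinux tool code). The matching rule used here (entries without regex metacharacters take precedence, otherwise the last matching entry wins) is an assumption chosen because it agrees with the restorecon output above; the file list is constructed from the labels shown in Comment 4.

```python
import re

# Entries modelled on the file_contexts lines quoted in the thread:
# (path regex, file-type restriction or None, context).
HOME = [
    ("/var/home", "d", "system_u:object_r:home_root_t"),
    ("/var/home/[^/]+", "d", "system_u:object_r:user_home_dir_t"),
    ("/var/home/[^/]+/.+", None, "system_u:object_r:user_home_t"),
]
VAR = [("/var(/.*)?", None, "system_u:object_r:var_t")]

def has_meta(pattern):
    """True if the pattern contains an unescaped regex metacharacter."""
    return re.search(r"(?<!\\)[.^$?*+|\[({]", pattern) is not None

def lookup(entries, path, ftype):
    """Assumed rule: literal entries beat regex entries; within each
    group the LAST matching entry in file order wins."""
    # Stable sort: regex entries first, literal entries last, file order kept.
    ordered = sorted(entries, key=lambda e: not has_meta(e[0]))
    context = None
    for pattern, want, ctx in ordered:
        if want in (None, ftype) and re.fullmatch(pattern, path):
            context = ctx
    return context

def se_type(context):
    return context.split(":")[2]

def check(entries, files):
    """Like `fixfiles check`: return (path, current type, expected type)
    for each mismatch. Comparing only the type field is an assumption."""
    out = []
    for path, ftype, current in files:
        expected = lookup(entries, path, ftype)
        if expected and se_type(expected) != se_type(current):
            out.append((path, se_type(current), se_type(expected)))
    return out

# Constructed sample: labels as shown in Comment 4 right after useradd.
FILES = [
    ("/var/home", "d", "system_u:object_r:home_root_t"),
    ("/var/home/test", "d", "root:object_r:user_home_dir_t"),
    ("/var/home/test/.bashrc", "f", "root:object_r:user_home_t"),
]

if __name__ == "__main__":
    print("home entries first:", check(HOME + VAR, FILES))
    print("home entries last: ", check(VAR + HOME, FILES))
```

With the home entries listed before `/var(/.*)?`, the user's directory and dotfiles are flagged for relabelling to `var_t` while `/var/home` itself keeps `home_root_t`; with the home entries listed last, nothing is flagged.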


Comment 5 Daniel Walsh 2005-09-27 20:05:26 UTC
Fixed in FC4.  We redesigned the way homedirs are handled.

