LinuxQuestions.org
Old 02-15-2010, 02:49 PM   #1
RichyAD
LQ Newbie
 
Registered: Sep 2008
Location: Porto, Portugal
Distribution: Fedora 9-16, Linux Mint
Posts: 28

Rep: Reputation: 0
Fedora 12 SELinux context not updated when changing a user's home directory


I was setting up a Samba server and I ran into some problems with SELinux related to the context of the home directories.

I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.

I then set up the Samba server, activated samba_run_unconfined and samba_enable_home_dirs in SELinux, and made an account for UserAccount.

When testing the Samba account for UserAccount, SELinux denied read access. I checked the context and the new home directory did not appear to have been updated. I had to manually run:

restorecon -R -v /home2/UserAccount

to set the context on the new home directory.

I'm not very familiar with SELinux, so my question is this: is this normal security policy or is it a bug in the system-config-user tool? If it's normal policy, can someone explain why? I'm always ready to learn ...

Distro: Fedora 12 (kernel: 2.6.31.5-127.fc12.i686)
System: Dual Intel Xeon @ 3.2 GHz, 1 GB RAM

Last edited by RichyAD; 02-15-2010 at 02:51 PM.
 
Old 02-17-2010, 12:13 AM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Rep: Reputation: 188
Quote:
Originally Posted by RichyAD View Post
I was setting up a Samba server and I ran into some problems with SELinux related to the context of the home directories.

I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.

I then set up the Samba server, activated samba_run_unconfined and samba_enable_home_dirs in SELinux, and made an account for UserAccount.

When testing the Samba account for UserAccount, SELinux denied read access. I checked the context and the new home directory did not appear to have been updated. I had to manually run:

restorecon -R -v /home2/UserAccount

to set the context on the new home directory.

I'm not very familiar with SELinux, so my question is this: is this normal security policy or is it a bug in the system-config-user tool? If it's normal policy, can someone explain why? I'm always ready to learn ...

Distro: Fedora 12 (kernel: 2.6.31.5-127.fc12.i686)
System: Dual Intel Xeon @ 3.2 GHz, 1 GB RAM
What's the output of...

Code:
ls -lZ /home2/UserAccount
You MIGHT have to do a...
Code:
chcon -R -t samba_share_t /home2/UserAccount
 
Old 02-18-2010, 05:22 AM   #3
RichyAD
LQ Newbie
 
Registered: Sep 2008
Location: Porto, Portugal
Distribution: Fedora 9-16, Linux Mint
Posts: 28

Original Poster
Rep: Reputation: 0
Thx for the reply custangro.

I may not have been clear in my previous post, but I did already solve the access problem. The thing that I wanted to know is why I had to manually restore/update the context of the new home directory (using restorecon).

I'm not an expert so it took me a while to find out what was wrong. It seems that the system-config-user tool already sets the correct context. It simply does not update the new context automatically.

So my question is: why? Would this be a security risk? If so, why not present the user with a warning message? Or is it simply a bug in the tool that I should report?

And just to be clear:

Quote:
Originally Posted by custangro View Post
What's the output of...
Code:
ls -lZ /home2/UserAccount
After I performed the restorecon on the new home directory everything was OK. The folder now has the user_home context:

Code:
drwxr-xr-x. UserAccount UserAccount unconfined_u:object_r:user_home_t:s0 Folder
Quote:
Originally Posted by custangro View Post
You MIGHT have to do a...
Code:
chcon -R -t samba_share_t /home2/UserAccount
That was not necessary because system-config-user already added the user_home context. And since I have home directory sharing switched on in Samba and I have given it the correct permission in selinux, it works fine, after restoring/updating the context.
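
Added example, not part of any post in this thread: a small shell check over `ls -lZ` output like the line quoted above, listing entries whose SELinux type differs from the expected one. The function names `audit_labels` and `sample_listing`, the sample listing, and the `default_t` entry in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag entries in `ls -lZ` output whose SELinux type is not
# the one expected for the directory (user_home_t for a home directory).

# audit_labels EXPECTED_TYPE   (reads `ls -lZ` lines on stdin)
# Prints "name actual_type" for every mismatch; exit status 1 if any found.
# The context column is located by its user:role:type shape, so both the
# older (perms user group context name) and newer ls layouts are handled.
# Limitation: the name is taken as the last field, so names with spaces
# are reported by their last word only.
audit_labels() {
    awk -v want="$1" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+(:|$)/) { ctx = $i; break }
            if (ctx == "") next        # "total N" line or unlabeled entry
            # The level may contain extra colons (s0-s0:c0.c1023); the type
            # is always the third colon-separated part.
            split(ctx, part, ":")
            if (part[3] != want) { print $NF, part[3]; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Constructed sample listing (not real output from the poster's system).
sample_listing() {
    cat <<'EOF'
total 12
drwxr-xr-x. UserAccount UserAccount unconfined_u:object_r:user_home_t:s0 Folder
drwxr-xr-x. UserAccount UserAccount unconfined_u:object_r:default_t:s0 Documents
-rw-r--r--. UserAccount UserAccount system_u:object_r:user_home_t:s0-s0:c0.c1023 notes.txt
EOF
}

# Real use would be: ls -lZ /home2/UserAccount | audit_labels user_home_t
sample_listing | audit_labels user_home_t ||
    echo "mismatched labels found; relabel with: restorecon -R -v <dir>"
```

`restorecon -n -v -R <dir>` performs a comparable check against the loaded policy without changing any labels.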
 
Old 02-18-2010, 01:23 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Quote:
Originally Posted by RichyAD View Post
I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.
If an account is created using the standard system administration utilities like {group,user}-add then the right context will be set. system-config-users is used for adding and removing users and groups to the system (as in user-add, group-add, chage and not chcon unless I'm mistaken) so changing aspects outside the scope of that kind of user management, or manually creating directories(?) (and moving files?) as root account user overrides any previously set contexts. Given the scope of those tools I'd agree a manual 'chcon' would be in order and having to perform it looks procedurally right to me.
 
Old 02-21-2010, 05:10 PM   #5
RichyAD
LQ Newbie
 
Registered: Sep 2008
Location: Porto, Portugal
Distribution: Fedora 9-16, Linux Mint
Posts: 28

Original Poster
Rep: Reputation: 0
I understand what you're saying unSpawn. But it seems to me that if the system-config-users tool allows me to make changes to a user account (not just add/remove), it should not do only half of the job and not set the correct context. But perhaps the same happens when using usermod -d [new dir] (without the -m option)? I'll check that.

Anyway, I think I'll stick with the command line tools to better understand the steps involved and prevent this type of thing from happening again.

Thanks for taking the time to reply.

Last edited by RichyAD; 02-21-2010 at 05:18 PM.
 
  

