Fedora 12 SELinux context not updated when changing a user's home directory
FedoraThis forum is for the discussion of the Fedora Project.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Fedora 12 SELinux context not updated when changing a user's home directory
I was setting up a Samba server and I ran into some problems with SELinux related to the context of the home directories.
I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.
I then set-up the Samba server, activated samba_run_unconfined and samba_enable_home_dirs in SELinux, and made an account for UserAccount.
When testing the Samba account for UserAccount SELinux denied read access. I checked the context and the new home directory did not appeared to have been updated. I had to manually run:
restorecon -R -v /home2/UserAccount
to set the context on the new home directory.
I'm not very familiar with SELinux, so my question is this: is this normal security policy or is a bug in the system-config-user tool? If it's normal policy can someone explain why? I'm always ready to learn ...
I was setting up a Samba server and I ran into some problems with SELinux related to the context of the home directories.
I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.
I then set-up the Samba server, activated samba_run_unconfined and samba_enable_home_dirs in SELinux, and made an account for UserAccount.
When testing the Samba account for UserAccount SELinux denied read access. I checked the context and the new home directory did not appeared to have been updated. I had to manually run:
restorecon -R -v /home2/UserAccount
to set the context on the new home directory.
I'm not very familiar with SELinux, so my question is this: is this normal security policy or is a bug in the system-config-user tool? If it's normal policy can someone explain why? I'm always ready to learn ...
I may not have been clear in my previous post, but I did already solve the access problem. The thing that I wanted to know is why I had to manually restore/update the context of the new home directory (using restorecon).
I'm not an expert so it took me a while to find out what was wrong. It seems that the system-config-user tool already sets the correct context. It simply does not update the new context automatically.
So my question is: why? Would this be a security risk? If so, why not present the user with a warning message? Or is it simply a bug in the tool that I should report?
And just to be clear:
Quote:
Originally Posted by custangro
Whats the output of...
Code:
ls -lZ /home2/UserAccount
After I performed the restorecon on the new home directory everything was OK. The folder now has the user_home context:
That was not necessary because system-config-user already added the user_home context. And since I have home directory sharing switched on in Samba and I have given it the correct permission in selinux, it works fine, after restoring/updating the context.
I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.
If an account is created using the standard system administration utilities like {group,user}-add then the right context will be set. system-config-users is used for adding and removing users and groups to the system (as in user-add, group-add, chage and not chcon unless I'm mistaken) so changing aspects outside the scope of that kind of user management, or manually creating directories(?) (and moving files?) as root account user overrides any previously set contexts. Given the scope of those tools I'd agree a manual 'chcon' would be in order and having to perform it looks procedurally right to me.
I understand what you're saying unSpawn. But it seems to me that if the system-config-users tool allows me to make changes to a user account (not just add/remove), it should not do only half of the job and not set the correct context. But perhaps the same happens when using usermod -d [new dir] (without the -m option)? I'll check that.
Any way, I think I'll stick with the command line tools to better understand the steps involved and prevent this type of things from happening again.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.