Hi, folks.
In our laboratory, we have an NIS / automounted NFS environment in which every NIS user gets placed under an automounted /home.
For one of our users on Fedora 20, I'm attempting to give him an auxiliary local account whose home directory is mounted under /local-home/, and I'm trying to figure out how to tell SELinux that everything under /local-home should be treated analogously to how it would be treated under /home.
Unfortunately, I've not yet figured out the magic incantation to do this.
I found /etc/selinux/targeted/contexts/files/file_contexts.homedirs, and I was able to copy that and sed it with s//home//local-home/, after which I could then do a setfiles on my copy to set the appropriate labels on his existing /local-home/username directory, but this is obviously just temporarily curing the symptom rather than fixing the policy appropriately for local accounts going forward.
I expect that there are policy editing tools that I could use to fix the policy up, for all pre-defined file contexts, but I don't know how to do that efficiently.
Nor do I know how to arrange things so that third party policy modules that might be installed later (like for Google's Chrome RPM?) would inherit the new file_context rules for /local-home appropriately.
Any hints would be extremely helpful.
Thanks,
Jon
On 03/28/2014 05:48 PM, Jonathan Abbey wrote:
> Hi, folks.
> In our laboratory, we have an NIS / automounted NFS environment in which every NIS user gets placed under an automounted /home.
> For one of our users on Fedora 20, I'm attempting to give him an auxiliary local account whose home directory is mounted under /local-home/, and I'm trying to figure out how to tell SELinux that everything under /local-home should be treated analogously to how it would be treated under /home.
> Unfortunately, I've not yet figured out the magic incantation to do this.
> I found /etc/selinux/targeted/contexts/files/file_contexts.homedirs, and I was able to copy that and sed it with s//home//local-home/, after which I could then do a setfiles on my copy to set the appropriate labels on his existing /local-home/username directory, but this is obviously just temporarily curing the symptom rather than fixing the policy appropriately for local accounts going forward.
> I expect that there are policy editing tools that I could use to fix the policy up, for all pre-defined file contexts, but I don't know how to do that efficiently.
> Nor do I know how to arrange things so that third party policy modules that might be installed later (like for Google's Chrome RPM?) would inherit the new file_context rules for /local-home appropriately.
> Any hints would be extremely helpful.
> Thanks,
> Jon
If his directory is going to be a subdir of /local-home, then just do
# semanage fcontext -a -e /home /local-home
# restorecon -R -v /local-home
If his homedir is /local-home, then you need to get creative
# semanage fcontext -a -e /home/foobar /local-home
# restorecon -R -v /local-home
Should get you the correct labels.
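An added illustration, not part of the original messages and not libselinux's own code: a simplified shell model of how an equivalence rule rewrites a path prefix before the file-context lookup, which is why /home rules from policy modules installed later also apply under /local-home. The function name resolve_equiv, the rule variables and the sample paths are constructed for this example; the "alias original" rule layout follows the line format of file_contexts.subs.

```shell
#!/bin/sh
# Added example: simplified model of SELinux file-context equivalence.
# Each rule is "<alias> <original>", the line format of file_contexts.subs.

# Constructed rule for a parent directory of homes, as recorded by:
#   semanage fcontext -a -e /home /local-home
RULES_PARENT='/local-home /home'

# Constructed rule for the case where /local-home is itself the homedir:
#   semanage fcontext -a -e /home/foobar /local-home
RULES_HOMEDIR='/local-home /home/foobar'

# resolve_equiv RULES PATH
# Print the path used for the file_contexts lookup after prefix rewriting.
# A rule applies only on a whole path component boundary, so /local-homes
# is not rewritten by a rule for /local-home. First matching rule wins.
resolve_equiv() {
    rules=$1
    path=$2
    result=$path
    while read -r src dst rest; do
        case $src in ''|'#'*) continue ;; esac   # skip blanks and comments
        case $path in
            "$src"|"$src"/*)
                result=$dst${path#"$src"}
                break ;;
        esac
    done <<EOF
$rules
EOF
    printf '%s\n' "$result"
}

# Demonstration on constructed paths.
for p in /local-home/jon/.ssh/authorized_keys /local-home /local-homes/x; do
    printf '%-40s -> %s\n' "$p" "$(resolve_equiv "$RULES_PARENT" "$p")"
done
printf '%-40s -> %s\n' /local-home/.bashrc \
    "$(resolve_equiv "$RULES_HOMEDIR" /local-home/.bashrc)"
```

On a live system, semanage fcontext -l -C lists the local customizations, including the equivalence, and matchpathcon shows the label a given path resolves to.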
On Sun, 30 Mar 2014 13:37:27 -0500, Daniel J Walsh wrote:
| If his directory is going to be a subdir of /local-home Then just do
|
| # semanage fcontext -a -e /home /local-home
| # restorecon -R -v /local-home
Ah, brilliant, that's the perfect incantation for my case, all ready-made.
Kudos for implementing that, and thanks!
Jon