
"Andrew R. Fore" 05-18-2010 08:08 PM

Set context for NFS mounted homes
 
I am having an issue setting the context for NFS mounted homes. I have set the mode to enforcing as well as enabling the booleans for support of NFS home directories. My homes mount and my NIS users can authenticate and see them with no problem.

The issue at hand is the following report from the AVC Alert service (note: I have obscured the real hostname in this e-mail):

+++

SELinux is preventing the restorecond from using potentially mislabeled files
(arfore).

Detailed Description:

SELinux has denied restorecond access to potentially mislabeled file(s)
(arfore). This means that SELinux will not allow restorecond to use these files.
It is common for users to edit files in their home directory or tmp directories
and then move (mv) them to system directories. The problem is that the files end
up with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want restorecond to access this files, you need to relabel them using
restorecon -v 'arfore'. You might want to relabel the entire directory using
restorecon -R -v '<Unknown>'.

Additional Information:

Source Context system_u:system_r:restorecond_t
Target Context user_u:object_r:user_home_t
Target Objects arfore [ lnk_file ]
Source restorecond
Source Path /usr/sbin/restorecond
Port <Unknown>
Host xxx.xxxx.xxx
Source RPM Packages policycoreutils-1.33.12-14.8.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name xxx.xxxx.xxx
Platform Linux xxx.xxxx.xxx 2.6.18-194.3.1.el5 #1 SMP
Sun May 2 04:17:42 EDT 2010 x86_64 x86_64
Alert Count 29
First Seen Tue May 18 15:05:01 2010
Last Seen Tue May 18 15:39:31 2010
Local ID b41fdf79-19aa-4899-8f9f-6449124e61af
Line Numbers

Raw Audit Messages

host=xxx.xxxx.xxx type=AVC msg=audit(1274211571.669:196): avc: denied { read } for pid=2647 comm="restorecond" name="arfore" dev=0:19 ino=24714112 scontext=system_u:system_r:restorecond_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file

host=xxx.xxxx.xxx type=SYSCALL msg=audit(1274211571.669:196): arch=c000003e syscall=2 success=no exit=-13 a0=2b19408731e0 a1=20000 a2=0 a3=0 items=0 ppid=1 pid=2647 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)

+++

I have tried mounting the filesystem two different ways in an attempt to specify the desired context:

Manually:

mount -t nfs -o context=user_u:object_r:user_home_t SERVER_IP_HERE:/webroot/home /home

/etc/fstab

SERVER_IP_HERE:/webroot/home /home nfs context="user_u:object_r:user_home_t:s0" 0 0

In both cases the file context is displayed as desired when running "ls -laZ" on my user home directory:

-rw-r--r-- arfore cs user_u:object_r:user_home_t .bash_login

However, after logging in via SSH I receive quite a few instances of the alert I listed above.

I understand that the long-term solution would be to appropriately label each file/directory on the mounted filespace; however, at the moment this is not an option, since we are still running two production Solaris 10 webservers that mount the same content.

Thanks,
Andy Fore

------

Andrew R. Fore
Systems Services Associate
Valdosta State University
Ph.: 229-333-7315
Fax: 229-333-4349
Email: arfore@valdosta.edu

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
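Added example, not part of Andrew's post or of any Fedora tooling: a small Python triage helper that parses the raw AVC and SYSCALL audit records quoted above, joins them by audit serial, pulls the context= option out of the fstab line, and reports whether the denied object's label is the one the mount option asked for. The sample log lines and fstab line are copied from the post (with the poster's own host and SERVER_IP_HERE placeholders); everything else, including the function names, is this example's own construction.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two raw audit records quoted in the post, as
# setroubleshoot printed them (hostnames obscured by the poster).
SAMPLE_AUDIT_LOG = """\
host=xxx.xxxx.xxx type=AVC msg=audit(1274211571.669:196): avc: denied { read } for pid=2647 comm="restorecond" name="arfore" dev=0:19 ino=24714112 scontext=system_u:system_r:restorecond_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file
host=xxx.xxxx.xxx type=SYSCALL msg=audit(1274211571.669:196): arch=c000003e syscall=2 success=no exit=-13 a0=2b19408731e0 a1=20000 a2=0 a3=0 items=0 ppid=1 pid=2647 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
"""

# Constructed sample: the /etc/fstab line from the post (SERVER_IP_HERE is the
# poster's own placeholder, not a real address).
SAMPLE_FSTAB_LINE = 'SERVER_IP_HERE:/webroot/home /home nfs context="user_u:object_r:user_home_t:s0" 0 0'

# Record header: type, timestamp and serial; the serial ties AVC to SYSCALL.
_HEADER_RE = re.compile(
    r'type=(?P<type>AVC|SYSCALL) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# AVC body: result, permission set in braces, then key=value fields.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# context= option, either quoted (as in the post) or bare; quoting matters
# because MLS categories may contain commas.
_CONTEXT_OPT_RE = re.compile(r'(?:^|,)context=(?:"([^"]*)"|([^,\s]+))')


def _kv(text: str) -> Dict[str, str]:
    """Turn 'k=v k2="v 2"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(text)}


def parse_record(line: str) -> Optional[dict]:
    """Parse one AVC or SYSCALL audit record; returns None for other lines."""
    m = _HEADER_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    if rec["type"] == "AVC":
        a = _AVC_RE.match(m.group("rest"))
        if not a:
            return None
        rec["result"] = a.group("result")
        rec["perms"] = a.group("perms").split()
        rec.update(_kv(a.group("fields")))
    else:
        rec.update(_kv(m.group("rest")))
    return rec


def parse_audit_log(text: str) -> List[dict]:
    """Group AVC and SYSCALL records that share an audit serial into events."""
    events: Dict[int, dict] = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"]})
        ev[rec["type"].lower()] = rec
    return [events[s] for s in sorted(events)]


def fstab_context(fstab_line: str) -> Optional[str]:
    """Extract the context= mount option from the options field of an fstab line."""
    fields = fstab_line.split(None, 4)
    if len(fields) < 4:
        return None
    m = _CONTEXT_OPT_RE.search(fields[3])
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _type_of(context: str) -> str:
    """user_u:object_r:user_home_t:s0 -> user_home_t (the type field)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(event: dict, expected_context: Optional[str]) -> dict:
    """Describe an event the way a triager reads it: which domain, which
    object type and class, which permission, and whether the target label
    is the one the mount option requested."""
    avc = event.get("avc", {})
    sc = event.get("syscall", {})
    return {
        "source_type": _type_of(avc.get("scontext", "")),
        "target_type": _type_of(avc.get("tcontext", "")),
        "tclass": avc.get("tclass"),
        "perms": avc.get("perms", []),
        "comm": avc.get("comm"),
        "denied": avc.get("result") == "denied",
        "syscall_failed": sc.get("success") == "no",
        "target_matches_mount_context": avc.get("tcontext") == expected_context,
    }


if __name__ == "__main__":
    expected = fstab_context(SAMPLE_FSTAB_LINE)
    for ev in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(summarize(ev, expected))
```

Run against the post's records, the summary shows the mount option did take effect: tcontext equals the fstab context exactly, so the denial is restorecond_t being refused read on a user_home_t symlink rather than a mislabelled mount. That distinction is what decides whether relabelling (restorecon) can help at all, since a context= mount gives every object on the filesystem a single fixed label that restorecon cannot change.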

