On 02/15/2010 01:27 PM, Scott Salley wrote:
I'm working on a set of patches to integrate Likewise Open (Active Directory authentication for Unix/Linux/Mac) into Fedora/SELinux.
I am having trouble defining how a user's home directory should be handled.
We don't place users directly in /home as the domain user account name may conflict with an existing account. Instead, we use /home/%D/%U where %D is the domain and %U is the user account. (We may have users with the same account name in different domains.)
I want to make sure that if users are joined while SELinux is not enabled, and then SELinux is re-enabled, the files get the proper contexts.
Do you know the name of all domains?
In Fedora 12
for d in $DOMAINS; do semanage fcontext -a -e /home /home/$d; done
I don't know the names of all the domains ahead of time, but I can call semanage with those arguments as we set up a user's environment. I already tried running semanage twice with the same arguments for adding the equivalence and it correctly errors out.
I've now run into this message:
type=AVC msg=audit(1266523695.550:22225): avc: denied { relabelto } for pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681 scontext=unconfined_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1266523695.550:22225): arch=c000003e syscall=188 success=yes exit=0 a0=7fab640399f0 a1=3ea9415649 a2=7fab64027990 a3=21 items=0 ppid=2790 pid=3158 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lsassd" exe="/usr/sbin/lsassd" subj=unconfined_u:system_r:lsassd_t:s0 key=(null)
which does not go away with the addition of this rule:
allow lsassd_t home_root_t:dir relabelto;
Is there something special for 'relabelto' or 'home_root_t' that I'm not aware of? (I'm trying to create /home/DOMAIN and apply the appropriate label on /home/DOMAIN via matchpathcon/setfilecon).
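An added example (not code from the thread or from Likewise Open) for the per-domain equivalence step discussed above: it reads the current `semanage fcontext -l` listing, skips the `-a -e` call when the equivalence is already registered (instead of letting semanage error out on the second run), refuses domain names that would escape /home, and then runs `restorecon -R` so directories created while SELinux was disabled get the labels the equivalence implies. It assumes equivalences appear in the listing as lines of the form `PATH = TARGET`; verify that against your semanage version before relying on it.

```python
import re
import subprocess

# Assumed listing format: each equivalence is printed as "PATH = TARGET"
# at the end of `semanage fcontext -l` output (check your semanage version).
_EQUIV_LINE = re.compile(r'^(\S+)\s+=\s+(\S+)$')

# AD domain names: letters, digits, dot and hyphen only. This keeps a
# domain string from turning /home/%D into a path outside /home.
_DOMAIN_OK = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]*$')


def equivalence_exists(listing, path, target):
    """True if `listing` (text of `semanage fcontext -l`) already maps path to target."""
    for line in listing.splitlines():
        m = _EQUIV_LINE.match(line.strip())
        if m and m.group(1) == path and m.group(2) == target:
            return True
    return False


def plan_domain_home(domain, listing):
    """Return the argv lists needed to label /home/<domain> like /home.

    The equivalence is only added when absent, so the plan is safe to run
    repeatedly; restorecon is always included so that a tree created while
    SELinux was disabled is relabelled once SELinux is re-enabled.
    """
    if not _DOMAIN_OK.match(domain) or '..' in domain:
        raise ValueError("refusing suspicious domain name: %r" % domain)
    path = "/home/" + domain
    cmds = []
    if not equivalence_exists(listing, path, "/home"):
        cmds.append(["semanage", "fcontext", "-a", "-e", "/home", path])
    cmds.append(["restorecon", "-R", path])
    return cmds


def apply_domain_home(domain):
    """Run the plan for one domain (needs root and a policy-aware semanage)."""
    listing = subprocess.run(["semanage", "fcontext", "-l"],
                             capture_output=True, text=True, check=True).stdout
    for cmd in plan_domain_home(domain, listing):
        subprocess.run(cmd, check=True)


# Constructed sample listing, used only to exercise the planner offline.
SAMPLE_LISTING = """SELinux fcontext                type            Context
/home(/.*)?                     all files       system_u:object_r:user_home_dir_t:s0

SELinux Local fcontext Equivalence

/home/CORPQA = /home
"""

if __name__ == "__main__":
    for d in ("CORPQA", "EXAMPLE"):
        for cmd in plan_domain_home(d, SAMPLE_LISTING):
            print(" ".join(cmd))
```

Running the block as a script prints only the commands it would execute for the constructed listing; `apply_domain_home()` is the call to make from the account-setup path once a domain is joined.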
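A second added example (again not from the thread), this time for reading the AVC record quoted above. It parses the key=value fields of an AVC record and its paired SYSCALL record, derives the allow rule the denial asks for (which is exactly the `allow lsassd_t home_root_t:dir relabelto;` rule tried above), and flags two things a practitioner checks before concluding a rule "did not work": a relabel also needs relabelfrom on the directory's old type, which the AVC line does not show, and a denied AVC whose SYSCALL record says success=yes means the access was not actually blocked (permissive mode or a permissive domain), so the denial will keep being logged regardless of the rule. The sample records are the ones from the message; everything else is this example's own code.

```python
import re

# Sample input: the AVC and SYSCALL records quoted in the message above.
AVC_RECORD = (
    'type=AVC msg=audit(1266523695.550:22225): avc: denied { relabelto } '
    'for pid=3158 comm="lsassd" name="CORPQA" dev=dm-0 ino=195681 '
    'scontext=unconfined_u:system_r:lsassd_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir'
)
SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1266523695.550:22225): arch=c000003e syscall=188 '
    'success=yes exit=0 a0=7fab640399f0 a1=3ea9415649 a2=7fab64027990 a3=21 '
    'items=0 ppid=2790 pid=3158 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lsassd" exe="/usr/sbin/lsassd" '
    'subj=unconfined_u:system_r:lsassd_t:s0 key=(null)'
)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DECISION = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_EVENT = re.compile(r'audit\(([^)]*)\)')


def parse_record(line):
    """Turn one audit record into a dict; AVC records also get decision/perms."""
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _DECISION.search(line)
    if m:
        rec["decision"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def event_id(rec):
    """The 'timestamp:serial' that ties an AVC record to its SYSCALL record."""
    return _EVENT.search(rec["msg"]).group(1)


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """The allow rule this denial asks for (what audit2allow would print)."""
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], perm)


def companion_checks(avc):
    """Permissions a relabel needs that this record cannot show.

    relabelto is checked against the NEW type (the tcontext here);
    relabelfrom is checked against the OLD type of the object, which only a
    separate AVC record (or ls -Z on the object) reveals.
    """
    if "relabelto" in avc["perms"]:
        return ["relabelfrom on the directory's current type (not in this record)"]
    return []


def was_blocked(avc, syscall):
    """False when the denial was only logged: success=yes on the paired
    SYSCALL record means permissive mode or a permissive domain."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different events")
    return avc.get("decision") == "denied" and syscall.get("success") != "yes"


if __name__ == "__main__":
    avc, sc = parse_record(AVC_RECORD), parse_record(SYSCALL_RECORD)
    print(allow_rule(avc))
    print("syscall", sc["syscall"], "(188 on x86_64 is setxattr) blocked:",
          was_blocked(avc, sc))
    for note in companion_checks(avc):
        print("also needed:", note)
```

For the records above the script reports the denial was not blocked, which is worth checking before iterating on policy rules: with lsassd_t running permissive, the AVC message is expected to persist until the rule is in the loaded module and the domain is enforcing.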