Bugs, features, or misunderstandings?

Colin Walters walters at redhat.com
Fri Apr 2 00:06:49 UTC 2004


On Thu, 2004-04-01 at 17:15, murphy pope wrote:
> How can I create a new Linux user account such that the home directory
> is assigned the proper context?
> 
> I want to create a new user (fred).  
> I want fred's home directory to be located in the default location
> (/home/fred).  
> And I want the context for /home/fred to be:
> fred:user_r:user_home_dir_t.
> 
> useradd doesn't work.  It seems to have two problems: 
>         1) If my context (when I run useradd fred) is
>         root:staff_r:staff_t, useradd sets the home directory to
>         root:object_r:home_root_t.

Basically don't run useradd (or do anything that in typical Linux/Unix
requires "root") as staff_r.  It's the looseness of the FC2 policy that
lets it even halfway work.

>         2) If my context is root:sysadm_r:sysadm_t, useradd sets the
>         home directory to root:object_r:user_home_dir_t
> 
> Item 1 seems like a bug - why would it choose :home_root_t instead of
> :user_home_dir_t?
> In either case, the identity is wrong.  

The identity isn't really wrong in 2.  Sure, the SELinux user identity
component of the security context is "root", but that won't matter in
this case, since the user can't relabel their home directory anyways.

> 1) Why is this so bloody difficult? Can you really expect the average
> user/administrator to deal with problems like this?

We're working on a solution.

> 2) How can I create a new user whose home directory is assigned the
> proper identity?

Become root/sysadm_r, and run useradd.

> 3) How can I get a list of valid identities?

By identity I'm assuming you mean security context; you could egrep for
'^type ' in policy.conf I guess...

> 4) Can I add identities with a simple command (i.e. without
> recompiling the policy)?

No.
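An added example, not part of Colin's reply or the original thread, showing the two checks discussed above as a POSIX shell script: verifying that a home directory's context carries the expected type (the identity component being "root" is harmless, as Colin notes, but a type of home_root_t instead of user_home_dir_t is the real defect), and listing declared types with the grep '^type ' approach. It assumes the pre-MLS user:role:type context format, that `ls -dZ` prints a directory's context, and that policy.conf declares types as `type name, attr, ...;`; the policy lines and the home-directory context below are constructed samples.

```shell
#!/bin/sh
# Added example; not code from the fedora-selinux-list thread.

# Split a user:role:type context and check only the type component.
# A wrong SELinux user on /home/fred does not matter (the user cannot
# relabel it); a wrong type such as home_root_t does.
check_home_type() {
    ctx=$1          # e.g. root:object_r:user_home_dir_t (constructed)
    expected=$2     # e.g. user_home_dir_t
    ctx_type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ "$ctx_type" = "$expected" ]
}

# List the type identifiers declared in a policy.conf-style file.
# Assumed declaration form:  type user_home_dir_t, file_type, sysadmfile;
# so the identifier is the token after "type", minus a trailing , or ;
list_policy_types() {
    grep '^type ' "$1" | awk '{ sub(/[,;]$/, "", $2); print $2 }'
}

# Constructed sample resembling a few policy.conf lines (not a real policy).
sample_policy=$(mktemp)
cat > "$sample_policy" <<'EOF'
type home_root_t, file_type, sysadmfile;
type user_home_dir_t, file_type, sysadmfile, home_dir_type;
type staff_t, domain;
attribute file_type;
EOF

# On a live system this value would come from: ls -dZ /home/fred
# Here it is the context useradd produces when run as sysadm_r (constructed).
home_ctx="root:object_r:user_home_dir_t"
if check_home_type "$home_ctx" user_home_dir_t; then
    echo "/home/fred has type user_home_dir_t (identity root is harmless)"
else
    echo "/home/fred has the wrong type: $home_ctx"
fi

echo "types declared in sample policy:"
list_policy_types "$sample_policy"
rm -f "$sample_policy"
```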
