bind-mounted homedirs

Daniel J Walsh dwalsh at redhat.com
Tue Jan 27 14:01:12 UTC 2009


Paul Howarth wrote:
> On Mon, 26 Jan 2009 15:18:05 -0500
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> Paul Howarth wrote:
>>> On a RHEL 5 server I have bind-mounted home directories, where the
>>> data on the server actually lives in /srv/homes but this is
>>> bind-mounted to /nis-home. The user home directories in LDAP refer
>>> to the /nis-home locations.
>>>
>>> When I updated to the 5.3 selinux policy, everything
>>> under /srv/homes got relabelled based on the /srv/homes pathname
>>> rather than the /nis-home pathname. What would be the best way of
>>> preventing this from happening in the future?
>>>
>>> Paul.
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> You can set up the labeling using semanage.
>>
>>
>> semanage fcontext -a -t home_root_t /srv/homes
>> semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*'
>> semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+'
> 
> That gets the majority of things right but misses things like
> ~/.spamassassin (spamassassin_home_t).
> 
> Is there a way of seeing the full set of homedir contexts that would
> include additions from local policy modules? At least with that I'd be
> able to replicate them to /srv/homes/
> 
> Paul.
> 

I attempted to open a discussion on what you are trying to do on this
list a couple of weeks ago.

You could do some sed/shell magic with the

/etc/selinux/targeted/modules/active/homedir_template

file, but I think the solution is to be able to add alternative roots in
the libsemanage.conf file and have it do the labeling for you.

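The "sed/shell magic" suggested in the message above, as an added example that is not part of the original post or of any SELinux tool. It assumes template lines have the form `regex [file-type flag] context` with `HOME_ROOT` and `HOME_DIR` placeholders and literal type names; the sample lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Print (not run) "semanage fcontext" commands that replicate the homedir
# template entries under an alternative home root such as /srv/homes.

# Constructed sample; assumed layout: <regex> [<file type flag>] <context>
sample_template() {
cat <<'EOF'
# constructed sample, not copied from a real policy
HOME_ROOT  -d  system_u:object_r:home_root_t:s0
HOME_DIR  -d  system_u:object_r:user_home_dir_t:s0
HOME_DIR/.+  system_u:object_r:user_home_t:s0
HOME_DIR/\.spamassassin(/.*)?  system_u:object_r:spamassassin_home_t:s0
/tmp/gconfd-USER  -d  system_u:object_r:user_tmp_t:s0
EOF
}

# template_to_semanage ALT_ROOT   (hypothetical helper; template on stdin)
template_to_semanage() {
    alt_root=$1
    while read -r spec f2 f3; do
        case $spec in
            HOME_ROOT*|HOME_DIR*) ;;   # entries that live under the home root
            *) continue ;;             # comments, blanks, /tmp etc. are skipped
        esac
        # Two fields: regex + context. Three fields: regex + flag + context.
        if [ -n "$f3" ]; then ftype=$f2; ctx=$f3; else ftype=; ctx=$f2; fi
        # The SELinux type is the third colon-separated field of the context.
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        # HOME_ROOT -> ALT_ROOT, HOME_DIR -> one path component below it.
        path=$(printf '%s\n' "$spec" |
            sed -e "s|^HOME_ROOT|$alt_root|" -e "s|^HOME_DIR|$alt_root/[^/]*|")
        # Same option form as the commands in the message (-f-d for dirs).
        printf "semanage fcontext -a -t %s %s'%s'\n" \
            "$setype" "${ftype:+-f$ftype }" "$path"
    done
}

# Stand-alone run: review the output before feeding it to a root shell.
sample_template | template_to_semanage /srv/homes
```

On a real system the function would read the homedir_template file named in the message on stdin instead of the sample, which picks up entries such as spamassassin_home_t that local policy modules add.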



