#4118 Doesn't set the right SELinux context for users' homedir

open
Jamie Cameron
5
2012-07-17
2012-07-17
No

Having a Linux server with SELinux working (in enforcing mode), when you add a new user the SELinux context of the user's homedir is unconfined_u:object_r:home_root_t:s0, so it's not possible to access it, because it should be unconfined_u:object_r:user_home_dir_t:s0.
The way to solve it is to run "restorecon homedir".

Discussion

  • Jamie Cameron
    2012-07-19

    Which Linux distribution and version are you seeing this on?

  • CentOS 6.2

  • Jamie Cameron
    2012-09-17

    You can actually control the SElinux context Webmin sets on the home directory, by clicking on the Module Config link on the main page of the Users and Groups module, and changing the "SElinux context for new home directories" field.

    However, the default probably should be fixed. Which Linux distribution and version are you running there?

  • Jamie Cameron
    2012-09-17

    Sorry, just realized that you supplied the Linux distribution already.

    So on CentOS, Webmin by default sets the context on new home directories to: user_u:object_r:user_home_dir_t


  • Anonymous
    2013-04-10

    I found that in CentOS 6.4 (and perhaps this is true in 6.2) you MUST change the "SElinux context for new home directories" setting in the Webmin (1.620) Users and Groups module configuration to "System", as the default value adheres to an older policy model. An alternative would be to append ":0" to the end of "user_u:object_r:user_home_dir_t", as contexts are now numbered. When the last two characters are missing, somehow home_root_t gets set.

    But really, you should use the System setting, because "user_u" would be a custom context for a home directory that wouldn't survive a "restorecon" or a system relabel, since the default contexts are different now (see /etc/selinux/targeted/contexts/files/file_contexts.homedirs). That is, unless you were to change the default context using semanage. But, again, you'd be swimming uphill, as I'm presuming the developers of the SELinux security model in CentOS 6.x had a reason for overhauling the contexts (at least in Targeted mode) and arranging them as they are now.

    It would be better if Webmin simply changed their default setting to "System". Otherwise software that relies on the default security context for home directories, such as Dovecot, could (and in my case does) malfunction when interacting with subdirectories within /home.

    Last edit: Anonymous 2013-10-20
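A check-and-repair script for the situation described in the ticket and in the last comment, added here as an example; it is not part of Webmin or of this ticket. It assumes a hypothetical user `alice` with home `/home/alice`, GNU `stat` (for its `%C` format) and the SELinux userspace tools `matchpathcon` and `restorecon`. `context_ok` rejects a three-field context such as Webmin's default `user_u:object_r:user_home_dir_t`, because a context on this CentOS release has four fields, the last being the MLS/MCS level (`s0` in the contexts quoted in the ticket description). `fix_home` compares a directory's live label with the one the policy's file_contexts entries produce (the label `restorecon` and a full relabel would apply) and relabels when they differ.

```shell
#!/bin/sh
# Added example, not Webmin code: check and repair the SELinux label of a
# home directory that was created without the policy's default context.
# Assumptions (not from the ticket): user "alice" with home /home/alice,
# GNU stat, and the matchpathcon/restorecon tools from policycoreutils.

EXPECTED_TYPE="user_home_dir_t"

# Return 0 if the context string has all four fields (user:role:type:level)
# and its type is the home-directory type, 1 otherwise.  A three-field
# context like "user_u:object_r:user_home_dir_t" fails the field count;
# "unconfined_u:object_r:home_root_t:s0" fails the type check.
context_ok() {
    ctx="$1"
    old_ifs="$IFS"
    IFS=:
    # Split on ':' into positional parameters (contexts contain no glob chars)
    set -- $ctx
    IFS="$old_ifs"
    [ "$#" -eq 4 ] && [ "$3" = "$EXPECTED_TYPE" ]
}

# Label a directory currently carries (same value "ls -Zd DIR" shows)
current_context() {
    stat -c '%C' "$1"
}

# Compare the live label with what the loaded policy expects for the path
# (matchpathcon consults file_contexts and file_contexts.homedirs) and
# relabel with restorecon when they differ.  Returns 2 if the tools are
# missing, so a caller can tell "not checked" from "already correct".
fix_home() {
    dir="$1"
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not available; nothing checked for $dir" >&2
        return 2
    fi
    expected=$(matchpathcon -n "$dir")   # -n: print the context only
    actual=$(current_context "$dir")
    if [ "$expected" = "$actual" ]; then
        echo "$dir already labelled $actual"
        return 0
    fi
    echo "$dir is $actual, policy expects $expected; relabelling"
    restorecon -Rv "$dir"
}

# Example usage: only does something on a host that has the assumed user.
if [ -d /home/alice ]; then
    fix_home /home/alice
fi
```

`context_ok` is the check to run on whatever value is typed into the "SElinux context for new home directories" field before saving it; `fix_home` is the one-off repair for directories that were already created with the wrong label, and it prints both labels so the mismatch is visible before anything is changed.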