#4118 Doesn't set the right SELinux context for users' homedir


Having a Linux server with SELinux working (in enforcing mode), when you add a new user, the SELinux context of the user's homedir is unconfined_u:object_r:home_root_t:s0, so it's not possible to access it because it should be unconfined_u:object_r:user_home_dir_t:s0.
The way to solve it is to run "restorecon homedir".


  • Jamie Cameron

    Jamie Cameron - 2012-07-19

    Which Linux distribution and version are you seeing this on?

  • José Antonio Caminero Granja

    CentOS 6.2

  • Jamie Cameron

    Jamie Cameron - 2012-09-17

    You can actually control the SELinux context Webmin sets on the home directory, by clicking on the Module Config link on the main page of the Users and Groups module, and changing the "SElinux context for new home directories" field.

    However, the default probably should be fixed. Which Linux distribution and version are you running there?

  • Jamie Cameron

    Jamie Cameron - 2012-09-17

    Sorry, just realized that you supplied the Linux distribution already.

    So on CentOS, Webmin by default sets the context on new home directories to: user_u:object_r:user_home_dir_t

  • Anonymous

    Anonymous - 2013-04-10

    I found that in CentOS 6.4 (and perhaps this is true in 6.2) you MUST change the "SElinux context for new home directories" setting in Webmin (1.620) Users and Groups module configuration to "System" as the default value adheres to an older policy model. An alternative would be to append ":0" to the end of "user_u:object_r:user_home_dir_t" as contexts are now numbered. When the last two characters are missing somehow home_root_t gets set. But really, you should use the System setting because the "user_u" would be a custom context for a home directory that wouldn't survive a "restorecon" or a system relabel since the default contexts are different now (see /etc/selinux/targeted/contexts/files/file_contexts.homedirs). That is unless you were to change the default context using semanage. But, again, you'd be swimming uphill as I'm presuming the developers of the SELinux security model in CentOS 6.x had a reason for overhauling the contexts (at least in Targeted mode) and arranging it as it is now. It would be better if Webmin simply changed their default setting to "System". Otherwise software that relies on the default security context for home directories, such as Dovecot, could (and in my case do) malfunction when interacting with subdirectories within /home.

    Last edit: Anonymous 2013-10-20
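
A way to audit existing home directories for the mislabeling reported in this ticket, as an added example that is not part of the original thread or of Webmin's code. The function names and the sample listing are constructed for illustration; the input format assumed is `<context> <path>` per line, as printed by GNU `stat -c '%C %n'`, with paths that contain no spaces.

```shell
#!/bin/sh
# Added example: flag home directories whose SELinux type is not the
# user_home_dir_t type named in the report above.

EXPECTED_TYPE="user_home_dir_t"

# Read "<context> <path>" lines on stdin and print "<path> <actual type>"
# for every entry whose type differs from EXPECTED_TYPE.
# A context has the form user:role:type[:level], so the type is field 3.
find_mislabeled_homes() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 2 {
            n = split($1, ctx, ":")
            if (n < 3) { print $2, "unparseable"; next }
            if (ctx[3] != want) print $2, ctx[3]
        }'
}

# Constructed sample input (not captured from a real system).
sample_listing() {
    cat <<'EOF'
unconfined_u:object_r:user_home_dir_t:s0 /home/alice
unconfined_u:object_r:home_root_t:s0 /home/bob
user_u:object_r:user_home_dir_t:s0 /home/carol
EOF
}

# On a live SELinux host, feed real labels instead of the sample:
#   stat -c '%C %n' /home/* | find_mislabeled_homes
# and relabel each reported path from policy with:
#   restorecon -Rv <path>
sample_listing | find_mislabeled_homes
```

The check compares only the type field, so a directory labeled with a different SELinux user but the right type (like /home/carol in the sample) is not reported.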
