On Wed, 2008-07-23 at 21:36 +0000, Mike wrote:
> I have just done a clean f9 install on a laptop where the user areas are
> on a separate partition (/opt/Local/home) on the HD.
>
> Having left SELinux on after the install I did my usual post-install
> change of doing as root:
> cd /
> mv home home.dist
> ln -s /opt/Local/home .
>
> Now /home is a symlink to /opt/Local/home
>
> I can now login as a normal user..... BUT
>
> If I now ssh into the machine from another machine on the network
> I find that I cannot get the home directory for that user!
>
> The message is:
> Last login: Wed Jul 23 21:32:14 2008 from bla.bla.com
> Could not chdir to home directory /home/username: Permission denied
> [username@localhost /]$
>
> I am presuming that this is an SELinux denial... even though it
> does not say so explicitly.

Look in the audit logs to see what SELinux thinks about it
(/var/log/audit/).

> I have read that there are difficulties with symlinks in SELinux
> and I wondered if someone who has been through this could advise?

I would imagine that the SELinux contexts are wrong.  They're applied to
expected filepaths (home space contexts for the usual /home/username/
filepaths); I imagine that they won't get applied across symlinks, as
it'd be too easy for someone to symlink non-public system stuff into the
middle of a public area, to try and access it.

> I have heard that replacing a symlink with a bind mount will make
> an improvement -

If your homespace is mounted onto the normal Fedora location for home
spaces (/home/username), then the usual contexts will be applied
automatically, and things should just work.  If you put your homespace
elsewhere, you'd have to manually reset the contexts, and perhaps keep
on having to reset them as new files were created in your homespace.

Just a quick bit of searching around suggests that you use "bind" as the
options for the mount in the fstab file.  But I haven't verified this.
e.g.
/opt/Local/home /home none bind

--
(This computer runs Fedora 7, my others run 4, 6 & 9, & CentOS 5, all
using Gnome in case that's important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
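
The audit-log check suggested in the reply, as an added example that is not part of the original message: a shell function that pulls the permission, object class, source and target SELinux types and object name out of AVC denial records for one command. The log records and the types in them (file_t, user_home_t) are constructed, and `sample_audit_log` and `avc_denials` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials for one command from audit.log text.

# Constructed sample records (not from the thread); the types are placeholders.
sample_audit_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1216848733.101:40): user pid=2301 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="username": exe="/usr/sbin/sshd" (hostname=bla.bla.com, terminal=ssh res=success)'
type=AVC msg=audit(1216848734.212:41): avc:  denied  { search } for  pid=2305 comm="sshd" name="home" dev=sda5 ino=81921 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1216848734.212:42): avc:  denied  { getattr } for  pid=2305 comm="sshd" path="/opt/Local/home/username" dev=sda5 ino=81930 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1216848790.500:57): avc:  denied  { read } for  pid=2410 comm="httpd" name="index.html" dev=sda1 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Usage: avc_denials COMM < audit.log
# Prints one line per denial: permissions, object class, source type,
# target type, and the object name (or path when no name= field exists).
avc_denials() {
    awk -v want="$1" '
    # Return the value of key=value in the current record, quotes stripped.
    function val(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }

    $1 == "type=AVC" && $4 == "denied" && val("comm") == want {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 2, e - s - 3)   # text between the braces
        gsub(/ /, ",", perms)                  # several permissions become a,b
        obj = val("name"); if (obj == "") obj = val("path")
        print perms, val("tclass"), setype(val("scontext")), setype(val("tcontext")), obj
    }'
}

# Demo on the constructed sample: show what sshd was denied.
sample_audit_log | avc_denials sshd
```

On the affected machine the same function can be fed the real log as root with `avc_denials sshd < /var/log/audit/audit.log`. The target type column shows how the directory being refused is currently labelled.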