Mike wrote:
> Tim <ignored_mailbox <at> yahoo.com.au> writes:
> > I would imagine that the SELinux contexts are wrong. They're applied to
> > expected filepaths (home space contexts for the usual /home/username/
> > filepaths), I imagine that they won't get applied across symlinks, as
> > it'd be too easy for someone to symlink non-public system stuff into the
> > middle of a public area, to try and access it.
> Thanks Tim - in fact logging in on the laptop itself is fine - the problem
> occurs when logging in via ssh from another machine.
> I checked the selinux contexts with ls -Z and the contexts of
> /opt/Local/home are different to those of the symlink at /home
how, exactly?
These are the labels on my system (using ls -Z):
  /home/*        system_u:object_r:user_home_dir_t:s0
  /home/USER/*   system_u:object_r:user_home_t:s0
  /home          system_u:object_r:home_root_t:s0
whereas files in /opt/local seem to get labelled like this:
  /opt/local/*   unconfined_u:object_r:usr_t:s0
  or this        system_u:object_r:usr_t:s0
(depends on how they were created IIRC)
have you tried relabelling the homedirs and their contents in
/opt/local/home appropriately?
> Yes the user area is then (via the symlink) /home/username and as I said
> works fine for login on the machine itself.
> I tried changing the context of the symlink using chcon but it would not
> allow me to change the link (as root) - however I have also read that for
> some circumstances it may be necessary to use the "newrole" command as
> root - but I am groping in the dark with this as I am not knowledgeable
> about when this is appropriate.
what did you try to change it to?
did you try chcon on the files in /opt
(the following is by no means complete) -
  chcon -t home_root_t /opt/local/home
  chcon -t user_home_dir_t /opt/local/home/*
  chcon -R -t user_home_t /opt/local/home/USER/*
for starters.
when you ssh in, are you sure it's an selinux problem?
for more useful messages, try this:
1. yum install setroubleshoot
2. service setroubleshoot start
3. then ssh in
4. look in /var/log/messages on your machine for lines containing 'sealert'
(or just run sealert -b if you have a graphical desktop)
5. see if there are complaints about mislabelled files/dirs.
6. let us know what the error messages are. We can be of more help that
way. Everything we do at the moment is little more than educated guesswork.
> Do you know of any links to a "getting started understanding SELinux"
> type of guide?
The Red Hat SELinux guide might be helpful.
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/selg-overview.html
as might the various docs here:
http://fedoraproject.org/wiki/SELinux
> The contexts for the files in the non-root partition appear to be set OK
what are they set to?
  ls -Z /opt/local/home/*
> and it looks like it is the symlink that is causing the problem. So far I
> can use the applications as normal (i.e. as before) apart from this one
> problem.
> I have yet to explore whether there will be problems with dovecot if
> the mail area is symlinked (again normal previous practice for me with
> SELinux disabled previously)
symlinked from where? /opt again?
Stuart
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
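
Added example (not part of the original message or of any Fedora tool): a small shell audit that compares the labels under a relocated home root against the three types listed in the reply above. The function names, the two-column "context path" input format and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Expected types by depth below the home root, as listed in the thread:
#   ROOT -> home_root_t, ROOT/user -> user_home_dir_t, deeper -> user_home_t

# expected_type ROOT PATH: print the type PATH should carry, or fail if
# PATH lies outside ROOT.
expected_type() {
    r=${1%/}; p=${2%/}
    case "$p" in
        "$r")      echo home_root_t ;;
        "$r"/*/*)  echo user_home_t ;;      # must precede the one-level pattern
        "$r"/*)    echo user_home_dir_t ;;
        *)         return 1 ;;
    esac
}

# audit_labels ROOT: read "context path" lines on stdin, print one
# MISMATCH line per wrong label, return non-zero if any were found.
audit_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$1" "$path") || continue
        # context is user:role:type:level; keep only the third field
        have=${ctx#*:}; have=${have#*:}; have=${have%%:*}
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path have=$have want=$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample, shaped like: stat -c '%C %n' on each path
sample_listing() {
cat <<'EOF'
system_u:object_r:home_root_t:s0 /opt/local/home
unconfined_u:object_r:usr_t:s0 /opt/local/home/USER
unconfined_u:object_r:user_home_t:s0 /opt/local/home/USER/.bashrc
system_u:object_r:usr_t:s0 /opt/local/home/USER/mail
EOF
}

# On a real system the input could come from:
#   find /opt/local/home -maxdepth 2 -exec stat -c '%C %n' {} +
sample_listing | audit_labels /opt/local/home || true
```

Labels set with chcon do not survive a full relabel or restorecon. Where semanage supports equivalence rules, `semanage fcontext -a -e /home /opt/local/home` followed by `restorecon -R /opt/local/home` makes the mapping persistent.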