Stuart Sears wrote, On 07/24/2008 07:00 PM:
Todd Denniston wrote:
[ edited. Any context errors resulting are all mine :) ]
I can agree with that, but how do you convince SEL that you desire
/rootlockeddown/<user>/authorized_keys to be a valid place for sshd
to read? Note /rootlockeddown/ is not where home directories are; it
is where the admin-approved keys are after the admin sets in
sshd_config: AuthorizedKeysFile /rootlockeddown/%u/authorized_keys
you can use semanage to add extra path->context mappings to your policy
(You could do this in a policy module too, if you need to apply the same
settings to many systems)
something like this... (the path regex may not be perfect. It's late here)
semanage fcontext -a -f -- -t user_home_t '/rootlockeddown/[^/]*/.+'
semanage --help or man semanage might help there.
It also helps if you understand how file labels are decided when new
files are created in (or plain cp'd into) a directory:
1. if there is a rule in policy that describes how particular files
should be labelled, use that
Otherwise
2. files (and subdirs) inherit the label of their parent directory.
so realistically, you could just ensure that you label
/rootlockeddown/USER as user_home_dir_t.
The semanage option is (arguably) better though.
Incidentally, if you mv (or cp -a) files from one dir to another, they
take their original labels with them. This bites people a lot.
Stuart
Thanks for the recipe.
If /rootlockeddown/ is on NFS, would the following command do part of what is
needed? (Yet more complexity, but then we do have a real world to live in :)
setsebool -P use_nfs_home_dirs=1
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
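The semanage fcontext line quoted above adds a file_contexts entry, and Stuart notes the regex may not be perfect. The Python below is an added example, not from this thread or from the SELinux tools: it models how matchpathcon/restorecon choose a label from file_contexts entries (regex anchored to the whole path, file type must agree, last matching entry wins) over a constructed excerpt, so a proposed rule can be checked against sample paths before it is applied to a system.

```python
import re
from typing import List, Optional, Tuple

# Constructed file_contexts excerpt for illustration (not a dump of any real
# policy). Each line is "<anchored path regex> [<ftype>] <security context>",
# the same shape semanage fcontext writes; the last line is the mapping from
# the thread, where "--" limits the rule to regular files.
FILE_CONTEXTS = """
/.*                            system_u:object_r:default_t:s0
/home/[^/]+                 -d system_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+                 system_u:object_r:user_home_t:s0
/rootlockeddown/[^/]*/.+    -- system_u:object_r:user_home_t:s0
"""

# ftype codes as used on the semanage -f option / file_contexts line
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink"}

Rule = Tuple[re.Pattern, Optional[str], str]


def parse_file_contexts(text: str) -> List[Rule]:
    """Parse file_contexts lines into (compiled regex, ftype or None, context)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:                       # regex, ftype, context
            regex, ftype, context = parts[0], FTYPE_CODES[parts[1]], parts[2]
        else:                                     # regex, context (any ftype)
            regex, ftype, context = parts[0], None, parts[1]
        rules.append((re.compile(regex), ftype, context))
    return rules


def label_for(path: str, ftype: str, rules: List[Rule]) -> Optional[str]:
    """Return the context restorecon would assign: regexes are anchored to the
    whole path, the ftype must agree, and the last matching entry wins."""
    chosen = None
    for regex, rule_ftype, context in rules:
        if regex.fullmatch(path) and rule_ftype in (None, ftype):
            chosen = context
    return chosen


if __name__ == "__main__":
    rules = parse_file_contexts(FILE_CONTEXTS)
    for path, ftype in [("/rootlockeddown/alice/authorized_keys", "file"),
                        ("/rootlockeddown/alice", "dir")]:
        print(path, ftype, "->", label_for(path, ftype, rules))
```

Running it shows the key file gets user_home_t while the per-user directory itself falls through to the catch-all, which is why Stuart separately mentions labelling /rootlockeddown/USER as user_home_dir_t.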