[refpolicy] home directory user context question

[refpolicy] home directory user context question

[Justin Mattock]

I seem to be doing something wrong with the latest refpolicy
from git with configuring the user/login

I have in policy/users
gen_user(name,system_u, sysadm_r staff_r user_r, s0, s0 -
mls_systemhigh, mcs_allcats)

then after reboot I:
/usr/sbin/semanage login -a -s name:name

heres /usr/sbin/semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range
SELinux Roles

name          system_u   s0         s0-s0:c0.c255
staff_r user_r sysadm_r
root            sysadm     s0         s0-s0:c0.c255
staff_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c255
staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c255                  sysadm_r
system_u        user       s0         s0-s0:c0.c255                  system_r
unconfined_u    unconfined s0         s0-s0:c0.c255
unconfined_r
user_u          user       s0         s0                             user_r


then /usr/sbin/semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
name                    name                    s0
root                      root                      s0-s0:c0.c255
system_u                  system_u                  s0-s0:c0.c255

 for some reason my home directory is stuck with this context:
name:name user:object_r:user_home_t:s0  109 Feb 24 13:52 somefile
                   ^

if I have the system in enforcing mode I can not access any of the files
that have the start of the context "user:"
but if I chcon name:object_r:user_home_t:s0
                      ^
I can access my info or change directories
am I missing something with my setup for user/login
with semanage that gets the contexts to have "user" at
the beginning?

-- 
Justin P. Mattock

[refpolicy] home directory user context question

[Justin P. mattock]

On 02/25/2010 08:14 AM, Alan Rouse wrote:
> Your home directory is labeled "user:" or "user_u" ?
>
> Mine is labeled "user_u:"
>


yeah my mistake it's user_u
(user_u:object_r:user_home_dir_t)
dos this look correct?

or should it be:
name:object_r:user_home_dir_t

Justin P. Mattock

[refpolicy] home directory user context question

[Christopher J. PeBenito]

On Thu, 2010-02-25 at 09:59 -0800, Justin P. mattock wrote:
> On 02/25/2010 08:14 AM, Alan Rouse wrote:
> > Your home directory is labeled "user:" or "user_u" ?
> >
> > Mine is labeled "user_u:"
> 
> yeah my mistake it's user_u
> (user_u:object_r:user_home_dir_t)
> dos this look correct?
> 
> or should it be:
> name:object_r:user_home_dir_t

If you have UBAC enabled, then the seuser of the processes needs to
match the seuser on the contents of your home directory.  So your home
dir should be name:object_r:user_home_dir_t.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] home directory user context question

[Justin P. mattock]

On 02/25/2010 10:10 AM, Christopher J. PeBenito wrote:
> On Thu, 2010-02-25 at 09:59 -0800, Justin P. mattock wrote:
>> On 02/25/2010 08:14 AM, Alan Rouse wrote:
>>> Your home directory is labeled "user:" or "user_u" ?
>>>
>>> Mine is labeled "user_u:"
>>
>> yeah my mistake it's user_u
>> (user_u:object_r:user_home_dir_t)
>> dos this look correct?
>>
>> or should it be:
>> name:object_r:user_home_dir_t
>
> If you have UBAC enabled, then the seuser of the processes needs to
> match the seuser on the contents of your home directory.  So your home
> dir should be name:object_r:user_home_dir_t.
>


yeah that's what I figured.. I'm just hitting some odd
quirk or something to where user_u just stays there,
and "name" doesn't appear until I delete a file in
my home directory i.g. mozilla(for example)
after deleting and restarting things go to "name"



Justin P. Mattock