SElinux concerning symlink?

Stuart Sears stuart at sjsears.com
Thu Jul 24 23:00:33 UTC 2008


Todd Denniston wrote:
[ edited. Any context errors resulting are all mine :) ]
> I can agree with that, but how do you convince SEL that you desire 
> /rootlockeddown/<user>/authorized_keys  to be a valid place for sshd
> to read? note  /rootlockeddown/ is not where home directories are, it
> is where the admin approved keys are after the admin sets in
> sshd_config: AuthorizedKeysFile /rootlockeddown/%u/authorized_keys

You can use semanage to add extra path->context mappings to your policy.
(You could do this in a policy module too, if you need to apply the same
settings to many systems.)

something like this... (the path regex may not be perfect. It's late here)

semanage fcontext -a -f -- -t user_home_t '/rootlockeddown/[^/]*/.+'

semanage --help or man semanage might help there.

It also helps if you understand how file labels are decided when new
files are created in (or plain cp'd into) a directory:

1. if there is a rule in policy that describes how particular files 
should be labelled, use that

Otherwise

2. files (and subdirs) inherit the label of their parent directory.

So realistically, you could just ensure that you label
/rootlockeddown/USER as user_home_dir_t.

The semanage option is (arguably) better though.

Incidentally, if you mv (or cp -a) files from one dir to another, they 
take their original labels with them. This bites people a lot.


Stuart
-- 
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
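As an added illustration (not part of Stuart's reply, and not any SELinux tool's own code), the shell below takes the regex from his semanage command and tests it against a few constructed paths the way libselinux does, anchored at both ends, to show which files the rule covers and which would instead fall through to rule 2 and inherit the parent directory's label. The sample paths and the simplified two-step decision (one local rule, else inherit) are constructed for this example; on a real system the decision also depends on every other rule in the loaded policy.

```shell
#!/bin/sh
# Added example: dry-run a file_contexts regex against sample paths before
# committing it with "semanage fcontext -a" and applying it with restorecon.

# Regex exactly as it appears in the semanage command in the post.
KEYS_RE='/rootlockeddown/[^/]*/.+'

# path_matches REGEX PATH
# Exit 0 when PATH matches REGEX anchored at both ends, which is how
# libselinux applies file_contexts regexes.
path_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# label_for PATH
# Simplified model of the two rules from the post: print the type the
# local rule would assign, or "inherit" when no rule matches and the file
# would take its parent directory's label instead.
label_for() {
    if path_matches "$KEYS_RE" "$1"; then
        echo user_home_t
    else
        echo inherit
    fi
}

# Constructed sample paths (not from the post) to exercise the rule.
for p in /rootlockeddown/alice/authorized_keys \
         /rootlockeddown/alice \
         /rootlockeddown/alice/.ssh/id_rsa.pub \
         /rootlockeddown/authorized_keys; do
    printf '%-45s %s\n' "$p" "$(label_for "$p")"
done
```

Two things the dry run shows: /rootlockeddown/alice itself does not match, so the per-user directory would keep whatever label /rootlockeddown carries unless it is labelled separately (which is the gap the user_home_dir_t suggestion above closes), and `.+` crosses slashes, so everything below a user's directory matches as well. Remember that `semanage fcontext -a` only records the mapping; existing files are relabelled only after `restorecon -R /rootlockeddown`.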
More information about the fedora-list mailing list