[redhat-lspp] LSPP kickstart config v0.19 released
Klaus Weidner
klaus at atsec.com
Tue Feb 13 04:56:05 UTC 2007
On Fri, Feb 09, 2007 at 04:37:42PM -0500, Linda Knippers wrote:
> Hi Klaus,
>
> > Simplify admin account creation, work around autorelabel $HOME issues
>
> I don't think this works. I think the useradd command isn't doing what
> we expect. With a command like this (taken right out of the ks script):
> useradd -m -c "ljk2" -G wheel -Z staff_u ljk2
> I end up with an ljk2 user that is staff_u:s0 (note s0) in
> /etc/selinux/mls/seusers.
>
> The home directory is labeled:
> user_u:object_r:user_home_dir_t:SystemLow-SystemHigh
>
> If I do a restorecon -v I get this:
> restorecon reset /home/ljk2 context
> user_u:object_r:user_home_dir_t:s0-s15:c0.c1023->staff_u:object_r:staff_home_dir_t:s0-s15:c0.c1023
>
> There's a comment in the ks script:
> # no need to set MLS level,
> # staff_u defaults to SystemLow-SystemHigh range
> But that doesn't seem to be the case.
>
> If staff_u is supposed to default to SystemLow-SystemHigh then useradd isn't
> doing the right thing when it creates the selinux user and it doesn't seem to
> be creating the home directory with the right context.
>
> Should I open a new bugzilla or does Dan think we need the semanage and
> restorecon no matter what?

I'm adding the semanage and restorecon again. If they are redundant due
to other tool fixes we can always remove them again, but they shouldn't
hurt.

-Klaus
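
A check for the mismatch reported in this thread, as an added example that is not part of the original message or of the kickstart script: it reads seusers-format lines (login:seuser:range) and lists logins mapped to a given SELinux user whose range differs from the expected one. The function names and sample lines are constructed for illustration, and it assumes the raw range s0-s15:c0.c1023 seen in the restorecon output above is what SystemLow-SystemHigh translates to.

```shell
#!/bin/sh
# Added example: audit login-to-SELinux-user mappings for an unexpected MLS range.

# Constructed sample in seusers format; not taken from a real system.
sample_seusers() {
cat <<'EOF'
# login:seuser:range
root:root:s0-s15:c0.c1023
__default__:user_u:s0
ljk2:staff_u:s0
admin2:staff_u:s0-s15:c0.c1023
EOF
}

# check_seusers SEUSER EXPECTED_RANGE   (reads seusers-format text on stdin)
# Prints "login range" for every login mapped to SEUSER with another range.
# Exit status: 0 if all such mappings match, 1 if any differ.
check_seusers() {
    awk -v su="$1" -v want="$2" '
        /^[ \t]*#/ { next }    # comment line
        /^[ \t]*$/ { next }    # blank line
        {
            # Split on the first two colons only: the range itself can
            # contain a colon (s0-s15:c0.c1023), so -F: would truncate it.
            i = index($0, ":")
            if (i == 0) next
            login = substr($0, 1, i - 1)
            rest  = substr($0, i + 1)
            j = index(rest, ":")
            if (j == 0) { user = rest; range = "" }
            else        { user = substr(rest, 1, j - 1); range = substr(rest, j + 1) }
            if (user == su && range != want) {
                print login, (range == "" ? "(none)" : range)
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed sample; on an installed system the input would be
# /etc/selinux/mls/seusers instead.
sample_seusers | check_seusers staff_u 's0-s15:c0.c1023' \
    || echo "staff_u login(s) above lack the expected range"
```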