[lug] Fedora 26 SELinux: Migrating Home Partition
stimits at comcast.net
Fri Jul 14 09:39:32 MDT 2017
Hi,
I did actually manage to recover my previously botched home partition resize...since I had thought I'd lost it I went ahead and played around more with lvm archives and manual use of fsck. I ended up getting everything back 100% :)
Even so, I had started installing Fedora 25...but two days later Fedora 26 became available, so since I'd recovered my old Fedora 23 home I had both my good/working Fedora 23 plus the new install. I went ahead and replaced the Fedora 25 with Fedora 26 (KDE spin). Everything works normally on Fedora 23. Things almost work with Fedora 26...
I did create all user/group accounts with exactly the same UID/GID between the original Fedora 23 and 26. Originally the GID was different because I had added supplemental group membership during the install. My user is supposed to be UID/GID of 1000/1000, but GID had incremented because supplemental groups were created before primary group...I had to go through and usermod and groupmod to move the supplemental groups to a higher GID and put my user's primary group back to 1000. Then I used "find" to manually change the group of those supplemental groups. I was very thorough about this and there is no chance I missed anything anywhere on any file system (in part this is because there were almost no files for supplemental groups...I use that for development and it isn't part of the system except for one serial port).
Now I can mount the home LVM partition and my user with 1000/1000 UID/GID can correctly access everything. Except at login. It seems there is an SELinux issue...but only at the moment of login.
If I mount this partition on "/home", and boot to console mode, initial login fails and the error message says I can't cd to my home directory because of permission denied (it puts me in "/"). The mount point is the correct permission. The directory and all subdirectories are the correct permissions. If I "cd" it works just fine to get to "/home/myuser". I can cd in and out just fine. Nothing stops me from reaching 100% of all content in this LVM partition mounted on "/home". Except at initial login...at no other time is there ever any issue. The file system is far from full, the "/var/log/btmp" file (and everything simple I can think of) is fine.
So looking in "/var/log/messages" I noticed an SELinux permission denial. It looks like this:
Jul 14 07:16:07 localhost audit: AVC avc: denied { search } for pid=2586 comm="login" name="myuser" dev="dm-0" ino=18612225 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
I don't know if "permissive=0" means SELinux is enforcing, but it sounds like it. I believe the dm-0 is because it is LVM on a RAID1 partition where initial login access is denied. Could it be metadata files for RAID or LVM are checked at login and enforced for LVM, yet not checked or enforced after login? It seems like a bug if SELinux enforces at login, then stops enforcing.
In the old days when there was no SELinux (or it was not enforcing) it would be enough to have a separate home partition and mount it on the new system with users/groups matching. Does a home partition now also need SELinux labels matched when transferring a home partition to a new Fedora install? If so, how would I make the partition interchangeable among the Fedora 23 and 26 installs (I assume I'd adjust the label rules and not the home partition labels)?
Thanks!
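As an added example (not part of the post above), a small POSIX shell parser for the AVC line quoted in the message: it pulls out the fields and classifies the denial so the interpretation does not depend on reading the line by eye. The sample input is the denial from the message; the function names are made up for this example.

```shell
#!/bin/sh
# Constructed input: the AVC denial quoted in the post above.
AVC='Jul 14 07:16:07 localhost audit: AVC avc: denied { search } for pid=2586 comm="login" name="myuser" dev="dm-0" ino=18612225 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY -> value of "KEY=..." in the line (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT -> the type field of a user:role:type:range security context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_diagnose LINE -> "relabel:<mode>" or "policy:<mode>"
#   relabel  : the target carries unlabeled_t, i.e. the filesystem has no (valid)
#              SELinux labels. Fix by relabeling, e.g. "restorecon -Rv /home",
#              or "touch /.autorelabel" and reboot; "ls -Z" shows current labels.
#   policy   : the target is labeled; the policy itself denies the access.
#   enforced : permissive=0, the denial actually blocked the access.
#   audited  : permissive=1, logged only, nothing was blocked.
avc_diagnose() {
    line=$1
    stype=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    if [ "$(avc_field "$line" permissive)" = "0" ]; then mode=enforced; else mode=audited; fi
    # Why only login fails: the confined login domain (here local_login_t) may not
    # search an unlabeled_t directory, while the user's later shell runs in the
    # unconfined domain, which the policy lets read unlabeled files.
    echo "source=$stype target=$ttype" >&2
    if [ "$ttype" = "unlabeled_t" ]; then echo "relabel:$mode"; else echo "policy:$mode"; fi
}

avc_diagnose "$AVC"
```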