[lug] Fedora 26 SELinux: Migrating Home Partition

Orion Poplawski orion at cora.nwra.com
Fri Jul 14 09:57:38 MDT 2017


On 07/14/2017 09:39 AM, stimits at comcast.net wrote:
> Hi,
>  
> I did actually manage to recover my previously botched home partition
> resize...since I had thought I'd lost it I went ahead and played around more
> with lvm archives and manual use of fsck. I ended up getting everything back
> 100% :)
>  
> Even so, I had started installing Fedora 25...but two days later Fedora 26
> became available, so since I'd recovered my old Fedora 23 home I had both my
> good/working Fedora 23 plus the new install. I went ahead and replaced the
> Fedora 25 with Fedora 26 (KDE spin). Everything works normally on Fedora 23.
> Things /almost/ work with Fedora 26...
>  
> I did create all user/group accounts with exactly the same UID/GID between the
> original Fedora 23 and 26. Originally the GID was different because I had
> added supplemental group membership during the install. My user is supposed to
> be UID/GID of 1000/1000, but GID had incremented because supplemental groups
> were created before primary group...I had to go through and usermod and
> groupmod to move the supplemental groups to a higher GID and put my user's
> primary group back to 1000. Then I used "find" to manually change the group of
> those supplemental groups. I was very thorough about this and there is no
> chance I missed anything anywhere on any file system (in part this is because
> there were almost no files for supplemental groups...I use that for
> development and it isn't part of the system except for one serial port).
>  
> Now I can mount the home LVM partition and my user with 1000/1000 UID/GID can
> correctly access everything. /Except at login/. It seems there is an SElinux
> issue...but only at the moment of login.
>  
> If I mount this partition on "/home", and boot to console mode, initial login
> fails and the error message says I can't cd to my home directory because of
> permission denied (it puts me in "/"). The mount point is the correct
> permission. The directory and all subdirectories are the correct permissions.
> If I "cd" it works just fine to get to "/home/myuser". I can cd in and out
> just fine. Nothing stops me from reaching 100% of all content in this LVM
> partition mounted on "/home". /Except at initial login/...at no other time is
> there ever any issue. The file system is far from full, the "/var/log/btmp"
> file (and everything simple I can think of) is fine.
>  
> So looking in "/var/log/messages" I noticed SElinux permission denial. It
> looks like this:
> Jul 14 07:16:07 localhost audit: AVC avc:  *denied*  { *search* } for 
> pid=2586 comm="*login*" name="myuser" dev="*dm-0*" ino=18612225
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir *permissive=0*
>  
> I don't know if "permissive=0" means SElinux is enforcing, but it sounds like
> it. I believe the dm-0 is because it is LVM on a RAID1 partition where initial
> login access is denied. Could it be metadata files for RAID or LVM are checked
> at login and enforced for LVM, yet not checked or enforced after login? It
> seems like a bug if SElinux enforces at login, then stops enforcing.
>  
> In the old days when there was no SElinux (or it was not enforcing) it would
> be enough to have a separate home partition and mount it on the new system
> with users/groups matching. Does a home partition now also need SElinux labels
> matched when transferring a home partition to a new Fedora install? If so, how
> would I make the partition interchangeable among the Fedora 23 and 26 installs
> (I assume I'd adjust the label rules and not the home partition labels)?
>  
> Thanks!

Your SELinux labels are probably incorrect.  Try:

restorecon -r /home

to fix.


-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
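Below is an added example, not code from either poster: a small POSIX shell script that parses AVC records of the kind quoted in the question and decides whether the relabel Orion suggests is the right fix. The two log lines are constructed (the first reproduces the one from the post, mail-client `*` emphasis included); the function names are mine. It needs only `sh`, `sed`, `tr` and `cut`, so it runs on a machine without SELinux; the remediation commands are printed, not executed.

```sh
#!/bin/sh
# Added example (not from the thread): triage an SELinux AVC denial and decide
# whether relabeling with restorecon is the fix. Pure POSIX sh + sed, no SELinux
# required to run.

# Constructed sample: the denial from the post, with the "*" emphasis markers
# the mail client wrapped around some fields.
AVC_LOGIN='Jul 14 07:16:07 localhost audit: AVC avc:  *denied*  { *search* } for pid=2586 comm="*login*" name="myuser" dev="*dm-0*" ino=18612225 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir *permissive=0*'

# Constructed counter-example: target correctly labeled user_home_dir_t, denial
# logged while the machine was in permissive mode.
AVC_OTHER='Jul 14 07:20:01 localhost audit: AVC avc:  denied  { write } for pid=2700 comm="httpd" name="myuser" dev="dm-0" ino=18612225 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1'

# avc_field LINE KEY: value of KEY=value in an AVC record, quotes and "*" stripped.
avc_field() {
    printf '%s\n' "$1" | tr -d '*' |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission inside "{ ... }" (search, read, write, ...).
avc_perm() {
    printf '%s\n' "$1" | tr -d '*' | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# selinux_type CONTEXT: the type field of user:role:type[:level].
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_enforced LINE: true when permissive=0, i.e. the kernel really refused access.
avc_enforced() { [ "$(avc_field "$1" permissive)" = "0" ]; }

# avc_needs_relabel LINE: true when the target type shows the inode carries no
# label the loaded policy knows (unlabeled_t) or is an unlabeled leftover
# (file_t). In both cases restorecon, not a policy change, is the fix.
avc_needs_relabel() {
    case "$(selinux_type "$(avc_field "$1" tcontext)")" in
        unlabeled_t|file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_verdict LINE: one-line human-readable triage result.
avc_verdict() {
    line=$1
    src=$(selinux_type "$(avc_field "$line" scontext)")
    tgt=$(selinux_type "$(avc_field "$line" tcontext)")
    if avc_enforced "$line"; then mode=enforced; else mode='permissive (logged only)'; fi
    if avc_needs_relabel "$line"; then
        fix='relabel the target (restorecon)'
    else
        fix='label is valid; look at policy/booleans instead'
    fi
    printf '%s (pid %s) denied %s on %s "%s" [%s]: source %s, target %s -> %s\n' \
        "$(avc_field "$line" comm)" "$(avc_field "$line" pid)" "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" name)" \
        "$mode" "$src" "$tgt" "$fix"
}

# relabel_plan PATH: the check-then-fix commands, printed rather than executed
# so this script is safe to run on any box.
relabel_plan() {
    cat <<EOF
matchpathcon $1      # label the policy expects for this path
ls -dZ $1            # label the inode currently carries
restorecon -Rnv $1   # dry run: list what would change
restorecon -Rv $1    # apply the relabel recursively
EOF
}

for l in "$AVC_LOGIN" "$AVC_OTHER"; do avc_verdict "$l"; done
relabel_plan /home
```

Reading the record this way also explains the two things the question puzzled over. `dev="dm-0"` is only the device-mapper node backing the mount and is not the cause; the decisive field is `tcontext=...:unlabeled_t`, which says the directory inode carries no label the Fedora 26 policy recognises. The confined `local_login_t` domain may not `search` such a directory, while the user's shell after login runs as `unconfined_t`, which the targeted policy allows broad access to, so SELinux is enforcing the whole time and only the login domain is blocked. `restorecon -r` in the reply is the same as `-R`; for a whole filesystem that was moved between installs, `fixfiles restore` or creating `/.autorelabel` and rebooting does the same job system-wide.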

