Bug 5389 - home directory in /usr/local causes selinux warnings
Status: RESOLVED FIXED
Product: Logitech Media Server
Classification: Unclassified
Component: RPM
Version: 6.5.4
Hardware: PC Other
Importance: P2 minor
Assigned To: Mark Miksis
Reported: 2007-09-05 07:58 UTC by Adam Spiers
Modified: 2009-09-08 09:17 UTC

Description Adam Spiers 2007-09-05 07:58:06 UTC
I'm running 6.5.4 on Fedora 7.  Every time I install any rpm, I get warnings like:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/lost\+found/.*.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/\.journal.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/lost\+found.

This bug (which was recently CLOSED NOTABUG) leads me to believe that it is due to having a user in /etc/passwd with a home directory under /usr/local/:

  https://bugzilla.redhat.com/show_bug.cgi?id=244815

However the only user matching this description is slimserver:

.-(/home/adam)--------------------------------------------------------------(root@atlantic)-
`--# grep /usr/local /etc/passwd
slimserver:x:503:503:SlimServer:/usr/local/slimserver:/bin/bash

If I comment slimserver out of /etc/passwd and shadow, run genhomedircon, then install a new rpm, I no longer get the warnings.  However I'm not an SELinux expert so I don't know what the "right" solution to this is.  Maybe /usr/local/ is a deprecated location for users?  Or maybe the slimserver install should manipulate the SELinux config in some way?  But I'm just guessing ...
Comment 1 Daniel Walsh 2007-09-11 12:40:55 UTC
If you create it with a shell account of /bin/nologin or /bin/false the problem will go away.
Comment 2 Adam Spiers 2007-09-27 15:46:57 UTC
Changing the shell to /sbin/nologin on this Fedora 7 box then running genhomedircon fixed it, thanks!

Can the rpm be tweaked accordingly?  (Maybe /bin/false is more distro-agnostic.)  Wouldn't it be a good idea security-wise to avoid having a usable shell anyway?
Comment 3 Ross Levine 2007-10-10 16:49:58 UTC
Dean, do you want to consider this for 7.0?
Comment 4 Chris Owens 2007-10-11 10:53:58 UTC
If you're running selinux, I think you're used to a lot of warnings.  I'm leaving this open, but reducing the priority so that it doesn't block the 7.0 release.
Comment 5 Andy Grundman 2007-11-21 09:33:44 UTC
Fletch, can you comment on this?
Comment 6 Mark Miksis 2007-11-21 09:57:14 UTC
The SqueezeCenter RPM creates the squeezecenter user as a system account (which does not create the home dir) and a default shell of /sbin/nologin.  One (or both) of those fixes this.  
Comment 7 Chris Owens 2007-12-10 18:30:36 UTC
Assigned to Fletch at his request per bug 5623
Comment 8 Mark Miksis 2007-12-26 10:56:42 UTC
This is fixed in the new SqueezeCenter RPM.  Please see http://forums.slimdevices.com/showthread.php?t=41217 and http://wiki.slimdevices.com/index.cgi?SqueezeCenterRPM for more information.  Marking as FIXED.
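
The check discussed in this thread, as an added shell example that is not part of the bug report or the SqueezeCenter RPM: it lists passwd entries whose home directory lies under a given prefix (here /usr/local) and whose shell is still a login shell. The function name `find_login_homes` and the sample entries other than the slimserver line are constructed for illustration; treating an empty shell field as a login shell follows passwd(5).

```shell
#!/bin/sh
# Added example: find accounts that combine a home directory under a system
# prefix with a usable login shell, the combination reported in this bug.

# find_login_homes PREFIX [PASSWD_FILE]
# Prints "user:home:shell" for each matching entry. PASSWD_FILE defaults to
# /etc/passwd; "-" reads standard input.
find_login_homes() {
    prefix=${1%/}                      # tolerate a trailing slash
    passwd_file=${2:-/etc/passwd}
    awk -F: -v prefix="$prefix" '
        /^[[:space:]]*(#|$)/ { next }  # commented-out or blank lines
        NF != 7              { next }  # malformed entries
        {
            home = $6; shell = $7
            # /sbin/nologin, /bin/nologin, /bin/false and similar are
            # non-login shells. An empty field is NOT skipped: passwd(5)
            # treats it as the default shell.
            if (shell ~ /\/(nologin|false)$/) next
            # Match the prefix itself or a path below it, but not a
            # sibling such as /usr/localdata.
            if (home == prefix || index(home, prefix "/") == 1)
                print $1 ":" home ":" shell
        }
    ' "$passwd_file"
}

# Constructed sample input. The slimserver line is the one quoted in the
# report; every other entry is made up for this example.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
slimserver:x:503:503:SlimServer:/usr/local/slimserver:/bin/bash
#legacy:x:510:510::/usr/local/legacy:/bin/bash
svc:x:504:504::/usr/local/svc:/sbin/nologin
old:x:505:505::/usr/local/old:
tool:x:506:506::/usr/localdata/tool:/bin/sh
EOF
}

sample_passwd | find_login_homes /usr/local -
```

Run `find_login_homes /usr/local` to check the live /etc/passwd. In the thread, changing the flagged account's shell to /sbin/nologin and rerunning genhomedircon cleared the warnings.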