SELinux Home directory fine tuning
In the Linux Foundation Referenced Specifications for the Filesystem Hierarchy Standard (FHS), there’s this entry for the (optional) User home directories – <3.8. /home : User home directories (optional)>
On smaller systems, each user’s home directory is typically implemented as a subdirectory directly under /home, for example /home/smith, /home/torvalds, /home/operator, etc. On large systems (especially when the /home directories are shared amongst many hosts using NFS) it is useful to subdivide user home directories. Subdivision may be accomplished by using subdirectories such as /home/staff, /home/guests, /home/students, etc.
I admit to using the subdivision of user home directories for many years now without being aware of the Linux Standard detail …
semanage configures elements of SELinux policy without requiring modification to or recompilation from policy sources.
The secret is located in the “semanage-fcontext” man (8) page:
Substitute /home1 with /home when setting file context
i.e. label everything under /home1 the same way /home is labeled
# semanage fcontext -a -e /home /home1
# restorecon -R -v /home1
For home directories under a top level directory, for example /disk6/home, execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
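To see what those two recipes actually do before touching a live box, here is an added Python model (not from the forum post, nor from the SELinux tools) of the prefix substitution that `semanage fcontext -e` records and the regex matching restorecon then performs; the FILE_CONTEXTS table is a constructed subset of refpolicy-style patterns and the function names are my own.

```python
import re

# Constructed, trimmed imitation of refpolicy file_contexts entries
# (regex, SELinux type). Ordered generic to specific: as in libselinux,
# the last matching entry wins.
FILE_CONTEXTS = [
    (r"/.*",                      "default_t"),
    (r"/home",                    "home_root_t"),
    (r"/home/[^/]+",              "user_home_dir_t"),
    (r"/home/[^/]+/.+",           "user_home_t"),
    (r"/home/[^/]+/\.ssh(/.*)?",  "ssh_home_t"),
]


def add_equivalence(subs, target, equiv):
    """Model `semanage fcontext -a -e TARGET EQUIV`: paths under EQUIV
    are labelled as though they were under TARGET (file_contexts.subs)."""
    subs[equiv.rstrip("/")] = target.rstrip("/")
    return subs


def substitute(subs, path):
    """Rewrite PATH through the longest matching equivalence prefix.
    Prefixes match whole components only: a /home1 rule leaves /home10 alone."""
    for src in sorted(subs, key=len, reverse=True):
        if path == src or path.startswith(src + "/"):
            return subs[src] + path[len(src):]
    return path


def expected_type(subs, local_rules, path):
    """Type restorecon would assign: substitute first, then take the last
    matching regex from the table plus any local `semanage -a -t` rules."""
    p = substitute(subs, path)
    result = None
    for pattern, t in FILE_CONTEXTS + local_rules:
        if re.fullmatch(pattern, p):
            result = t
    return result


if __name__ == "__main__":
    subs = add_equivalence({}, "/home", "/home1")        # man page, first case
    add_equivalence(subs, "/home", "/disk6/home")        # man page, second case
    local = [(r"/disk6", "home_root_t")]                 # semanage -a -t home_root_t "/disk6"
    for path in ["/home1", "/home1/smith/.ssh/config", "/home10/smith",
                 "/disk6", "/disk6/home", "/disk6/home/smith"]:
        print(f"{path:28} -> {expected_type(subs, local, path)}")
```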
And with Leap 16.0 the default file mode of “/home” has changed:
> ls -ldZ /hom*
dr-xr-xr-x. 9 root root system_u:object_r:home_root_t:s0 112 3. Jan 18:22 /home
dr-xr-xr-x. 15 root root system_u:object_r:home_root_t:s0 4096 15. Apr 2024 /home01
>
> rpm --query --scripts filesystem
.
.
local ghosts = {
["/boot"] = 0555,
["/home"] = 0555,
["/mnt"] = 0555,
["/opt"] = 0555,
["/proc"] = 0555,
["/srv"] = 0555,
.
.
>