The 'genhomedircon' command produces error message on conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • When the genhomedircon command is executed, errors messages are produced, similar to those given below.

    [root@xxxxxx]# /usr/sbin/genhomedircon  
     dawc homedir /opt/dawc or its parent directory conflicts with a  
     defined context in /etc/selinux/targeted/contexts/files/file_contexts,  
     /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.  
     awws homedir /opt/awws or its parent directory conflicts with a  
     defined context in /etc/selinux/targeted/contexts/files/file_contexts,  
     /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.  
     cfps homedir /opt/cfps or its parent directory conflicts with a  
     defined context in /etc/selinux/targeted/contexts/files/file_contexts,  
     /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.
  • When running the command given below, to enable sending mail from within httpd, it returns the following error message.

        [root@xxxx ~]# setsebool -P httpd_can_sendmail=1
    
        libsemanage.get_home_dirs: matias.poisson homedir /var/www/campus
        or its parent directory conflicts with a file context already specified
        in the policy. This usually indicates an incorrectly defined system
        account. If it is a system account please make sure its uid is less
        than 500 or its login shell is /sbin/nologin.
    
  • The genhomedircon command seems to be executed each time a SELinux module is loaded/removed, and the same kind of messages are seen repeatedly

Resolution

Options to resolve are:

  • Change the home directories to at least one level lower than the directory already having the defined security context. (e.g. /opt/home/dawc)
  • Edit the entry of the system user in '/etc/passwd', and change the shell to '/sbin/nologin' or '/bin/false'.
  • Comment out the entry of the system user in '/etc/passwd' temporarily, while 'genhomedircon' is run manually.
  • Edit the 'UID_MIN' value in '/etc/login.defs' to a value one higher than the uid of the system user, to have it excluded by 'genhomedircon'. However, if there are real users having uid below this value, they will also get excluded. But this should not matter if these users have their home directory under the same parent directory, as the other real users who have higher uid values, since 'genhomedircon' is used only to generate home directory templates.
  • Ignore the error message produced while running 'genhomedircon', related to the system user, since the command will still produce the security context templates for the other valid real users.

Root Cause

When 'genhomedircon' is run, it needs a sane method to distinguish between real users, and system users, so as to generate the security context templates only for the real users. It considers accounts which have the shell as '/sbin/nologin' or '/bin/false' in '/etc/passwd' to be good to be excluded, and it also refers to the '/etc/login.defs' file to find the minimum uid for normal users, and excludes all user accounts having uid less than this value, from the security context template generation. The security context templates so created are stored in the '/etc/selinux/targeted/contexts/files/file_contexts.homedirs' file.

The error messages are produced, when it is noticed that a 'real' user has a home directory in a location, that already has got security contexts defined in the '/etc/selinux/targeted/contexts/files/file_contexts' file, and so it is not desirable to create conflicting entries.

Diagnostic Steps

  • There are system user account entries with UID greater than 500, and home directories in non-default locations like under '/opt' or '/usr', which already have their own special security contexts defined.
[root@xxxxxx]# cat /etc/passwd /etc/group | egrep '(cluster|dawc|cfps|awws)'
cluster:x:600:600::/home/cluster:/bin/bash
dawc:x:703:703::/opt/dawc:/bin/bash
awws:x:710:710::/opt/awws:/bin/bash
cfps:x:713:713::/opt/cfps:/bin/bash
cluster:x:600:
dawc:x:703:cluster
awws:x:710:cluster
cfps:x:713:cluste
  • If the shell for these user entries are changed from /bin/bash to /sbin/nologin or /bin/false, the errors can be avoided.  But this will disable the login for these accounts.

  • This is easily reproducible. Just create a user with their home directory in non-default locations like under '/opt' or '/usr', which already have their own special security contexts defined, and with a UID greater than 500. Then run the genhomedircon command.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.