On most of my systems I created a user called devops with its home directory at /srv/devops. On Fedora or CentOS systems, those home directories have their SELinux context set correctly when created. Recently, I found out that on all 3 machines so far, the SELinux context has been reverted.

~# ls -lZ /srv
total 0
drwx------. 5 devops devops system_u:object_r:var_t:s0    127 Oct 30  2019 devops

It should have had the same context as the home directory of the normal user kenno under /home:

# ls -lZ /home
total 9
drwx------. 32 kenno kenno unconfined_u:object_r:user_home_dir_t:s0 47 Jun 15 13:55 kenno

When the home directory has an incorrect SELinux label, it causes a lot of trouble. One example: the devops user can no longer ssh into the machine using a private/public key pair.

# ls -laZ /srv/devops/
total 16
drwx------. 5 devops devops system_u:object_r:var_t:s0     127 Oct 30  2019 .
drwxr-xr-x. 4 root     root     system_u:object_r:var_t:s0      32 Apr 12 10:22 ..
-rw-------. 1 devops devops unconfined_u:object_r:var_t:s0  13 Oct 29  2019 .bash_history
-rw-r--r--. 1 devops devops system_u:object_r:var_t:s0      18 Aug  5  2019 .bash_logout
-rw-r--r--. 1 devops devops system_u:object_r:var_t:s0     141 Aug  5  2019 .bash_profile
-rw-r--r--. 1 devops devops system_u:object_r:var_t:s0     376 Aug  5  2019 .bashrc
drwxr-xr-x. 4 devops devops system_u:object_r:var_t:s0      39 Sep 12  2019 .mozilla
drwx------. 2 devops devops system_u:object_r:var_t:s0      29 Mar 15 12:30 .ssh

To fix this, the /srv/devops directory needs to be relabelled. But how? Right, I already forgot how to do this, and this is the 3rd time I need to fix this directory on a Fedora machine. So here are some tips to help my future self.

Run man semanage-fcontext, and scroll down to the bottom of the page. There are a few ways that I can use to fix it.

One of the easiest methods, however, is to copy the SELinux label from an existing user directory /home/kenno to /srv/devops.

# semanage fcontext -a -e /home/kenno /srv/devops
# restorecon -R -v /srv/devops

Options for semanage fcontext:

  • -a : Add a record of the specified object type.
  • -e : Substitute target path with source path. This is used with fcontext.

Options for restorecon:

  • -R, -r : change files and directories file labels recursively.
  • -v : show changes in file labels.

After running the commands above, ls should produce the following output:

~# ls -laZ /srv/devops/
total 16
drwx------. 5 devops devops system_u:object_r:user_home_dir_t:s0 127 Oct 30  2019 .
drwxr-xr-x. 4 root     root     system_u:object_r:var_t:s0            32 Apr 12 10:22 ..
-rw-------. 1 devops devops unconfined_u:object_r:user_home_t:s0  13 Oct 29  2019 .bash_history
-rw-r--r--. 1 devops devops system_u:object_r:user_home_t:s0      18 Aug  5  2019 .bash_logout
-rw-r--r--. 1 devops devops system_u:object_r:user_home_t:s0     141 Aug  5  2019 .bash_profile
-rw-r--r--. 1 devops devops system_u:object_r:user_home_t:s0     376 Aug  5  2019 .bashrc
drwxr-xr-x. 4 devops devops system_u:object_r:mozilla_home_t:s0   39 Sep 12  2019 .mozilla
drwx------. 2 devops devops system_u:object_r:ssh_home_t:s0       29 Mar 15 12:30 .ssh
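
To catch the label reverting again before it breaks key-based logins, the listing can be checked automatically. The script below is an added example, not part of the original post: check_home_labels is a hypothetical helper name, the sample listings are trimmed from the output shown above, and the expected types are the ones in the "after" listing.

```sh
#!/bin/sh
# check_home_labels: read `ls -laZ <homedir>` output on stdin and report the
# entries whose SELinux type differs from the one shown after the fix:
#   "."     must be user_home_dir_t
#   ".ssh"  must be ssh_home_t
# Exit status is 1 if anything is mislabeled, 0 otherwise.
check_home_labels() {
    awk '
        # Skip the "total N" header and lines without a context column.
        NF < 10 || $5 !~ /:/ { next }
        {
            name = $NF                 # assumes file names without spaces
            split($5, ctx, ":")        # user:role:type:level
            type = ctx[3]
            want = ""
            if (name == ".")    want = "user_home_dir_t"
            if (name == ".ssh") want = "ssh_home_t"
            if (want != "" && type != want) {
                printf "MISLABELED %s type=%s expected=%s\n", name, type, want
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Sample input: the listing before the fix (trimmed from the post).
before_listing() {
cat <<'EOF'
total 16
drwx------. 5 devops devops system_u:object_r:var_t:s0     127 Oct 30  2019 .
drwxr-xr-x. 4 root     root     system_u:object_r:var_t:s0      32 Apr 12 10:22 ..
drwx------. 2 devops devops system_u:object_r:var_t:s0      29 Mar 15 12:30 .ssh
EOF
}

# Sample input: the listing after semanage + restorecon (trimmed from the post).
after_listing() {
cat <<'EOF'
total 16
drwx------. 5 devops devops system_u:object_r:user_home_dir_t:s0 127 Oct 30  2019 .
drwxr-xr-x. 4 root     root     system_u:object_r:var_t:s0            32 Apr 12 10:22 ..
drwx------. 2 devops devops system_u:object_r:ssh_home_t:s0       29 Mar 15 12:30 .ssh
EOF
}

# Demo on the "before" sample: prints two MISLABELED lines.
before_listing | check_home_labels || echo "relabel needed"
```

On a live system, pipe the real listing into it: ls -laZ /srv/devops | check_home_labels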

Learn more about SELinux from: