Filipe Brandenburger
2008-Jun-06 00:30 UTC
[CentOS] SELinux error message on CentOS 5: "multiple same specifications"
Hi all,

I just installed a CentOS 5 machine from Kickstart. I configured NSS and PAM to look up and authenticate users from LDAP with authconfig. On my LDAP I also have some automount configuration, but I'm not running automount on this server. SELinux is installed and enforcing.

Whenever I try to install an RPM (and on other occasions during boot) I see these messages:

    # rpm -Uvh ... .rpm
    /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/lost\+found/.*.
    /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/\.journal.
    /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/local/lost\+found.

The RPM installs fine, I guess those are just warnings. (Actually, /usr/local is practically empty, and there are no lost+found or .journal there, so I guess those are really innocuous.)

I dug in deeper and I found out that the source of the problem is most probably in this file:

    /etc/selinux/targeted/contexts/files/file_contexts.homedirs

Among its contents are these lines:

    /usr/local/[^/]*/.+ user_u:object_r:user_home_t:s0
    /usr/local/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
    /usr/local/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
    /usr/local/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
    /usr/local/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
    /usr/local/[^/]* -d user_u:object_r:user_home_dir_t:s0
    /usr/local/lost\+found/.* <<none>>
    /usr/local -d system_u:object_r:home_root_t:s0
    /usr/local/\.journal <<none>>
    /usr/local/lost\+found -d system_u:object_r:lost_found_t:s0

I saw that /home and /root are there, since they are really home directories. But /usr/local shouldn't be there!

And there's a fourth directory there, which is based on the name of our NFS fileserver:

    /colossus/users/[^/]*/.+ user_u:object_r:user_home_t:s0
    /colossus/users/[^/]*/.*/plugins/nprhapengine\.so.* -- user_u:object_r:textrel_shlib_t:s0
    /colossus/users/[^/]*/.*/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
    /colossus/users/[^/]*/((www)|(web)|(public_html))(/.+)? user_u:object_r:httpd_user_content_t:s0
    /colossus/users/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- user_u:object_r:textrel_shlib_t:s0
    /colossus/users/[^/]* -d user_u:object_r:user_home_dir_t:s0
    /colossus/users/lost\+found/.* <<none>>
    /colossus/users -d system_u:object_r:home_root_t:s0
    /colossus/users/\.journal <<none>>
    /colossus/users/lost\+found -d system_u:object_r:lost_found_t:s0

I tried to edit the file to remove the offending entries, but after I installed another RPM I saw that the file was regenerated with the other entries.

So, I would like to know: Where is this coming from? How is this file being generated? What's the command that generates it? Which command (semanage?) apart from rpm can I use to reproduce and test the problem? (In other words, another command that won't install or change anything on the system but check the integrity of this file.) How can I tweak or control the way this file is generated?

Thanks a lot!
Filipe
Filipe Brandenburger
2008-Jun-06 22:59 UTC
[CentOS] Re: SELinux error message on CentOS 5: "multiple same specifications"
Hi,

For the record, I found and fixed the problem.

I had some users with their home wrongly set on LDAP. One of them had the home set to /usr/local/whatever and a /bin/sh shell, and another had /colossus/users/herusername as home. The script "genhomedircon" (which apparently is run by RPM every time) was generating those bogus entries.

After fixing the LDAP entries and running "genhomedircon" the problem went away.

Thanks,
Filipe
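
Added example, not part of the original thread and not genhomedircon's own code: a small audit that reads account entries in `getent passwd` format and reports every parent directory of a home directory that is not an expected home root, which is the kind of LDAP entry the thread traces the bogus file_contexts.homedirs lines to. The allowed roots, the UID threshold, the login-shell list and the sample accounts are assumptions made for this sketch.

```python
import posixpath
from collections import defaultdict

# Assumptions (not taken from the thread): the home roots considered
# legitimate on this host, the lowest UID of a regular account, and the
# shells that mark an account as a login account.
ALLOWED_ROOTS = {"/home"}
MIN_UID = 500
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/ksh"}

def unexpected_home_roots(passwd_lines, allowed=ALLOWED_ROOTS,
                          min_uid=MIN_UID, shells=LOGIN_SHELLS):
    """Map each unexpected home root to the accounts that imply it.

    A home root is the parent directory of an account's home directory,
    i.e. the prefix seen in the generated file_contexts.homedirs entries.
    """
    roots = defaultdict(list)
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry, skip it
        name, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        if uid < min_uid or shell not in shells:
            continue  # system account or non-login shell
        if not home.startswith("/"):
            continue  # empty or relative home, nothing to derive a root from
        root = posixpath.dirname(posixpath.normpath(home))
        if root not in allowed:
            roots[root].append(name)
    return dict(roots)

# Constructed sample in `getent passwd` format; the account names are made up.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/usr/local/whatever:/bin/sh
carol:x:1003:1003::/colossus/users/carol:/bin/bash
svc:x:1004:1004::/usr/local/svc:/sbin/nologin
""".splitlines()

if __name__ == "__main__":
    for root, users in sorted(unexpected_home_roots(SAMPLE).items()):
        print(f"{root}: implied by {', '.join(users)}")
```

On a real host, pass the lines printed by `getent passwd` (which includes LDAP accounts when NSS is configured for LDAP) instead of SAMPLE, and add any NFS home root that is intentional to the allowed set.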