Hi,

I'm curious if anyone on the list is intimate enough with SELinux to have 
experience with migrating users from an unconfined_u context to a staff_u 
context?  The use case here is on Scientific Linux 7.4 Gnome Desktop systems.

I have done the following, which seems mostly successful:

# semanage login -a -s staff_u userx
# cd /home/userx
# chcon -u staff_u -R -v .

This has taken care of just about everything related to userx.  Logging in, using 
the desktop, etc. all work.  What is a sticky issue is that the users have large USB 
hard drives that they store their data on, and often connect those drives to other 
systems.  So, a typical user has a 4TB Seagate BackupPlus drive, formatted with 
EXT4 and data populated prior to becoming a confined user, so all files are 
unconfined_u:unconfined_r:unlabeled_t.  The user can plug the drive in, the 
drive mounts, but the user cannot access any files on the drive.  Running 
restorecon does not change anything on the drive.

I am unsure what the proper SELinux contexts should be.  I would like to try to 
ensure the drive is portable to other systems, where the user might not be 
confined to staff_u.  Gnome does not seem to automount the drive with a 
workable '-o context' argument for the user.  I am hopeful that I can set the 
context properly without having to add a custom policy.

Would anyone have some advice?

Thank you kindly!

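The relabelling step of the migration described above, written out as an added example (this is not code from the original post, from the Scientific Linux project, or from any reply on the list). It reads the contexts of the drive's files as printed by `stat -c '%C %n'`, picks out the files a staff_u-mapped user cannot reach (SELinux user still unconfined_u, or type unlabeled_t) and emits the chcon commands for review instead of running them. The mount point, file names, the target type user_home_t and the `context=` mount option builder are assumptions made for the example.

```python
"""Plan the SELinux relabel of a removable drive for a user migrated to staff_u.

Added example, not from the original post. Input is the output of
`find MOUNTPOINT -print0 | xargs -0 stat -c '%C %n'`; the sample lines below
are constructed. The target type (user_home_t) and the mount point are
assumptions, not values taken from the post.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileContext:
    user: str
    role: str
    type: str
    level: Optional[str]   # MLS/MCS part, e.g. "s0" or "s0-s0:c0.c1023"
    path: str


def parse_stat_line(line: str) -> FileContext:
    """Parse one `stat -c '%C %n'` line into its context fields and path.

    The context is the first whitespace-delimited token; everything after the
    first space is the path, so paths containing spaces survive intact. The
    MLS level may itself contain ':' so it is re-joined rather than split.
    """
    ctx, path = line.strip().split(" ", 1)
    parts = ctx.split(":")
    if len(parts) < 3:
        # stat prints "?" when the kernel reports no label at all
        raise ValueError(f"not an SELinux context: {ctx!r}")
    level = ":".join(parts[3:]) if len(parts) > 3 else None
    return FileContext(parts[0], parts[1], parts[2], level, path)


def needs_relabel(fc: FileContext, target_user: str = "staff_u") -> bool:
    """True when a user mapped to target_user will not be able to use the file.

    Matches the two cases in the post: the SELinux user field is still the old
    unconfined_u, or the file carries no usable type (unlabeled_t).
    """
    return fc.user != target_user or fc.type == "unlabeled_t"


def relabel_commands(stat_lines: List[str],
                     target_user: str = "staff_u",
                     target_type: str = "user_home_t") -> List[str]:
    """Return one chcon command per file that needs relabelling.

    Files that already have a usable type keep it and only get the user field
    changed (chcon -u), as the post does for the home directory; files with no
    label get a full context. Paths are shell-quoted so the output can be
    reviewed and then piped to sh.
    """
    commands = []
    for line in stat_lines:
        fc = parse_stat_line(line)
        if not needs_relabel(fc, target_user):
            continue
        quoted = shlex.quote(fc.path)
        if fc.type == "unlabeled_t":
            commands.append(
                f"chcon -u {target_user} -r object_r -t {target_type} -- {quoted}")
        else:
            commands.append(f"chcon -u {target_user} -- {quoted}")
    return commands


def context_mount_option(user: str = "staff_u",
                         type_: str = "user_home_t",
                         level: str = "s0") -> str:
    """Build the mount-time alternative: a `context=` option that labels every
    file on the mount without writing any xattr to the disk, so the drive
    stays portable to systems where the user is not confined."""
    return f"context={user}:object_r:{type_}:{level}"


# Constructed sample output; not real data from the post.
SAMPLE_STAT_OUTPUT = [
    "unconfined_u:object_r:unlabeled_t:s0 /run/media/userx/BackupPlus/data/run1.dat",
    "unconfined_u:object_r:user_home_t:s0 /run/media/userx/BackupPlus/notes.txt",
    "staff_u:object_r:user_home_t:s0 /run/media/userx/BackupPlus/already_ok.txt",
    "system_u:object_r:unlabeled_t:s0 /run/media/userx/BackupPlus/lost+found",
    "unconfined_u:object_r:unlabeled_t:s0 /run/media/userx/BackupPlus/old data/report.pdf",
]

if __name__ == "__main__":
    for cmd in relabel_commands(SAMPLE_STAT_OUTPUT):
        print(cmd)
    print("# or, without touching the disk: mount -o", context_mount_option(), "...")
```

Usage: run `find /run/media/userx/BackupPlus -print0 | xargs -0 stat -c '%C %n' > ctx.txt`, feed the lines to `relabel_commands`, check the plan, then execute it. chcon writes labels onto the ext4 filesystem, which is what makes them stick when restorecon is not applied to the drive; the `context=` mount option leaves the disk untouched and is the option to reach for when the same drive must also work where the user is unconfined.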