Building a new home with systemd-homed on fedora

Introduction

Secure Home Project:

  • systemd-homed - Home Area/User Account Manager

The concept of systemd-homed was implemented in 2019. It was merged into systemd v245, and is still in active development today.

It aims to fix the following inconveniences with home directories:

  • a secure encapsulation of all your data, including:

    • user’s documents, media and games
    • user’s settings and configurations
    • user’s libraries and scripts
    • user’s themes, icons and fonts
    • user’s encryption keys - ssh etc.
    • user’s podman and flatpak containers
    • systemd user services
  • a full portable home directory available to all systemd-homed enabled systems.

Building on a solid foundation

Town: fedora-linux
Project organizer: system administrator

  • Project Zone manager: semodule
  • Project Permit manager: authselect
  • Project manager: systemctl
  • Project contractor: homectl

Zone manager’s ordinance

1. Clone, review and contribute:

2. Install selinux build packages:

sudo dnf install          \
    policycoreutils-devel \
    selinux-policy-devel  \
    setools-console  

3. Build SELinux custom policy

cd homed-selinux
make -f /usr/share/selinux/devel/Makefile homed.pp

4. Install SELinux custom policy

sudo semodule --install=homed.pp

5. Set file context

sudo restorecon -rv \
    /usr/lib/systemd/systemd-homed \
    /usr/lib/systemd/systemd-homework \
    /usr/lib/systemd/system/systemd-homed.service \
    /usr/lib/systemd/system/systemd-homed-activate.service \
    /var/lib/systemd/home

Permit manager’s ordinance

6. Enable the authselect profile feature: ( v1.4.1+ only )

sudo authselect enable-feature \
    with-systemd-homed

Project manager’s ordinance

7. Enable and start service:

sudo systemctl enable --now \
    systemd-homed

Project contractor’s ordinance

8. Building your new secure home

sudo homectl create secure_home \
    --password-change-now=true \
    --storage=luks --fs-type=btrfs \
    --luks-extra-mount-options=defcontext=system_u:object_r:user_home_dir_t:s0

Note:
secure_home is the name of the new home directory you want to create.

11 Likes
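An added example (not part of the original post or the homed-selinux project): a shell audit for steps 4 to 7 that confirms the policy module, file labels, authselect feature and service are in place before creating a home. The expected SELinux types are the ones in the restorecon output quoted later in this thread; the function names, the `--live` switch and the `authselect current` line format it matches are assumptions.

```shell
#!/bin/sh
# Added example: audit of steps 4-7 of the guide. Function names and the
# --live switch are made up for this sketch.

# Expected SELinux type per path, taken from the restorecon output quoted
# later in this thread.
expected_types() {
    cat <<'EOF'
/usr/lib/systemd/systemd-homed systemd_homed_exec_t
/usr/lib/systemd/systemd-homework systemd_homework_exec_t
/usr/lib/systemd/system/systemd-homed.service systemd_homed_unit_file_t
/usr/lib/systemd/system/systemd-homed-activate.service systemd_homed_unit_file_t
EOF
}

# Print the type field of a context written as user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Step 5 check. Reads "path context" lines on stdin (what
# stat -c '%n %C' prints), reports every expected path whose type is
# wrong or absent, and returns 1 if there was any.
audit_labels() {
    actual=$(cat)
    stale=0
    while read -r path want; do
        ctx=$(printf '%s\n' "$actual" | awk -v p="$path" '$1 == p { print $2 }')
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s have=%s want=%s\n' "$path" "${have:-none}" "$want"
            stale=1
        fi
    done <<EOF
$(expected_types)
EOF
    return "$stale"
}

# Step 4 check. Reads `semodule -l` output on stdin; succeeds if a module
# named $1 is listed (first field, so "name version" output works too).
module_listed() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Step 6 check. Reads `authselect current` output on stdin; the "- feature"
# line format matched here is an assumption about that output.
feature_enabled() {
    grep -qx -- "- $1"
}

# Live run on the configured host (as root, semodule -l needs it):
#   sh homed-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    rc=0
    semodule -l | module_listed homed ||
        { echo "step 4: homed policy module not installed"; rc=1; }
    # Paths in the table contain no whitespace, so word splitting is safe.
    stat -c '%n %C' $(expected_types | cut -d' ' -f1) | audit_labels ||
        { echo "step 5: labels are stale, re-run restorecon"; rc=1; }
    authselect current | feature_enabled with-systemd-homed ||
        { echo "step 6: with-systemd-homed not enabled"; rc=1; }
    systemctl is-active --quiet systemd-homed ||
        { echo "step 7: systemd-homed is not active"; rc=1; }
    exit "$rc"
fi
```

A file still labelled `init_exec_t` after step 5 means the service would start outside the domain the custom policy defines, which is why the label check compares types rather than only testing that the files exist.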

This is a guide to using systemd-homed on your fedora OS. All feedback welcome.

5 Likes

Would you mind elaborating how the encapsulation is done? What is different from a LUKS encrypted /home?

You are saying that you can carry that homed container/volume/dataset on an external drive and plug it in to any systemd-powered machine? What about all the configuration (additional packages, Selinux, …) that requires root permission?

I’m asking those questions because I see no use case for systemd-homed.

Yeah, there is that portability feature.

However for me, the compelling thing is per user encryption — if you’re not logged in, your files are locked, and not even the admin can see them. (Of course the admin could configure the system to steal your login credentials, but probably won’t.)

This also means you can have encrypted personal files without needing to enter a volume-decrypt password at boot, which is our current approach — particularly annoying when rebooting for offline updates.

3 Likes

In the case of encapsulation, the home directory is built on an encrypted block device that can only be opened with a password or recovery key. Only on a successful decryption can the home directory be accessed.

The difference is that with a normal home directory, anyone with administrative privileges can still access the data on the home directory, as opposed to an encrypted home directory, which would require the home owner’s password or recovery key to access its data.

Simply put, an administrator now needs permission from the home owner to access or modify its data.

The future of linux moves towards compartmentalization.

  • ostree - isolation of OS

  • homed - isolation of Home directory from OS

    • toolbox/distrobox - Isolation of build tools from OS
    • flatpak - Isolation of runtimes from OS
    • podman - Isolation of containers from OS

So in theory, the OS would manage itself and management of the home directory left to you.

Root permissions would still be required for OS modifications. A portable secure home directory can still have OS modification permissions if set by the OS administrator.

3 Likes

Isn’t this also true of an autofs /home mount?

It could be, but I’ve not seen it done (I mean, on a single system). I’d love to see a guide for that approach.

1 Like

Thank you very much for sharing.

Where can I read more about the basics?

What will happen at step 8?

  • Will the existing home of the currently logged-in user get converted to use systemd-homed?
  • When I create a new user in the system, how can I switch that user to systemd-homed from the beginning?

2 Likes

Once again, thank you very much!

I followed your guide in a new F37 VM.
This is the result after step 8:

$ ls -ls /home
total 544048
     0 drwx------. 1 xxx  xxx          262 Jan 14 10:42 xxx
544048 -rw-------. 1 root root 12779634688 Jan 14 10:48 secure_hopme.home

Step 1 - outputs

$git clone GitHub - richiedaze/homed-selinux: systemd-homed SELinux Policy
Cloning into ‘homed-selinux’…
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 22 (delta 10), reused 18 (delta 6), pack-reused 0
Receiving objects: 100% (22/22), 11.63 KiB | 372.00 KiB/s, done.
Resolving deltas: 100% (10/10), done.

Step 2 - outputs

$ sudo dnf install policycoreutils-devel selinux-policy-devel setools-console

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for xxx:
Fedora 37 - x86_64 8.5 MB/s | 64 MB 00:07
Fedora 37 openh264 (From Cisco) - x86_64 979 B/s | 2.5 kB 00:02
Fedora Modular 37 - x86_64 96 kB/s | 3.0 MB 00:32
Fedora 37 - x86_64 - Updates 5.7 MB/s | 20 MB 00:03
Fedora Modular 37 - x86_64 - Updates 957 kB/s | 1.1 MB 00:01
Dependencies resolved.

Package Architecture Version Repository Size

Installing:
policycoreutils-devel x86_64 3.4-6.fc37 fedora 150 k
selinux-policy-devel noarch 37.17-1.fc37 updates 887 k
setools-console x86_64 4.4.0-9.fc37 fedora 39 k
Upgrading:
selinux-policy noarch 37.17-1.fc37 updates 50 k
selinux-policy-targeted noarch 37.17-1.fc37 updates 6.6 M
Installing dependencies:
m4 x86_64 1.4.19-4.fc37 fedora 303 k

Transaction Summary

Install 4 Packages
Upgrade 2 Packages

Total download size: 8.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): setools-console-4.4.0-9.fc37.x86_64.rpm 124 kB/s | 39 kB 00:00
(2/6): policycoreutils-devel-3.4-6.fc37.x86_64.rpm 356 kB/s | 150 kB 00:00
(3/6): m4-1.4.19-4.fc37.x86_64.rpm 549 kB/s | 303 kB 00:00
(4/6): selinux-policy-37.17-1.fc37.noarch.rpm 188 kB/s | 50 kB 00:00
(5/6): selinux-policy-devel-37.17-1.fc37.noarch.rpm 1.5 MB/s | 887 kB 00:00
(6/6): selinux-policy-targeted-37.17-1.fc37.noarch.rpm 768 kB/s | 6.6 MB 00:08

Total 798 kB/s | 8.0 MB 00:10
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Running scriptlet: selinux-policy-targeted-37.17-1.fc37.noarch 1/1
Preparing : 1/1
Upgrading : selinux-policy-37.17-1.fc37.noarch 1/8
Running scriptlet: selinux-policy-37.17-1.fc37.noarch 1/8
Running scriptlet: selinux-policy-targeted-37.17-1.fc37.noarch 2/8
Upgrading : selinux-policy-targeted-37.17-1.fc37.noarch 2/8
Running scriptlet: selinux-policy-targeted-37.17-1.fc37.noarch 2/8
Installing : m4-1.4.19-4.fc37.x86_64 3/8
Installing : policycoreutils-devel-3.4-6.fc37.x86_64 4/8
Installing : selinux-policy-devel-37.17-1.fc37.noarch 5/8
Running scriptlet: selinux-policy-devel-37.17-1.fc37.noarch 5/8
Installing : setools-console-4.4.0-9.fc37.x86_64 6/8
Running scriptlet: selinux-policy-37.16-1.fc37.noarch 7/8
Cleanup : selinux-policy-37.16-1.fc37.noarch 7/8
Running scriptlet: selinux-policy-37.16-1.fc37.noarch 7/8
Cleanup : selinux-policy-targeted-37.16-1.fc37.noarch 8/8
Running scriptlet: selinux-policy-targeted-37.16-1.fc37.noarch 8/8
Running scriptlet: selinux-policy-targeted-37.17-1.fc37.noarch 8/8
Running scriptlet: selinux-policy-targeted-37.16-1.fc37.noarch 8/8
Verifying : m4-1.4.19-4.fc37.x86_64 1/8
Verifying : policycoreutils-devel-3.4-6.fc37.x86_64 2/8
Verifying : setools-console-4.4.0-9.fc37.x86_64 3/8
Verifying : selinux-policy-devel-37.17-1.fc37.noarch 4/8
Verifying : selinux-policy-37.17-1.fc37.noarch 5/8
Verifying : selinux-policy-37.16-1.fc37.noarch 6/8
Verifying : selinux-policy-targeted-37.17-1.fc37.noarch 7/8
Verifying : selinux-policy-targeted-37.16-1.fc37.noarch 8/8

Upgraded:
selinux-policy-37.17-1.fc37.noarch selinux-policy-targeted-37.17-1.fc37.noarch
Installed:
m4-1.4.19-4.fc37.x86_64 policycoreutils-devel-3.4-6.fc37.x86_64 selinux-policy-devel-37.17-1.fc37.noarch setools-console-4.4.0-9.fc37.x86_64

Complete!

Step 3 - outputs (a lot of warnings)

$ cd homed-selinux/
[fcc@localhost-live homed-selinux]$ make -f /usr/share/selinux/devel/Makefile homed.pp
/usr/share/selinux/devel/include/services/container.if:13: Warning: duplicate definition of container_runtime_domtrans(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:13.
/usr/share/selinux/devel/include/services/container.if:40: Warning: duplicate definition of container_runtime_run(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:40.
/usr/share/selinux/devel/include/services/container.if:62: Warning: duplicate definition of container_runtime_exec(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:62.
/usr/share/selinux/devel/include/services/container.if:81: Warning: duplicate definition of container_read_state(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:81.
/usr/share/selinux/devel/include/services/container.if:99: Warning: duplicate definition of container_search_lib(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:99.
/usr/share/selinux/devel/include/services/container.if:118: Warning: duplicate definition of container_exec_lib(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:118.
/usr/share/selinux/devel/include/services/container.if:137: Warning: duplicate definition of container_read_lib_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:137.
/usr/share/selinux/devel/include/services/container.if:156: Warning: duplicate definition of container_read_share_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:156.
/usr/share/selinux/devel/include/services/container.if:177: Warning: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:177.
/usr/share/selinux/devel/include/services/container.if:198: Warning: duplicate definition of container_manage_share_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:198.
/usr/share/selinux/devel/include/services/container.if:219: Warning: duplicate definition of container_manage_share_dirs(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:219.
/usr/share/selinux/devel/include/services/container.if:239: Warning: duplicate definition of container_exec_share_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:239.
/usr/share/selinux/devel/include/services/container.if:257: Warning: duplicate definition of container_manage_config_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:257.
/usr/share/selinux/devel/include/services/container.if:279: Warning: duplicate definition of container_manage_lib_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:279.
/usr/share/selinux/devel/include/services/container.if:299: Warning: duplicate definition of container_manage_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:299.
/usr/share/selinux/devel/include/services/container.if:318: Warning: duplicate definition of container_manage_dirs(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:318.
/usr/share/selinux/devel/include/services/container.if:336: Warning: duplicate definition of container_manage_lib_dirs(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:336.
/usr/share/selinux/devel/include/services/container.if:372: Warning: duplicate definition of container_lib_filetrans(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:372.
/usr/share/selinux/devel/include/services/container.if:390: Warning: duplicate definition of container_read_pid_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:390.
/usr/share/selinux/devel/include/services/container.if:409: Warning: duplicate definition of container_systemctl(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:409.
/usr/share/selinux/devel/include/services/container.if:434: Warning: duplicate definition of container_rw_sem(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:434.
/usr/share/selinux/devel/include/services/container.if:453: Warning: duplicate definition of container_append_file(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:453.
/usr/share/selinux/devel/include/services/container.if:471: Warning: duplicate definition of container_use_ptys(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:471.
/usr/share/selinux/devel/include/services/container.if:489: Warning: duplicate definition of container_filetrans_named_content(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:489.
/usr/share/selinux/devel/include/services/container.if:588: Warning: duplicate definition of container_stream_connect(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:588.
/usr/share/selinux/devel/include/services/container.if:609: Warning: duplicate definition of container_spc_stream_connect(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:609.
/usr/share/selinux/devel/include/services/container.if:629: Warning: duplicate definition of container_admin(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:629.
/usr/share/selinux/devel/include/services/container.if:679: Warning: duplicate definition of container_auth_domtrans(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:679.
/usr/share/selinux/devel/include/services/container.if:698: Warning: duplicate definition of container_auth_exec(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:698.
/usr/share/selinux/devel/include/services/container.if:717: Warning: duplicate definition of container_auth_stream_connect(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:717.
/usr/share/selinux/devel/include/services/container.if:736: Warning: duplicate definition of container_runtime_typebounds(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:736.
/usr/share/selinux/devel/include/services/container.if:755: Warning: duplicate definition of container_runtime_entrypoint(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:755.
/usr/share/selinux/devel/include/services/container.if:762: Warning: duplicate definition of docker_exec_lib(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:762.
/usr/share/selinux/devel/include/services/container.if:766: Warning: duplicate definition of docker_read_share_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:766.
/usr/share/selinux/devel/include/services/container.if:770: Warning: duplicate definition of docker_exec_share_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:770.
/usr/share/selinux/devel/include/services/container.if:774: Warning: duplicate definition of docker_manage_lib_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:774.
/usr/share/selinux/devel/include/services/container.if:779: Warning: duplicate definition of docker_manage_lib_dirs(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:779.
/usr/share/selinux/devel/include/services/container.if:783: Warning: duplicate definition of docker_lib_filetrans(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:783.
/usr/share/selinux/devel/include/services/container.if:787: Warning: duplicate definition of docker_read_pid_files(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:787.
/usr/share/selinux/devel/include/services/container.if:791: Warning: duplicate definition of docker_systemctl(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:791.
/usr/share/selinux/devel/include/services/container.if:795: Warning: duplicate definition of docker_use_ptys(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:795.
/usr/share/selinux/devel/include/services/container.if:799: Warning: duplicate definition of docker_stream_connect(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:799.
/usr/share/selinux/devel/include/services/container.if:803: Warning: duplicate definition of docker_spc_stream_connect(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:803.
/usr/share/selinux/devel/include/services/container.if:817: Warning: duplicate definition of container_spc_read_state(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:817.
/usr/share/selinux/devel/include/services/container.if:836: Warning: duplicate definition of container_runtime_domain_template(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:836.
/usr/share/selinux/devel/include/services/container.if:874: Warning: duplicate definition of container_domain_template(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:879.
/usr/share/selinux/devel/include/services/container.if:902: Warning: duplicate definition of container_spc_rw_pipes(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:924.
/usr/share/selinux/devel/include/services/container.if:920: Warning: duplicate definition of container_kubelet_domtrans(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:942.
/usr/share/selinux/devel/include/services/container.if:945: Warning: duplicate definition of container_kubelet_run(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:967.
/usr/share/selinux/devel/include/services/container.if:965: Warning: duplicate definition of container_kubelet_stream_connect(). Original definition on /usr/share/selinux/devel/include/contrib/container.if:987.
Compiling targeted homed module
Creating targeted homed.pp policy package
rm tmp/homed.mod tmp/homed.mod.fc

Step 4 - no output

Step 5 - outputs

$ sudo restorecon -rv /usr/lib/systemd/systemd-homed /usr/lib/systemd/systemd-homework /usr/lib/systemd/system/systemd-homed.service /usr/lib/systemd/system/systemd-homed-activate.service
Relabeled /usr/lib/systemd/systemd-homed from system_u:object_r:init_exec_t:s0 to system_u:object_r:systemd_homed_exec_t:s0
Relabeled /usr/lib/systemd/systemd-homework from system_u:object_r:init_exec_t:s0 to system_u:object_r:systemd_homework_exec_t:s0
Relabeled /usr/lib/systemd/system/systemd-homed.service from system_u:object_r:systemd_unit_file_t:s0 to system_u:object_r:systemd_homed_unit_file_t:s0
Relabeled /usr/lib/systemd/system/systemd-homed-activate.service from system_u:object_r:systemd_unit_file_t:s0 to system_u:object_r:systemd_homed_unit_file_t:s0

Step 6 - outputs

$ sudo authselect enable-feature with-systemd-homed
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

  • with-systemd-homed is selected, make sure that the system-homed service is enabled
    • systemctl enable --now systemd-homed.service

Step 7 - outputs

$sudo systemctl enable --now systemd-homed
Created symlink /etc/systemd/system/dbus-org.freedesktop.home1.service → /usr/lib/systemd/system/systemd-homed.service.
Created symlink /etc/systemd/system/multi-user.target.wants/systemd-homed.service → /usr/lib/systemd/system/systemd-homed.service.
Created symlink /etc/systemd/system/systemd-homed.service.wants/systemd-homed-activate.service → /usr/lib/systemd/system/systemd-homed-activate.service.

Step 8 - outputs

$ sudo homectl create secure_hopme --password-change-now=true --storage=luks --fs-type=btrfs --luks-extra-mount-options=defcontext=system_u:object_r:user_home_dir_t:s0
Password suggestions: *** masked ***
🔐 Please enter new password for user secure_hopme: **********
🔐 Please enter new password for user secure_hopme (repeat): **********

I made a typo in ‘secure_hopme’, it turns out to be the name of the created file

$ ls -ls /home
total 544048
     0 drwx------. 1 xxx  xxx          262 Jan 14 10:42 xxx
544048 -rw-------. 1 root root 12779634688 Jan 14 10:48 secure_hopme.home

Question: What next? What will happen if I reboot my F37 VM now? How to make use of the created ‘secure_hopme.home’ file?

=== Update 1 below ===

(I tried the below after quickly looking at systemd-homed - ArchWiki.)
After reboot, there are no new users listed in the GDM screen. So I choose “Not Listed?”, enter “secure_hopme” and use the same password as in Step 8.

After logon, it forces me to change the password. After typing the new password twice, it goes back to the logon password prompt.

Here, the new password is not accepted. After using the old password, I got the Desktop display for user secure_hopme.
(I immediately got a “not sufficient disk space” warning - it turns out the new user’s home is allocated 12GB - as the default VM only has 20GB, less than 2.2GB is free after that.)

After I log out, GDM has secure_hopme listed, and this time, the old password is not accepted while the new password is needed to log back on.

ls -ls
total 12146252
       0 drwx------. 1 xxx  xxx          288 Jan 14 11:05 xxx
       0 drwx------. 1 root root           0 Jan 14 11:10 secure_hopme
12146252 -rw-------. 1 root root 12437762048 Jan 14 11:17 secure_hopme.home

On disk size of secure_hopme.home increased after initial logon.

That’s fair. AFAIK, autofs requires a networked CIFS or NFS share. Otherwise, I believe it basically has this feature as the files don’t exist until the user logs into their home, and in the case of CIFS, there’s an extra auth layer for that to happen. I’m curious if systemd-homed is co-compatible with autofs (when it was first announced, it wasn’t)?

systemd-homed auto-resizes your home directory on login or logout by default. Run man homectl to acquire the knowledge to customize your home build with the proper flags.

Although, without something else at work on the server side, the files aren’t encrypted “at rest” on the network fileserver.

I don’t expect it would be made directly compatible with autofs, since they approach a similar goal from different directions. I believe systemd-homed can work with (and, therefore, automount) CIFS shares. (But with the same caveat as above about encryption.)

1 Like

Can the home directory be mounted on multiple hosts this way at the same time? To greatly oversimplify things, it seems that systemd-homed might make more sense for laptops and workstations where autofs seems to make more sense to sssd integrated multi-user systems? If so, that helps me with understanding the use case for this since it lowers the bar for non-enterprise/home-lab situations.

(As an aside, speaking of encrypting files, the Fedora Magazine article on backup restore via restic was very helpful for me today when I set up my Fedora server backups with a new S3 provider.)

1 Like

I assume so, when using CIFS. I don’t think any of the other mechanisms provide for it. It’d be interesting to see about doing LUKS over network block storage, though!

NFS can. At my last job, we set up DRBD to host all the server home directories over NFS with autofs. Login happened via sssd and then their user-specific home directory was mounted on login. The files didn’t exist on the server until the user logged in and could be mounted on multiple systems at once (NFS is also one of the few ways to do RWX volumes in Kubernetes).

With a regular nfs, if someone has access to the nfs server, they can access all the home directories, but doing it through DRBD adds another layer to that since DRBD is also managing the block devices underneath. (It appears Cisco has a doc on doing DRBD with LUKS in OpenStack.)

Oh, yes, definitely — I’ve worked in environments with large-scale centralized NFS home directories. I meant the other systemd-homed mechanics.

1 Like

Ah, yeah - I think my trouble with initially understanding the point of this is that I’m coming from that world for these concepts and was trying to see how systemd-homed fit into that world instead of starting from a place of a regular user wanting portability/privacy with their own data. I think the scope and practical use cases of it are starting to make more sense to me now. Many thanks!

1 Like

I think these warnings are due to current container-selinux and selinux-policy-devel packages being out of sync, and shouldn’t affect this. Possibly worth tracking down and filing a bug in one of those packages, though.

1 Like

@richiedaze Thanks for this very nice guide. I think it might be helpful to have a “what this step does” explanation for each step (maybe using the drop-down markup that Sampson uses in his message, so it doesn’t become too cluttered for people who just want the recipe).

And, in Step 8 — it isn’t obvious to me that secure_home is the username to be created. That probably should be spelled out.

1 Like

Assuming a predictable mount location for these home mounts, could this be handled with semanage fcontext -a -t user_home_dir_t /path/to/homed/mounts/[^/]+ ? If so, it would make step 8 cleaner.

Similarly, this could be defined in /etc/systemd/homed.conf so the individual mount command is cleaner. It looks like the default shipped in Fedora is already btrfs (commented out in the conf), so this arg might be redundant.

1 Like