Useradd --btrfs-subvolume-home selinux labeling

Ask Fedora
, ,
1

Not being one to memorize what I can easily lookup I was reading the help for the useradd command. The --btrfs-subvolume-home switch looked interesting.

useradd -m --btrfs-subvolume-home me2

btrfs subvolume list /
ID 256 gen 160 top level 5 path home
ID 257 gen 173 top level 5 path var
ID 258 gen 162 top level 5 path root
ID 259 gen 124 top level 257 path var/lib/portables
ID 260 gen 162 top level 256 path home/me2

ls -ldZ /home /home/me2
drwxr-xr-x. 1 root root system_u:object_r:home_root_t:s0 18 May 17 19:17 /home
drwx------. 1 me2  me2  system_u:object_r:unlabeled_t:s0 64 May 17 19:17 /home/me2

This results in a home directory for me2 being inaccessible by the user me2.

restorecon -R /home

ls -ldZ /home /home/ss
drwxr-xr-x. 1 root root system_u:object_r:home_root_t:s0     18 May 17 19:17 /home
drwx------. 1 me2  me2  system_u:object_r:user_home_dir_t:s0 64 May 17 19:17 /home/me2

With the labels restored access works.

Is this expected behavior?

4

That would be expected for that command since it creates an additional subvolume under /home for your users home directory.
Most users do not do that and only have the default /home subvolume with the users home directories there, as you did with ansible.

Permissions and context for that subvolume seem unusual in relation to that normally seen with a users home directory.

$ ls -lZd /home /home/*
drwxr-xr-x. 1 root root system_u:object_r:home_root_t:s0 10 Apr 25 10:52 /home
drwx------. 1 me me unconfined_u:object_r:user_home_dir_t:s0 300 Apr 25 11:52 /home/me

What happens with the content of /home/me2?
ls -lZda /home/me2/* /home/me2/.?*