Hi,

I'm curious if anyone on the list is intimate enough with SELinux to have experience migrating users from an unconfined_u context to a staff_u context? The use case here is on Scientific Linux 7.4 GNOME Desktop systems.

I have done the following, which seems mostly successful:

# semanage login -a -s staff_u userx
# cd /home/userx
# chcon -u staff_u -R -v .

This has taken care of just about everything related to userx. Logging in, using the desktop, etc. all work. What is a sticky issue is that the users have large USB hard drives that they store their data on, and often connect those drives to other systems. So, a typical user has a 4TB Seagate BackupPlus drive, formatted with EXT4 and data populated prior to becoming a confined user, so all files are unconfined_u:unconfined_r:unlabeled_t. The user can plug the drive in, the drive mounts, but the user cannot access any files on the drive. Running restorecon does not change anything on the drive.

I am unsure what the proper SELinux contexts should be. I would like to try to ensure the drive is portable to other systems, where the user might not be confined to staff_u. GNOME does not seem to automount the drive with a workable '-o context' argument for the user. I am hopeful that I can set the context properly without having to add a custom policy.

Would anyone have some advice?

Thank you kindly!
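Added worked example (my own script, not from the post above or from any distribution) covering the two steps the post describes: the staff_u migration, and labeling an ext4 USB drive so a staff_u user can use it while the drive stays usable elsewhere. Assumptions, all mine: the login is "userx", the stock RHEL 7 targeted policy is installed, the drive is automounted under /run/media/userx/<label>, and user_home_t is the "portable" type chosen for the drive (staff_t can read and write user_home_t, unconfined_t can use anything, and a host without SELinux simply ignores the security.selinux xattr). The check_drive step is the diagnostic I would run first: the stock file_contexts carries a "<<none>>" entry for /run/media/*/.*, so matchpathcon reports no context for files on the drive, which is exactly why restorecon leaves them untouched. Run the script as root; DRYRUN=1 prints the privileged commands instead of executing them.

```shell
#!/bin/bash
# Added example, not from the original post.  Assumptions: Linux user "userx",
# stock RHEL 7 targeted policy, drive automounted under /run/media/userx/<label>,
# and user_home_t as the type that both staff_t and unconfined_t users can use.
set -eu

# DRYRUN=1 prints each privileged command instead of executing it.
: "${DRYRUN:=0}"
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: map the login name to the staff_u SELinux user.  semanage regenerates
# file_contexts.homedirs as part of this, which is what the restorecon relies on.
# (The original post used "chcon -u staff_u -R" on the home directory; either works.)
migrate_to_staff_u() {
    local user=$1
    run semanage login -a -s staff_u "$user"
    run restorecon -RFv "/home/$user"   # -F resets the user field too, not only the type
}

# Step 2: explain why restorecon is a no-op on the drive.  The stock file_contexts
# has a "<<none>>" entry for /run/media/*/.*, so matchpathcon prints <<none>> for
# a path on the drive and restorecon has nothing to apply there.
check_drive() {
    local path=$1
    run matchpathcon "$path"
    run ls -dZ "$path"
}

# Step 3a (persistent and portable): relabel the files on the drive.  The labels are
# ext4 xattrs, so they travel with the disk.  Must run as root from an unconfined or
# sysadm session (assumption: the confined staff_t domain may not relabel unlabeled_t).
label_drive() {
    local mnt=$1 type=${2:-user_home_t}
    run chcon -R -u system_u -t "$type" "$mnt"
}

# Step 3b (per mount, nothing written to disk): stamp every inode with one context
# at mount time.  Only usable when mounting by hand; the post notes GNOME's
# automounter does not pass such an option.
mount_drive_with_context() {
    local dev=$1 mnt=$2 type=${3:-user_home_t}
    run mount -o "context=system_u:object_r:${type}:s0" "$dev" "$mnt"
}

case "${1:-}" in
    migrate) migrate_to_staff_u "$2" ;;
    check)   check_drive "$2" ;;
    label)   label_drive "$2" "${3:-user_home_t}" ;;
    mount)   mount_drive_with_context "$2" "$3" "${4:-user_home_t}" ;;
    "")      ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 migrate USER | check PATH | label MOUNTPOINT [TYPE] | mount DEV MOUNTPOINT [TYPE]" >&2; exit 2 ;;
esac
```

Usage: `DRYRUN=1 ./staffu.sh migrate userx` to review the commands, then `./staffu.sh check /run/media/userx/BackupPlus/somefile` (expect `<<none>>` from matchpathcon) and `./staffu.sh label /run/media/userx/BackupPlus`. After the relabel, `ls -Z` on the drive should show user_home_t, and the same drive plugged into a host where the user is still unconfined_u keeps working because unconfined_t is not restricted by the file type. The chcon route is the one that survives GNOME's automount, since the labels are on the disk rather than in a mount option.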