Eric Smith wrote:
>> I agree. I've put the home directory under /home/.nx because otherwise SELinux
>> was not creating the proper context for it and the files under it. I didn't find
>> a way to fix it. If you do, please send a patch.
>
> I have had so many problems with SELinux that I ended up disabling
> it. I guess an SELinux expert will have to help with this.
>
> Was it putting it under /home, or naming it with a leading dot, that
> made SELinux do the right thing? Or were both required?
>
Putting it under /home made it use the proper SELinux context automatically. The
dot was not required. It's mainly to avoid visual clutter.
>>> There should also be a postun script to delete the user and group, and
>>> possibly the home directory.
>> Nope, that's wrong. You can't be certain if there are other files or programs
>> that use the same user/group or home directory. There could be some files in the
>> home directory (probably written there by mistake) which should not be deleted
>> before being examined. There's no perfect solution to this, but leaving a dangling user
>> account (a system account) is better than deleting it without making sure it's
>> not in use.
>
> I disagree. If you're dynamically creating the user and group for the
> neatx server in the postinstall script, nothing else should be dumping
> files in there. If you look at other Fedora and RHEL packages that
> create a package-specific user and group, they delete them on
> uninstall.
I don't think so. See httpd and openssh-server for example.
> I think this may even be part of the Fedora packaging
> guidelines, but I haven't checked.
>
From [1]
<quote>
We never remove users or groups created by packages. There's no sane way to
check if files owned by those users/groups are left behind (and even if there
would, what would we do to them?), and leaving those behind with ownerships
pointing to now nonexistent users/groups may result in security issues when a
semantically unrelated user/group is created later and reuses the UID/GID. Also,
in some setups deleting the user/group might not be possible or/nor desirable
(eg. when using a shared remote user/group database). Cleanup of unused
users/groups is left to the system administrators to take care of if they so
desire.
</quote>
[1] https://fedoraproject.org/wiki/Packaging:UsersAndGroups
--
Alexander.
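The UID/GID reuse risk the quoted guideline describes is something an administrator can audit for. The scanner below is an added example (not part of this thread, and not Fedora or NeatX tooling): it lists entries under a directory whose owner UID or group GID no longer resolves, so they can be examined before a later, unrelated account reuses the ID. The resolver callbacks are a hypothetical design choice so the scan can also be run against a saved copy of the user database.

```python
import grp
import os
import pwd
import sys
from typing import Callable, NamedTuple


class OrphanedFile(NamedTuple):
    path: str
    uid: int
    gid: int
    uid_missing: bool  # owner UID has no passwd/NSS entry
    gid_missing: bool  # group GID has no group/NSS entry


def resolves(lookup: Callable[[int], object], key: int) -> bool:
    """True if pwd/grp (or any lookup raising KeyError) knows this id."""
    try:
        lookup(key)
        return True
    except KeyError:
        return False


def find_orphaned(root: str,
                  uid_known: Callable[[int], bool] = lambda u: resolves(pwd.getpwuid, u),
                  gid_known: Callable[[int], bool] = lambda g: resolves(grp.getgrgid, g)) -> list:
    """Walk root without following symlinks and list entries whose owner UID or
    group GID no longer resolves; the resolvers are injectable (assumed design)."""
    orphans = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink reports its own owner
            except OSError:
                continue  # vanished or unreadable: skip, do not abort the audit
            um, gm = not uid_known(st.st_uid), not gid_known(st.st_gid)
            if um or gm:
                orphans.append(OrphanedFile(path, st.st_uid, st.st_gid, um, gm))
    return orphans


if __name__ == "__main__":  # e.g. run after a package's account was removed
    for o in find_orphaned(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(o.path, f"uid={o.uid}" + (" (unknown)" if o.uid_missing else ""),
              f"gid={o.gid}" + (" (unknown)" if o.gid_missing else ""))
```

Files it reports should be inspected and reassigned or removed by the administrator, which is the cleanup the guideline leaves to them.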