An IPA user reported this on our mailing list. He's getting SELinux
permission failures from pam_mkhomedirs when he's trying to log into a
machine for the first time as a user.
Is there an existing way to configure a system to handle this?
thanks
rob
--- Begin Message ---
On Thu, Feb 26, 2009 at 4:20 AM, Rob Crittenden <rcritten@xxxxxxxxxx> wrote:
> Natxo Asenjo wrote:
>> I have so far only run into a problem and that is the auto creation of
>> home dirs on the firs login. I used the authenthication configuration
>> gui from fedora10 on the ipaclient and checked the option to
>> auto-create homedirs but that doesn't work. There is a selinux error:
>>
>> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd
>> (sshd_t) "write" to ./home (home_root_t). For complete SELinux
>> messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>> apparently the pam_mkhomedir.so is not allowed to work with selinux.
>> Any workarounds?
>
> It would be helpful to see the sealert output for this error. We may be able
> to include a generic fix in IPA, or pass this by the SELinux guys to see
> what they think.
ok, the output of sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
Summary:
SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
Detailed Description:
SELinux denied access requested by sshd. The current boolean settings do not
allow this access. If you have not setup sshd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.
Allowing Access:
Confined processes can be configured to to run requiring different access,
SELinux provides booleans to allow you to turn on/off access as needed. The
boolean allow_polyinstantiation is set incorrectly.
Boolean Description:
Allow login programs to use polyinstantiated directories.
Fix Command:
# setsebool -P allow_polyinstantiation 1
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:object_r:home_root_t:s0
Target Objects ./home [ dir ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host ipaclient01.virtual.local
Source RPM Packages openssh-server-5.1p1-3.fc10
Target RPM Packages filesystem-2.4.19-1.fc10
Policy RPM selinux-policy-3.5.13-45.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name ipaclient01.virtual.local
Platform Linux ipaclient01.virtual.local
2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
23:14:31 EST 2009 x86_64 x86_64
Alert Count 1
First Seen Wed Feb 25 23:28:47 2009
Last Seen Wed Feb 25 23:28:47 2009
Local ID 2f194ec1-0764-48b0-b66c-d84734105283
Line Numbers
Raw Audit Messages
node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: deni
ed { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext
=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:
s0 tclass=dir
node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c
000003e syscall=83 success=no exit=-13 a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f
65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
so I run:
# setsebool -P allow_polyinstantiation 1
And next time I tried login on the console through gdm:
Feb 26 15:41:53 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wo
r (xdm_t) "write" to ./home (home_root_t). For complete SELinux messages. run se
alert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8
running sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8 provides a
similar output but one substitutes sshd for gdm als source, obviously.
There is another SElinux error in the log:
Feb 26 15:46:34 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wo
r (xdm_t) "create" to ./casenjo (home_root_t). For complete SELinux messages. ru
n sealert -l a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
Summary:
SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo
(home_root_t).
Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./casenjo,
restorecon -v './casenjo'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:home_root_t:s0
Target Objects ./casenjo [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host ipaclient01.virtual.local
Source RPM Packages gdm-2.24.0-12.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-45.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name ipaclient01.virtual.local
Platform Linux ipaclient01.virtual.local
2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
23:14:31 EST 2009 x86_64 x86_64
Alert Count 1
First Seen Thu Feb 26 15:46:32 2009
Last Seen Thu Feb 26 15:46:32 2009
Local ID a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
Line Numbers
Raw Audit Messages
node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: deni
ed { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=syst
em_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tcl
ass=dir
node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c
000003e syscall=83 success=no exit=-13 a0=7f577ce13bb6 a1=1ed a2=21 a3=810101010
1010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid=
0 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/u
sr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(
null)
This time I cannot run restorecon -v './casenjo' because the folder
./casenjo simply does not exist., neither gdm nor sshd could
autocreate them.
I'd very much rather that selinux stayed enabled, obviously.
Hope the output of sealert is helpful to you guys.
--
Natxo Asenjo
_______________________________________________
Freeipa-users mailing list
Freeipa-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/freeipa-users
--- End Message ---
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
