An IPA user reported this on our mailing list. He's getting SELinux permission failures from pam_mkhomedirs when he's trying to log into a machine for the first time as a user.
Is there an existing way to configure a system to handle this?
thanks
rob
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Rob Crittenden wrote:
An IPA user reported this on our mailing list. He's getting SELinux permission failures from pam_mkhomedirs when he's trying to log into a machine for the first time as a user.
Is there an existing way to configure a system to handle this?
thanks
rob
Subject: Re: [Freeipa-users] new freeipa user From: Natxo Asenjo natxo.asenjo@gmail.com Date: Thu, 26 Feb 2009 16:09:01 +0100 To: freeipa-users@redhat.com
To: freeipa-users@redhat.com
On Thu, Feb 26, 2009 at 4:20 AM, Rob Crittenden rcritten@redhat.com wrote:
Natxo Asenjo wrote:
I have so far only run into a problem and that is the auto creation of home dirs on the firs login. I used the authenthication configuration gui from fedora10 on the ipaclient and checked the option to auto-create homedirs but that doesn't work. There is a selinux error:
Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283 apparently the pam_mkhomedir.so is not allowed to work with selinux. Any workarounds?
It would be helpful to see the sealert output for this error. We may be able to include a generic fix in IPA, or pass this by the SELinux guys to see what they think.
ok, the output of sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
Summary:
SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
Detailed Description:
SELinux denied access requested by sshd. The current boolean settings do not allow this access. If you have not setup sshd to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.
Allowing Access:
Confined processes can be configured to to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_polyinstantiation is set incorrectly. Boolean Description: Allow login programs to use polyinstantiated directories.
Fix Command: # setsebool -P allow_polyinstantiation 1
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023 Target Context system_u:object_r:home_root_t:s0 Target Objects ./home [ dir ] Source sshd Source Path /usr/sbin/sshd Port <Unknown> Host ipaclient01.virtual.local Source RPM Packages openssh-server-5.1p1-3.fc10 Target RPM Packages filesystem-2.4.19-1.fc10 Policy RPM selinux-policy-3.5.13-45.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_boolean Host Name ipaclient01.virtual.local Platform Linux ipaclient01.virtual.local 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64 Alert Count 1 First Seen Wed Feb 25 23:28:47 2009 Last Seen Wed Feb 25 23:28:47 2009 Local ID 2f194ec1-0764-48b0-b66c-d84734105283 Line Numbers
Raw Audit Messages
node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: deni ed { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext =system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t: s0 tclass=dir
node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c 000003e syscall=83 success=no exit=-13 a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f 65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
so I run: # setsebool -P allow_polyinstantiation 1
And next time I tried login on the console through gdm:
Feb 26 15:41:53 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wo r (xdm_t) "write" to ./home (home_root_t). For complete SELinux messages. run se alert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8
running sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8 provides a similar output but one substitutes sshd for gdm als source, obviously.
There is another SElinux error in the log:
Feb 26 15:46:34 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wo r (xdm_t) "create" to ./casenjo (home_root_t). For complete SELinux messages. ru n sealert -l a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
Summary:
SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo (home_root_t).
Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./casenjo,
restorecon -v './casenjo'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:home_root_t:s0 Target Objects ./casenjo [ dir ] Source gdm-session-wor Source Path /usr/libexec/gdm-session-worker Port <Unknown> Host ipaclient01.virtual.local Source RPM Packages gdm-2.24.0-12.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-45.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name ipaclient01.virtual.local Platform Linux ipaclient01.virtual.local 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64 Alert Count 1 First Seen Thu Feb 26 15:46:32 2009 Last Seen Thu Feb 26 15:46:32 2009 Local ID a104e0b3-0dc4-4dc7-ba6a-494b7ca070de Line Numbers
Raw Audit Messages
node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: deni ed { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=syst em_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tcl ass=dir
node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c 000003e syscall=83 success=no exit=-13 a0=7f577ce13bb6 a1=1ed a2=21 a3=810101010 1010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid= 0 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/u sr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=( null)
This time I cannot run restorecon -v './casenjo' because the folder ./casenjo simply does not exist., neither gdm nor sshd could autocreate them.
I'd very much rather that selinux stayed enabled, obviously.
Hope the output of sealert is helpful to you guys.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes tell him don't use it? :^)
A better option is oddjob-mkhomedir
selinux@lists.fedoraproject.org