selinux question(s) (/home really = /n/home..)

Matt Nicholson sjoeboo at sjoeboo.com
Tue Nov 4 17:59:29 UTC 2008


Right, that did it (after I started the oddjobd service, that is).

Now, the original reason I turned SELinux back on was to use
xguest.... Sadly, this still isn't working...

On Tue, Nov 4, 2008 at 11:21 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> Matt Nicholson wrote:
> > So, I have an environment, where we pull user data/auth from ldap/kerberos
> > for a bunch of fedora workstations. I would love to have selinux turned on
> > on these, but, right now it just doesn't work with our setup.
> >
> > See, our users' home directories are in a few different places. For the most
> > part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home
> > bind mounted to those locations, and, with selinux off, it's all nice and
> > happy. Another weird thing is that /home is local on these workstations, so
> > when a user sits at a workstation for the first time, an empty homedir must
> > be created. We hope to move to nfs /home soon, but not yet.
> >
> Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir?
>
> yum install oddjob\*
>
> Should fix the problem.
>
> > Once I turn it on, however, users cannot log in, and the home directories
> > cannot be created. I get selinux messages like:
> >
> > Summary:
> >
> > SELinux is preventing sshd (sshd_t) "create" to ./nichols2 (home_root_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by sshd. It is not expected that this access is
> > required by sshd and this access may signal an intrusion attempt. It is also
> > possible that the specific version or configuration of the application is
> > causing it to require additional access.
> >
> > Allowing Access:
> >
> > Sometimes labeling problems can cause SELinux denials. You could try to restore
> > the default system file context for ./nichols2,
> >
> > restorecon -v './nichols2'
> >
> > If this does not work, there is currently no automatic way to allow this access.
> > Instead, you can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> > SELinux protection altogether. Disabling SELinux protection is not recommended.
> > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:home_root_t:s0
> > Target Objects                ./nichols2 [ dir ]
> > Source                        sshd
> > Source Path                   /usr/sbin/sshd
> > Port                          <Unknown>
> > Host                          dhcp-0016533596-c5-74
> > Source RPM Packages           openssh-server-5.1p1-2.fc9
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.3.1-103.fc9
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall_file
> > Host Name                     dhcp-0016533596-c5-74
> > Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
> >                               #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
> > Alert Count                   1
> > First Seen                    Tue Nov  4 10:49:41 2008
> > Last Seen                     Tue Nov  4 10:49:41 2008
> > Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
> > denied  { create } for  pid=4956 comm="sshd" name="nichols2"
> > scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> >
> > host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
> > arch=40000003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
> > a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
> > exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> >
> > That's for an ssh login attempt. I get the same for one via GDM. I've tried
> > adding "context=system_r:object_r:home_root_t" when I bind mount the /home
> > on /n/home etc, and no luck so far. Do I need to relabel /n? What/how
> > should I? Any help would be awesome.
> >
> > Thanks,
> >
> > Matt
> >
> >
>
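As an added example (not part of the thread), the script below picks apart the raw AVC record Matt posted and recognises the pattern Dan's pam_oddjob_mkhomedir suggestion addresses: a login daemon's own domain (sshd_t, or xdm_t for GDM) trying to create a directory directly under home_root_t. The sample line is a constructed copy of the one in the thread, and the classification label is an arbitrary name chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Triage an SELinux AVC record and flag
# the "pam_mkhomedir running inside the login daemon's domain" case.

# Constructed copy of the denial quoted in the thread, joined onto one line.
SAMPLE_AVC='host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc: denied  { create } for  pid=4956 comm="sshd" name="nichols2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# Print one field of an AVC record: the denied permission, the source or
# target type (third colon-separated element of the context), or the class.
avc_field() {
    case "$1" in
        perm)  printf '%s\n' "$2" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p' ;;
        stype) printf '%s\n' "$2" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' ;;
        ttype) printf '%s\n' "$2" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' ;;
        class) printf '%s\n' "$2" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p' ;;
    esac
}

# Classify a denial. sshd_t, xdm_t (GDM) or local_login_t creating a dir under
# home_root_t means the home directory is being made from inside the login
# daemon's domain (pam_mkhomedir); the thread's fix is to hand that job to
# oddjobd via pam_oddjob_mkhomedir rather than to relabel or write policy.
classify_avc() {
    perm=$(avc_field perm "$1");   stype=$(avc_field stype "$1")
    ttype=$(avc_field ttype "$1"); class=$(avc_field class "$1")
    case "$stype:$ttype:$class:$perm" in
        sshd_t:home_root_t:dir:create|xdm_t:home_root_t:dir:create|local_login_t:home_root_t:dir:create)
            echo "mkhomedir-in-login-domain" ;;
        *)  echo "other" ;;
    esac
}

# Show the extracted fields and the resulting classification for the sample.
main() {
    printf 'stype=%s ttype=%s class=%s perm=%s -> %s\n' \
        "$(avc_field stype "$SAMPLE_AVC")" "$(avc_field ttype "$SAMPLE_AVC")" \
        "$(avc_field class "$SAMPLE_AVC")" "$(avc_field perm "$SAMPLE_AVC")" \
        "$(classify_avc "$SAMPLE_AVC")"
}

main "$@"
```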