pam_mkhomedirs
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 2 17:11:58 UTC 2009
Rob Crittenden wrote:
> An IPA user reported this on our mailing list. He's getting SELinux
> permission failures from pam_mkhomedirs when he's trying to log into a
> machine for the first time as a user.
>
> Is there an existing way to configure a system to handle this?
>
> thanks
>
> rob
>
>
> ------------------------------------------------------------------------
>
> Subject: Re: [Freeipa-users] new freeipa user
> From: Natxo Asenjo <natxo.asenjo at gmail.com>
> Date: Thu, 26 Feb 2009 16:09:01 +0100
> To: freeipa-users at redhat.com
>
>
> On Thu, Feb 26, 2009 at 4:20 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Natxo Asenjo wrote:
>
>>> I have so far only run into a problem and that is the auto creation of
>>> home dirs on the first login. I used the authentication configuration
>>> gui from fedora10 on the ipaclient and checked the option to
>>> auto-create homedirs but that doesn't work. There is a selinux error:
>>>
>>> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd
>>> (sshd_t) "write" to ./home (home_root_t). For complete SELinux
>>> messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>>> apparently the pam_mkhomedir.so is not allowed to work with selinux.
>>> Any workarounds?
>> It would be helpful to see the sealert output for this error. We may be able
>> to include a generic fix in IPA, or pass this by the SELinux guys to see
>> what they think.
>
> ok, the output of sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. The current boolean settings do not
> allow this access. If you have not setup sshd to require this access this may
> signal an intrusion attempt. If you do intend this access you need to change the
> booleans on this system to allow the access.
>
> Allowing Access:
>
> Confined processes can be configured to run requiring different access,
> SELinux provides booleans to allow you to turn on/off access as needed. The
> boolean allow_polyinstantiation is set incorrectly.
> Boolean Description:
> Allow login programs to use polyinstantiated directories.
>
>
> Fix Command:
> # setsebool -P allow_polyinstantiation 1
>
> Additional Information:
>
> Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context system_u:object_r:home_root_t:s0
> Target Objects ./home [ dir ]
> Source sshd
> Source Path /usr/sbin/sshd
> Port <Unknown>
> Host ipaclient01.virtual.local
> Source RPM Packages openssh-server-5.1p1-3.fc10
> Target RPM Packages filesystem-2.4.19-1.fc10
> Policy RPM selinux-policy-3.5.13-45.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_boolean
> Host Name ipaclient01.virtual.local
> Platform Linux ipaclient01.virtual.local
> 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
> 23:14:31 EST 2009 x86_64 x86_64
> Alert Count 1
> First Seen Wed Feb 25 23:28:47 2009
> Last Seen Wed Feb 25 23:28:47 2009
> Local ID 2f194ec1-0764-48b0-b66c-d84734105283
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c000003e syscall=83 success=no exit=-13 a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
>
> so I run:
> # setsebool -P allow_polyinstantiation 1
>
> And next time I tried login on the console through gdm:
>
> Feb 26 15:41:53 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8
>
> running sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8 provides a
> similar output but one substitutes sshd for gdm as source, obviously.
>
> There is another SElinux error in the log:
>
> Feb 26 15:46:34 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo (home_root_t). For complete SELinux messages. run sealert -l a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
>
> Summary:
>
> SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo
> (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by gdm-session-wor. It is not expected that this
> access is required by gdm-session-wor and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./casenjo,
>
> restorecon -v './casenjo'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_u:object_r:home_root_t:s0
> Target Objects ./casenjo [ dir ]
> Source gdm-session-wor
> Source Path /usr/libexec/gdm-session-worker
> Port <Unknown>
> Host ipaclient01.virtual.local
> Source RPM Packages gdm-2.24.0-12.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-45.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name ipaclient01.virtual.local
> Platform Linux ipaclient01.virtual.local
> 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
> 23:14:31 EST 2009 x86_64 x86_64
> Alert Count 1
> First Seen Thu Feb 26 15:46:32 2009
> Last Seen Thu Feb 26 15:46:32 2009
> Local ID a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c000003e syscall=83 success=no exit=-13 a0=7f577ce13bb6 a1=1ed a2=21 a3=8101010101010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid=0 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
> This time I cannot run restorecon -v './casenjo' because the folder
> ./casenjo simply does not exist; neither gdm nor sshd could
> autocreate it.
>
> I'd very much rather that selinux stayed enabled, obviously.
>
> Hope the output of sealert is helpful to you guys.
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, tell him don't use it? :^)
A better option is oddjob-mkhomedir.
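Added example, not from this thread nor from Fedora, IPA or the SELinux policy: a small Python triage script that parses raw AVC records like the two Natxo pasted and flags the exact pattern at issue here, a login domain (sshd_t, xdm_t) denied write/create on a home_root_t directory, i.e. pam_mkhomedir trying to create the home directory from inside the login process itself. sealert's catchall_boolean plugin guessed allow_polyinstantiation for the first denial, which Natxo set to no effect; matching on the source type, target type and permission is more reliable than following the guessed boolean. The sample lines are constructed copies of the page's records (mail wrapping undone) plus one unrelated httpd denial that must not be flagged; the set of login domains is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the two AVC records quoted in the thread, with the
# mail wrapping undone, plus one unrelated denial that must not be flagged.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 '
    'comm="sshd" name="home" dev=dm-0 ino=211745 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 '
    'comm="gdm-session-wor" name="casenjo" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1235659600.000:37): avc: denied { read } for pid=4400 '
    'comm="httpd" name="index.html" dev=dm-0 ino=300001 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: '
    r'(?P<result>denied|granted) \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: domains in which the PAM session stack (and so pam_mkhomedir)
# runs directly inside the login program.
LOGIN_DOMAINS = {"sshd_t", "xdm_t", "local_login_t"}


def parse_avc(line):
    """Parse one raw AVC record into a dict; return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    # Contexts are user:role:type[:mls]; the type is what the targeted
    # policy's allow rules are written against, so keep it separately.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    return rec


def is_mkhomedir_denial(rec):
    """True for a login domain denied write/create on the home root dir."""
    if rec is None or rec["result"] != "denied":
        return False
    return (
        rec.get("tclass") == "dir"
        and rec["ttype"] == "home_root_t"
        and rec["stype"] in LOGIN_DOMAINS
        and bool({"write", "create", "add_name"} & set(rec["perms"]))
    )


def triage(lines):
    """Return (comm, source type, first permission) for each matching record."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if is_mkhomedir_denial(rec):
            hits.append((rec["comm"], rec["stype"], rec["perms"][0]))
    return hits


if __name__ == "__main__":
    for comm, stype, perm in triage(SAMPLE_AVCS):
        print(f"{comm} ({stype}) denied {perm} on home_root_t: "
              "pam_mkhomedir inside the login domain; use oddjob-mkhomedir")
```

Every hit is a case for Dan's answer rather than for a boolean or a local policy module: with oddjob-mkhomedir the directory is created by oddjobd's mkhomedir helper in its own SELinux domain, not by sshd_t or xdm_t. The parser also keeps dev=/ino= when present; note they are absent from the gdm "create" record because the target directory did not exist yet, which is exactly why the restorecon suggestion had nothing to relabel.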