-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Nicholson wrote:
> So, I have an environment where we pull user data/auth from ldap/kerberos
> for a bunch of fedora workstations. I would love to have selinux turned on
> on these, but right now it just doesn't work with our setup.
>
> See, our users' home directories are in a few different places. For the most
> part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home
> bind mounted to those locations, and, with selinux off, it's all nice and
> happy. Another weird thing is that /home is local on these workstations, so
> when a user sits at a workstation for the first time, an empty homedir must
> be created. We hope to move to nfs /home soon, but not yet.
>

Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir

yum install oddjob\*

Should fix the problem.

> Once I turn it on, however, users cannot log in, and the home directories
> cannot be created. I get selinux messages like:
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "create" to ./nichols2 (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. It is not expected that this access is
> required by sshd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./nichols2,
>
> restorecon -v './nichols2'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:home_root_t:s0
> Target Objects                ./nichols2 [ dir ]
> Source                        sshd
> Source Path                   /usr/sbin/sshd
> Port                          <Unknown>
> Host                          dhcp-0016533596-c5-74
> Source RPM Packages           openssh-server-5.1p1-2.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-103.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     dhcp-0016533596-c5-74
> Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
>                               #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
> Alert Count                   1
> First Seen                    Tue Nov  4 10:49:41 2008
> Last Seen                     Tue Nov  4 10:49:41 2008
> Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
> Line Numbers
>
> Raw Audit Messages
>
> host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc: denied { create } for pid=4956 comm="sshd" name="nichols2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89): arch=40000003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4 a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> That's for an ssh login attempt. I get the same for one via GDM. I've tried
> adding "context=system_r:object_r:home_root_t" when I bind mount the /home
> on /n/home etc, and no luck so far. Do I need to relabel /n? What/how
> should I? Any help would be awesome.
>
> Thanks,
>
> Matt
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkQdnUACgkQrlYvE4MpobPlnQCeI054kP0QjzCP1u4X5mr1yD9v
/jgAoJLJ3lfNDoBwnlk4CcyLyw0s3qdh
=Ly01
-----END PGP SIGNATURE-----

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
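The reason the reply points at pam_oddjob_mkhomedir rather than at relabeling is visible in the raw AVC record: the source domain is sshd_t (and xdm_t for the GDM case) and the denied operation is `create` on a `dir` whose parent is home_root_t. pam_mkhomedir does the mkdir inside the login daemon's own domain, which the targeted policy deliberately does not allow to create home directories; pam_oddjob_mkhomedir asks oddjobd over D-Bus to do it, and oddjobd's helper runs in a domain of its own that is allowed to create and label home directories. No amount of relabeling /n fixes a denial whose target label is already the right one. The added script below (not code from the thread or from Fedora) pulls those four facts out of AVC records and maps the pattern from this thread to a first thing to try; the two records are constructed for the example, modelled on the one Matt quoted, and the xdm_t/gdm-binary pair is my assumption for what the GDM login would have produced on that policy. One practitioner caveat on the `context=` mount option Matt tried: it takes a full context, user:role:type:level, so the value would need a user component and, on an MLS-enabled policy, a level (for example `system_u:object_r:home_root_t:s0`); a malformed value is simply refused by mount.

```shell
#!/bin/sh
# Added example, not code from the thread: reduce raw AVC records to the four
# facts that decide the fix, then map the pattern seen in the thread to a hint.
# The two records below are constructed for this example, modelled on the
# sshd denial Matt quoted and the GDM case he mentions; they are not real logs.

SAMPLE_SSHD='type=AVC msg=audit(1225813781.838:89): avc:  denied  { create } for  pid=4956 comm="sshd" name="nichols2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'
SAMPLE_GDM='type=AVC msg=audit(1225813900.101:95): avc:  denied  { create } for  pid=5120 comm="gdm-binary" name="nichols2" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# avc_field RECORD KEY: value of the KEY=value pair in RECORD, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perm RECORD: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type field of a user:role:type[:level] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "source_type perm tclass target_type"
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_hint SUMMARY: a first thing to try, for the patterns this thread covers.
avc_hint() {
    case "$1" in
        "sshd_t create dir home_root_t"|"xdm_t create dir home_root_t")
            # The login daemon itself is mkdir-ing under /home: pam_mkhomedir runs
            # in the daemon's domain, which policy does not let create home dirs.
            # pam_oddjob_mkhomedir hands the mkdir to oddjobd over D-Bus instead.
            echo 'use pam_oddjob_mkhomedir (yum install oddjob\*; enable oddjobd)';;
        *" unlabeled_t"|*" default_t")
            # Target carries no real label: a labeling problem, not a policy gap.
            echo 'relabel: restorecon -Rv <path> (semanage fcontext for non-default paths)';;
        *)
            echo 'not a pattern from this thread: check audit2allow -w for a boolean first';;
    esac
}

for rec in "$SAMPLE_SSHD" "$SAMPLE_GDM"; do
    s=$(avc_summary "$rec")
    printf '%s\n  -> %s\n' "$s" "$(avc_hint "$s")"
done
```

Feed it real records with `ausearch -m avc -ts recent` piped line by line into `avc_summary`; the point is that the source type, permission, class and target type are what you read before reaching for restorecon or audit2allow, and that a denial whose target is already home_root_t is a "wrong domain doing the work" problem rather than a labeling one.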