Re: selinux question(s) (/home really = /n/home..)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Right, that did it (after i started the oddjobd service, that is).

Now, the original reason i turned selinux back on was to use xguest....saddly, this isn't working still...

On Tue, Nov 4, 2008 at 11:21 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Nicholson wrote:
> So, I have an environment, where we pull user data/auth from ldap/kerberos
> for a bunch of fedora workstations. I would love to have selinux turned on
> on these, but, right now it jsut doesn't work with our setup.
>
> See, your users home directories are in a few different places. for the most
> part, LDAP think their home is at /n/home, or /n/data/home. So, i have /home
> bind mounted to those locations, and, sith selinux off, its all nice and
> happy. Another weird thing, is that /home is local on these workstations, so
> when a user sits at a workstation for the first time, an empty homedir must
> be created. We hope to move to nfs /home soon, but not yet.
>
Can you look at using pam_oddjob_mkhomedir rather then pam_mkhomedir

yum install oddjob\*

Should fix the problem.

> once i turn it on, however, users cannot log in, and the home directoies
> cannot be created. I get selinux messages like:
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "create" to ./nichols2 (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. It is not expected that this access
> is
> required by sshd and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for ./nichols2,
>
> restorecon -v './nichols2'
>
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access - see
> FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:home_root_t:s0
> Target Objects                ./nichols2 [ dir ]
> Source                        sshd
> Source Path                   /usr/sbin/sshd
> Port                          <Unknown>
> Host                          dhcp-0016533596-c5-74
> Source RPM Packages           openssh-server-5.1p1-2.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-103.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     dhcp-0016533596-c5-74
> Platform                      Linux dhcp-0016533596-c5-74
> 2.6.26.6-79.fc9.i686
>                               #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
> Alert Count                   1
> First Seen                    Tue Nov  4 10:49:41 2008
> Last Seen                     Tue Nov  4 10:49:41 2008
> Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
> Line Numbers
>
> Raw Audit Messages
>
> host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
> denied  { create } for  pid=4956 comm="sshd" name="nichols2"
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
> arch=40000003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
> a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
> exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> Thats for an ssh login attempt. I get the same for one via GDM. I've tried
> adding "context=system_r:object_r:home_root_t" when i bind mount the /home
> on /n/home etc, and no luck so far. do I need to relabel /n ? what/how
> should I? any help would be awesome.
>
> Thanks,
>
> Matt
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkQdnUACgkQrlYvE4MpobPlnQCeI054kP0QjzCP1u4X5mr1yD9v
/jgAoJLJ3lfNDoBwnlk4CcyLyw0s3qdh
=Ly01
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux