I do not want to disable SELinux at large but only for a directory and its sub-directories.
On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O'Connor Jr. <eoconnor25@gmail.com
wrote:
Not sure about most others, but I was always told that you never disable Selina. Of course that is in a business/corporate setting. If it's just you at home with a few servers? Then yeah I guess disabling it would be the "quickest" route around this problem. On Sep 16, 2016 8:25 AM, Bernard Fay bernard.fay@gmail.com wrote:
Hello everyone,
I have a problem with oddjob_mkhomedir on a NFS mount point. The actual context is nfs_t
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 users/
With this type, oddjob_mkhomedir cannot do is job of creating home user directories.
In the logs, I found about creating a new module with audi2allow and semodule:
[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598 X11 connection rejected because of wrong authentication. SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access
on
the file .bash_logout.
***** Plugin catchall_boolean (89.3 confidence) suggests
If you want to allow use to nfs home dirs Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean. You can read 'None' man page for more details. Do setsebool -P use_nfs_home_dirs 1
***** Plugin catchall (11.6 confidence) suggests
If you believe that mkhomedir should be allowed setattr access on the .bash_logout file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c102 3 Target Context system_u:object_r:nfs_t:s0 Target Objects .bash_logout [ file ] Source mkhomedir Source Path /usr/libexec/oddjob/mkhomedir Port <Unknown> Host Source RPM Packages oddjob-mkhomedir-0.31.5-4.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name Platform Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-09-15 15:12:48 EDT Last Seen 2016-09-15 15:12:48 EDT Local ID fe2d7f60-d3ff-405b-b518-38d0cf021598
Raw Audit Messages type=AVC msg=audit(1473966768.233:9091): avc: denied { setattr } for pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581 scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0 ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir exe=/usr/libexec/oddjob/mkhomedir subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)
Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr
I then created the module and the te file says this:
[root@ selinux]# cat mkhomedir_nfs.te
module mkhomedir_nfs 1.0;
require { type oddjob_mkhomedir_t; type nfs_t; class file { write create open setattr }; class dir { write create add_name setattr }; }
#============= oddjob_mkhomedir_t ==============
#!!!! This avc is allowed in the current policy allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };
#!!!! This avc is allowed in the current policy allow oddjob_mkhomedir_t nfs_t:file { write create open setattr };
Reading this output, I thought I had to add the context
oddjob_mkhomedir_t to
the users directory but I got another problem:
[root@ home]# semanage fcontext -a -t oddjob_mkhomedir_t "./users" ValueError: Type oddjob_mkhomedir_t is invalid, must be a file or device type
What I do wrong?
In the other hand, is it possible to disable SELinux to a directory and
all
is subdirectories?
Thanks, Bernard _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
-
Bernard Fay