[CentOS] SELinux module

Fri Sep 16 12:25:57 UTC 2016
Bernard Fay <bernard.fay at gmail.com>

Hello everyone,

I have a problem with oddjob_mkhomedir on a NFS mount point. The actual
context is nfs_t

drwxr-xr-x. root root system_u:object_r:nfs_t:s0       users/


With this type, oddjob_mkhomedir cannot do its job of creating user home
directories.

In the logs, I found about creating a new module with audit2allow and
semodule:

[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
X11 connection rejected because of wrong authentication.
SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on
the file .bash_logout.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow use to nfs home dirs
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs'
boolean.
You can read 'None' man page for more details.
Do
setsebool -P use_nfs_home_dirs 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that mkhomedir should be allowed setattr access on the
.bash_logout file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context
system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                .bash_logout [ file ]
Source                        mkhomedir
Source Path                   /usr/libexec/oddjob/mkhomedir
Port                          <Unknown>
Host
Source RPM Packages           oddjob-mkhomedir-0.31.5-4.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name
Platform                      Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
                              Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-15 15:12:48 EDT
Last Seen                     2016-09-15 15:12:48 EDT
Local ID                      fe2d7f60-d3ff-405b-b518-38d0cf021598

Raw Audit Messages
type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for
pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581
scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=file


type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown
success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0
ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir
exe=/usr/libexec/oddjob/mkhomedir
subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)

Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr



I then created the module and the te file says this:

[root@ selinux]# cat mkhomedir_nfs.te

module mkhomedir_nfs 1.0;

require {
    type oddjob_mkhomedir_t;
    type nfs_t;
    class file { write create open setattr };
    class dir { write create add_name setattr };
}

#============= oddjob_mkhomedir_t ==============

#!!!! This avc is allowed in the current policy
allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };

#!!!! This avc is allowed in the current policy
allow oddjob_mkhomedir_t nfs_t:file { write create open setattr };


Reading this output, I thought I had to add the context oddjob_mkhomedir_t to
the users directory but I got another problem:

[root@ home]# semanage fcontext -a -t oddjob_mkhomedir_t "./users"
ValueError: Type oddjob_mkhomedir_t is invalid, must be a file or device
type


What am I doing wrong?

On the other hand, is it possible to disable SELinux for a directory and all
its subdirectories?

Thanks,
Bernard
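As an added illustration (my own code, not from the post, the oddjob project or audit2allow itself), the script below parses raw AVC denials like the one in the sealert report above and merges them into the same `require`/`allow` rules that appear in mkhomedir_nfs.te. It also makes the domain/type split explicit: the source of an allow rule comes from `scontext` (the process domain, oddjob_mkhomedir_t) and the target from `tcontext` (the file type, nfs_t), which is why only the target-side type can be assigned with `semanage fcontext`. The second AVC line in the sample input is constructed to exercise the dir class.

```python
"""Turn raw SELinux AVC denials into the allow rules audit2allow would emit."""
import re
from collections import defaultdict

# Constructed sample input: the file denial from the sealert report above plus a
# constructed dir denial (ino/timestamp invented) to show permission merging.
AVC_LOG = """\
type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581 scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1473966768.200:9090): avc:  denied  { write add_name } for pid=28565 comm="mkhomedir" name="users" dev="0:40" ino=2 scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:range] -> type (third field of a security context)."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Yield (source_domain, target_type, tclass, perms) for each denial line.
    source_domain is the process domain from scontext; target_type is the
    on-disk file type from tcontext (the only kind semanage fcontext accepts)."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def build_rules(text):
    """Merge denials into {(src, tgt, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)

def render_te(rules, name="mkhomedir_nfs"):
    """Render a .te module: header, require block, then one allow per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_te(build_rules(AVC_LOG)))
```

Before loading such a module, check whether an existing boolean already covers the access (here sealert names use_nfs_home_dirs); a custom allow rule is only the fallback when no boolean applies.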