[CentOS] SELinux module

Fri Sep 16 12:33:55 UTC 2016
Bernard Fay <bernard.fay at gmail.com>

I do not want to disable SELinux at large but only for a directory and its
sub-directories.


On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O'Connor Jr. <eoconnor25 at gmail.com> wrote:

> Not sure about most others, but I was always told that you never disable
> SELinux. Of course that is in a business/corporate setting. If it's just
> you at home with a few servers? Then yeah I guess disabling it would be
> the "quickest" route around this problem.
>
> On Sep 16, 2016 8:25 AM, Bernard Fay <bernard.fay at gmail.com> wrote:
> >
> > Hello everyone,
> >
> > I have a problem with oddjob_mkhomedir on a NFS mount point. The actual
> > context is nfs_t
> >
> > drwxr-xr-x. root root system_u:object_r:nfs_t:s0       users/
> >
> >
> > With this type, oddjob_mkhomedir cannot do its job of creating home user
> > directories.
> >
> > In the logs, I found out about creating a new module with audit2allow and
> > semodule:
> >
> > [root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
> > X11 connection rejected because of wrong authentication.
> > SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on
> > the file .bash_logout.
> >
> > *****  Plugin catchall_boolean (89.3 confidence) suggests ******************
> >
> > If you want to allow use to nfs home dirs
> > Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs'
> > boolean.
> > You can read 'None' man page for more details.
> > Do
> > setsebool -P use_nfs_home_dirs 1
> >
> > *****  Plugin catchall (11.6 confidence) suggests **************************
> >
> > If you believe that mkhomedir should be allowed setattr access on the
> > .bash_logout file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> >
> > Additional Information:
> > Source Context                system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:nfs_t:s0
> > Target Objects                .bash_logout [ file ]
> > Source                        mkhomedir
> > Source Path                   /usr/libexec/oddjob/mkhomedir
> > Port                          <Unknown>
> > Host
> > Source RPM Packages           oddjob-mkhomedir-0.31.5-4.el7.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.7.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name
> > Platform                      Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
> >                               Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
> > Alert Count                   1
> > First Seen                    2016-09-15 15:12:48 EDT
> > Last Seen                     2016-09-15 15:12:48 EDT
> > Local ID                      fe2d7f60-d3ff-405b-b518-38d0cf021598
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for
> > pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581
> > scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:nfs_t:s0 tclass=file
> >
> >
> > type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown
> > success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0
> > ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir
> > exe=/usr/libexec/oddjob/mkhomedir
> > subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)
> >
> > Hash: mkhomedir,oddjob_mkhomedir_t,nfs_t,file,setattr
> >
> >
> >
> > I then created the module and the te file says this:
> >
> > [root@ selinux]# cat mkhomedir_nfs.te
> >
> > module mkhomedir_nfs 1.0;
> >
> > require {
> >     type oddjob_mkhomedir_t;
> >     type nfs_t;
> >     class file { write create open setattr };
> >     class dir { write create add_name setattr };
> > }
> >
> > #============= oddjob_mkhomedir_t ==============
> >
> > #!!!! This avc is allowed in the current policy
> > allow oddjob_mkhomedir_t nfs_t:dir { write create add_name setattr };
> >
> > #!!!! This avc is allowed in the current policy
> > allow oddjob_mkhomedir_t nfs_t:file { write create open setattr };
> >
> >
> > Reading this output, I thought I had to add the context oddjob_mkhomedir_t to
> > the users directory but I got another problem:
> >
> > [root@ home]# semanage fcontext -a -t oddjob_mkhomedir_t "./users"
> > ValueError: Type oddjob_mkhomedir_t is invalid, must be a file or device type
> >
> >
> > What am I doing wrong?
> >
> > On the other hand, is it possible to disable SELinux for a directory and all
> > its subdirectories?
> >
> > Thanks,
> > Bernard
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > https://lists.centos.org/mailman/listinfo/centos
>
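Added illustration (not part of the thread, and not the audit2allow or setroubleshoot code): a small Python script that does by hand what the `grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol` step quoted above does, using the AVC record from the post as sample input. It parses each denial, prints the five fields that make up the `Hash:` line in the sealert report, collapses the denials into `allow` rules and renders the `.te` source, and splits the types it saw into process domains (from `scontext`) and object types (from `tcontext`). That last split is the reason behind the `semanage fcontext` error in the post: `oddjob_mkhomedir_t` comes from the source context, so it is a domain, and `semanage fcontext -t` only accepts types that can label files. Assumptions: the second AVC line (a `dir` denial on `users`) is constructed for the example, and `BOOLEAN_HINTS` holds only the single pairing that the catchall_boolean plugin reported on this page; it is not a real policy lookup.

```python
import re
from collections import defaultdict

# Constructed sample audit log. The first AVC record and the SYSCALL record are
# the ones quoted in the thread; the dir denial on "users" is constructed here
# to show how several denials are merged into rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1473966768.233:9091): avc:  denied  { setattr } for pid=28565 comm="mkhomedir" name=".bash_logout" dev="0:40" ino=1048581 scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall=fchown success=yes exit=0 a0=5 a1=2710 a2=2714 a3=5f7269645f656d6f items=0 ppid=1037 pid=28565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mkhomedir exe=/usr/libexec/oddjob/mkhomedir subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1473966768.240:9092): avc:  denied  { write add_name } for pid=28565 comm="mkhomedir" name="users" dev="0:40" ino=1048580 scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

# One AVC denial record: permissions in braces, then comm, then the two
# contexts and the object class. Anything that is not type=AVC is ignored.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Boolean hint quoted by sealert in the thread (catchall_boolean plugin).
# Assumption: only the one pairing reported on the page is encoded here.
BOOLEAN_HINTS = {("oddjob_mkhomedir_t", "nfs_t"): "use_nfs_home_dirs"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; role is field 1, type is field 2.
    s_role, s_type = m["scontext"].split(":")[1:3]
    t_role, t_type = m["tcontext"].split(":")[1:3]
    return {
        "comm": m["comm"],
        "perms": m["perms"].split(),
        "srole": s_role, "stype": s_type,
        "trole": t_role, "ttype": t_type,
        "tclass": m["tclass"],
    }


def parse_log(text, comm=None):
    """All AVC denials in the log; with comm set, the same subset `grep comm` gives."""
    avcs = [parse_avc(line) for line in text.splitlines()]
    return [a for a in avcs if a and (comm is None or a["comm"] == comm)]


def sealert_hash(avc):
    """The fields sealert prints on its Hash: line: comm, source type, target
    type, class, permission (matches the page exactly for one permission)."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"],
                     ",".join(avc["perms"])])


def classify_types(avcs):
    """Split seen types into process domains and object types. Files always
    carry role object_r, so a type seen with any other role is a domain and
    cannot be used with `semanage fcontext -t`."""
    domains, objects = set(), set()
    for a in avcs:
        (objects if a["srole"] == "object_r" else domains).add(a["stype"])
        (objects if a["trole"] == "object_r" else domains).add(a["ttype"])
    return {"domains": sorted(domains), "object_types": sorted(objects)}


def suggest_boolean(avcs):
    """setsebool commands to try before loading a custom module."""
    pairs = {(a["stype"], a["ttype"]) for a in avcs}
    return sorted(f"setsebool -P {BOOLEAN_HINTS[p]} 1" for p in pairs if p in BOOLEAN_HINTS)


def build_te(module_name, avcs):
    """Merge denials into one allow rule per (source, target, class), as
    audit2allow -M does, and render the .te source text."""
    rules = defaultdict(set)
    for a in avcs:
        rules[(a["stype"], a["ttype"], a["tclass"])].update(a["perms"])
    types = sorted({t for (s, tt, _c) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_s, _tt, c), perms in rules.items():
        classes[c].update(perms)
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, tt, c), perms in sorted(rules.items()):
        lines.append(f"allow {s} {tt}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    avcs = parse_log(SAMPLE_AUDIT_LOG, comm="mkhomedir")
    print("Hash:", sealert_hash(avcs[0]))
    print("Try first:", suggest_boolean(avcs))
    print(classify_types(avcs))
    print(build_te("mkhomedir_nfs", avcs))
```

Running it reproduces the `allow oddjob_mkhomedir_t nfs_t:file { ... }` and `:dir { ... }` rules from the posted `.te` file and lists `oddjob_mkhomedir_t` under domains and `nfs_t` under object types. Two caveats worth knowing alongside the thread: `nfs_t` on an NFS mount is assigned by the kernel from the filesystem type (genfscon), not from the file_contexts database, so `semanage fcontext` rules for paths under the mount are not what changes it (the `context=` mount option is); and SELinux has no per-directory off switch, since decisions are made on process domain and object type, not on path.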