Bug 292601

Summary: (CRON) chdir(HOME) failed: (Permission denied)
Product: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: medium
Reporter: Paul Pluzhnikov <paul>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mwang
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:20:39 UTC

Description Paul Pluzhnikov 2007-09-16 20:52:56 UTC
Description of problem:

This bug has almost exact duplicate symptoms of Bug 246396,
but the root cause (I believe) is SELinux policy.

Version-Release number of selected component (if applicable):
vixie-cron-4.2-2.fc8
selinux-policy-targeted-3.0.7-5.fc8
selinux-policy-3.0.7-5.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Create a user with NFS-mounted $HOME

   In my case the user is also NIS-only, i.e. there is no local /etc/passwd entry.
   Also, in my case the user's (NFS) home directory is /home/server/username.

2. Create cron job for said user.
  
Actual results:

Cron job does not run.

/var/log/cron:

Sep 16 13:34:01 devel33 crond[18223]: (CRON) chdir(HOME) failed: (Permission denied)
Sep 16 13:34:01 devel33 crond[18223]: (CRON) /home/camel7/devtest (Permission denied)
Sep 16 13:34:01 devel33 crond[18223]: CRON (devtest) ERROR: failed to open PAM security session: Permission denied

/var/log/audit/audit.log:
type=USER_ACCT msg=audit(1189974841.722:447): user pid=18223 uid=0 auid=0 subj=root:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=devtest exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(1189974841.724:448): avc:  denied  { search } for  pid=18223 comm="crond" name="" dev=0:18 ino=2 scontext=root:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1189974841.724:448): arch=c000003e syscall=80 success=no exit=-13 a0=699855 a1=699990 a2=0 a3=0 items=0 ppid=18217 pid=18223 auid=0 uid=249 gid=100 euid=249 suid=249 fsuid=249 egid=100 sgid=100 fsgid=100 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)

Expected results:
cron job executes

Additional info:

Comment 1 Daniel Walsh 2007-09-17 17:38:50 UTC
Fixed in selinux-policy-3.0.8-1.fc8

Comment 2 Paul Pluzhnikov 2007-09-17 21:25:38 UTC
Apparently the exact same problem also affects sshd:

$ ssh devel34
paul's password: 
Authentication successful.
Last login: Mon Sep 17 07:18:04 2007 from buffalo.parasoft.com
Could not chdir to home directory /home/camel1/paul: Permission denied
-bash-3.2$ pwd
/
-bash-3.2$ cd 
-bash-3.2$ pwd
/home/camel1/paul
-bash-3.2$ 


Above, bash could chdir($HOME), but sshd can't (so bash starts in the wrong place).

From audit.log:
type=SYSCALL msg=audit(1190039032.385:68): arch=40000003 syscall=12 success=no exit=-13 a0=b9c137f0 a1=ffffff7c a2=b7ff7904 a3=b9c12f28 items=0 ppid=18353 pid=18354 auid=161 uid=161 gid=100 euid=161 suid=161 fsuid=161 egid=100 sgid=100 fsgid=100 tty=pts1 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)


Comment 3 Daniel Walsh 2007-09-18 15:04:23 UTC
This is not an AVC message.

Do you have the use_nfs_home_dirs boolean turned on?

setsebool -P use_nfs_home_dirs=1


Comment 4 Paul Pluzhnikov 2007-09-18 15:52:01 UTC
(In reply to comment #3)

> setsebool -P use_nfs_home_dirs=1

That cures it, thanks.
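
Added example, not part of this bug report: a small Python parser that groups audit records by serial number, pulls source type, target type, class and permissions out of an AVC denial, and maps the nfs_t/dir case to the use_nfs_home_dirs boolean named in comment 3. A SYSCALL record returning EACCES with no AVC record under the same serial (the sshd case in comment 2) is reported separately, so it is not mistaken for a policy denial. The sample records are constructed from the ones quoted in this bug (some SYSCALL fields dropped for length), and BOOLEAN_HINTS holds only the single mapping this bug documents.

```python
import re

# Constructed sample, modelled on the audit.log records quoted in this bug: an AVC
# denial plus its SYSCALL record (crond), and a lone SYSCALL record (sshd, comment 2).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1189974841.724:448): avc:  denied  { search } for  pid=18223 comm="crond" name="" dev=0:18 ino=2 scontext=root:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1189974841.724:448): arch=c000003e syscall=80 success=no exit=-13 items=0 pid=18223 uid=249 comm="crond" exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1190039032.385:68): arch=40000003 syscall=12 success=no exit=-13 items=0 pid=18354 uid=161 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>\S+) '
    r'exit=(?P<exit>-?\d+).*?comm="(?P<comm>[^"]*)"')

# Denials for which a policy boolean is the documented fix; the only mapping taken
# from this bug is nfs_t/dir -> use_nfs_home_dirs (comment 3).
BOOLEAN_HINTS = {("nfs_t", "dir"): "use_nfs_home_dirs"}

def sel_type(context):
    """Type field of a user:role:type[:mls] SELinux security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Group audit records by serial number and classify each event."""
    events = {}
    for line in text.splitlines():
        for key, rx in (("avc", AVC_RE), ("syscall", SYSCALL_RE)):
            m = rx.match(line)
            if m:
                events.setdefault(int(m["serial"]), {})[key] = m.groupdict()
    findings = []
    for serial, ev in events.items():
        if "avc" in ev:
            a = ev["avc"]
            src, tgt = sel_type(a["scontext"]), sel_type(a["tcontext"])
            findings.append({"serial": serial, "kind": "avc_denial", "comm": a["comm"],
                             "source": src, "target": tgt, "tclass": a["tclass"],
                             "perms": a["perms"].split(),
                             "hint": BOOLEAN_HINTS.get((tgt, a["tclass"]))})
        elif ev["syscall"]["success"] == "no" and ev["syscall"]["exit"] == "-13":
            # EACCES with no AVC record under the same serial: the log alone does not
            # show an SELinux denial (a dontaudit rule or plain DAC are both possible).
            findings.append({"serial": serial, "kind": "eacces_without_avc",
                             "comm": ev["syscall"]["comm"], "hint": None})
    return findings
```

Run it against a real /var/log/audit/audit.log by passing the file contents to parse_denials; a hint of None on an AVC finding means this bug gives no boolean for that denial.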


Comment 5 Michael Wang 2007-11-24 05:16:51 UTC
The problem is not limited to NFS home dirs, but also occurs on a local file system
other than the root file system (/). For example, /boot/test where /boot
is a separate file system.

The problem occurs with ssh and with mingetty.

The problem cannot be cured by setsebool -P use_nfs_home_dirs=1.
The only cure I found is to disable selinux.

Comment 6 Daniel Walsh 2007-12-18 15:31:41 UTC
What avc messages are you seeing when this happens?

Comment 7 Daniel Walsh 2008-01-30 19:20:39 UTC
Bulk closing all bugs in Fedora updates in the modified state. If your bug is
not fixed, please reopen.