Bug 598742
| Summary: | Selinux prevent local GUI login and drop remote login to / when home dir is not under /home | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lei Zhou <lzhou5> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-06-02 12:34:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The above workaround is flawed. It still did not allow login through authorized_keys. To make this possible, the local policy should be:
_________________________________________________________________
module local 1.0;
require {
type local_login_t;
type default_t;
type xauth_t;
type sshd_t;
class dir { search getattr };
}
#============= sshd_t ==============
allow sshd_t default_t:dir { search getattr };
#============= xauth_t ==============
allow xauth_t default_t:dir search;
#============= local_login_t ==============
allow local_login_t default_t:dir search;
__________________________________________________________________
To be noted, the reason I report this self-solved issue as a bug is because of its inconsistencies:
a) It did not generate any denial log in /var/log/audit/audit.log, which made the debugging unnecessarily difficult;
b) Although it prevented the login process to change dir to user root, and drop user log in point to /, after logged on, user can "cd ~" without any problem. This means that the selinux policies for login process is inconsistent with user shell, like bash or tcsh;
c) This issue did not exist in Fedora 12, means that it was created in the development of Fedora 13;
d) Up to date, Fedora overnight update did not fix this issue.
You need to setup the labeling. # semanage fcontext -a -t home_root_t /data # semanage fcontext -e /home /data/home # restorecon -R -v /data Should fix. Comments: a) Although the fact can be treated "Not a bug", but it IS a bug if selinux does not report this denial in /var/log/audit/audit.log. If it did, I'd not report it here but rather mending it using a local policy as usual. b) Also it IS A BUG of having the login process and bash/tcsh treated differently on directory access. This could raise other issues. As what I know, it also broke my 'ssh node command' requests. c) There is no reason to make such change of having a worked thing in Fedora 12 not-working and say it is NOT A BUG! d) It is virtually improper to relabel /data home_root_t since it does not hold only the home directories. Please reconsider. Or I'd have to report this as several separated bugs of "Selinux does not report denial" etc. Hope to see your reply. Thanks! BTW, I'd say REDHAT had never really seriously considered customer's bug report as expected. They always go the easiest to them solution. I'd say this is why linux still cannot win over Windows. Sigh... (In reply to comment #3) > You need to setup the labeling. > > # semanage fcontext -a -t home_root_t /data > # semanage fcontext -e /home /data/home > # restorecon -R -v /data > > Should fix. This is another attempt that is ignored of trying to help the linux community. Sigh... Ok label /data as usr_t which can be searched by most domains. I would be supprised if this would work under F12 unless you had a custom policy module or labels under /data that allowed the login programs to search. # semanage fcontext -a -t usr_t /data There are potential dontaudit rules that could have blocked one of the allow rules that would have allowed this to work. You can turn off dontaudit rules with semodule -DB and turn them back on with semodule -B In the case of adding allow rules using audit2allow, that would have been a bad solution. Often doing this is the wrong solution. Look at this. http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf A little premature on getting depressed over working with the Linux community... You have a configuration issue, that I can not fix. It is somewhat similar to setting the UID and Permission flags on the contents of the directories. SELinux just wants you to label them correctly. If a directory contains user content, it needs to be labeled as such. Random directories created in / are labeled default_t, and no confined domains are allowed to search through default_t since SELinux does not know what is in those directories. For all it knows it could be credit card data or nuclear secrets... |
Description of problem: I have several fedora boxes in a cluster. The home directory is mounted under /data as /data/home from a nfs share. There is a link under / named /home -> /data/home. It was all normal when it was Fedora 12. However, when I upgraded them into Fedora 13, I could nolonger log in local GUI, and the remote login dropped me to / since it could not change dir to /home/userroot. However, when I logged in remotely, I could cd ~ with no problem. When I do 'setenforce 0', everything is back to normal. So this must be a selinux policy issue. To be noted, setsebool -P use_nfs_home_dirs=1 has been done to allow using nfs volume as home dir. Unfortunately, I tried audit2allow -m local -l -i /var/log/audit/audit.log but it returned nothing. This means that this bug cannot be fixed by the standard way. After some thinking and tries, I found that it was the /data stage, which has a default_t attribute, prevented sshd, xauth, and local_login from going through it to the actual home directory. My current work around is to use the following local.te file module local 1.0; require { type local_login_t; type default_t; type xauth_t; type sshd_t; class dir search; } #============= sshd_t ============== allow sshd_t default_t:dir search; #============= xauth_t ============== allow xauth_t default_t:dir search; #============= local_login_t ============== allow local_login_t default_t:dir search; By inserting this into the selinux policy by running checkmodule -M -m -o local.mod local.te semodule_package -o local.pp -m local.mod semodule -i local.pp this issue is solved. Version-Release number of selected component (if applicable): Fedora 13 How reproducible: Always Steps to Reproduce: 1.mkdir /data; mkdir /data/home; mount your_nfs_home /data/home; ln -s /data/home /home 2.make sure ls -Z / | grep data returns something like drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 data 3.try local and remote login Actual results: Cannot do local GUI login, and remote login dropped to / without the workaround. Expected results: Local GUI login and remote login are normal without the workaround. Additional info: