Bug 598742
Summary: | Selinux prevent local GUI login and drop remote login to / when home dir is not under /home | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lei Zhou <lzhou5> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 13 | CC: | dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-06-02 12:34:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lei Zhou
2010-06-01 23:11:58 UTC
The above workaround is flawed. It still did not allow login through authorized_keys. To make this possible, the local policy should be: _________________________________________________________________ module local 1.0; require { type local_login_t; type default_t; type xauth_t; type sshd_t; class dir { search getattr }; } #============= sshd_t ============== allow sshd_t default_t:dir { search getattr }; #============= xauth_t ============== allow xauth_t default_t:dir search; #============= local_login_t ============== allow local_login_t default_t:dir search; __________________________________________________________________ To be noted, the reason I report this self-solved issue as a bug is because of its inconsistencies: a) It did not generate any denial log in /var/log/audit/audit.log, which made the debugging unnecessarily difficult; b) Although it prevented the login process to change dir to user root, and drop user log in point to /, after logged on, user can "cd ~" without any problem. This means that the selinux policies for login process is inconsistent with user shell, like bash or tcsh; c) This issue did not exist in Fedora 12, means that it was created in the development of Fedora 13; d) Up to date, Fedora overnight update did not fix this issue. You need to setup the labeling. # semanage fcontext -a -t home_root_t /data # semanage fcontext -e /home /data/home # restorecon -R -v /data Should fix. Comments: a) Although the fact can be treated "Not a bug", but it IS a bug if selinux does not report this denial in /var/log/audit/audit.log. If it did, I'd not report it here but rather mending it using a local policy as usual. b) Also it IS A BUG of having the login process and bash/tcsh treated differently on directory access. This could raise other issues. As what I know, it also broke my 'ssh node command' requests. c) There is no reason to make such change of having a worked thing in Fedora 12 not-working and say it is NOT A BUG! d) It is virtually improper to relabel /data home_root_t since it does not hold only the home directories. Please reconsider. Or I'd have to report this as several separated bugs of "Selinux does not report denial" etc. Hope to see your reply. Thanks! BTW, I'd say REDHAT had never really seriously considered customer's bug report as expected. They always go the easiest to them solution. I'd say this is why linux still cannot win over Windows. Sigh... (In reply to comment #3) > You need to setup the labeling. > > # semanage fcontext -a -t home_root_t /data > # semanage fcontext -e /home /data/home > # restorecon -R -v /data > > Should fix. This is another attempt that is ignored of trying to help the linux community. Sigh... Ok label /data as usr_t which can be searched by most domains. I would be supprised if this would work under F12 unless you had a custom policy module or labels under /data that allowed the login programs to search. # semanage fcontext -a -t usr_t /data There are potential dontaudit rules that could have blocked one of the allow rules that would have allowed this to work. You can turn off dontaudit rules with semodule -DB and turn them back on with semodule -B In the case of adding allow rules using audit2allow, that would have been a bad solution. Often doing this is the wrong solution. Look at this. http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf A little premature on getting depressed over working with the Linux community... You have a configuration issue, that I can not fix. It is somewhat similar to setting the UID and Permission flags on the contents of the directories. SELinux just wants you to label them correctly. If a directory contains user content, it needs to be labeled as such. Random directories created in / are labeled default_t, and no confined domains are allowed to search through default_t since SELinux does not know what is in those directories. For all it knows it could be credit card data or nuclear secrets... |