Bug 669933

Summary: Default policy doesn't allow NFS home directories
Product: [Fedora] Fedora Reporter: Tethys <sta040>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14 CC: dwalsh, mgrepl
Hardware: x86_64   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2011-05-26 20:41:09 UTC Type: ---

Description Tethys 2011-01-15 22:53:22 UTC
Description of problem:
Install F14 with authentication via NIS, and home directories mounted
via NFS. SELinux prevents remote logins.

Trivial to work around with "setsebool -P use_nfs_home_dirs 1", but I
shouldn't need to do this. If the user has configured remote authentication,
the chances that they're using NFS home directories are very high. The
default policy should allow it if remote authentication is configured.
Or at the very least, ask at install time if NFS home directories are
going to be used. Maybe this should be an anaconda bug?

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-19.fc14.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install F14
2. Configure NIS authentication
3. Mount NFS home directories
4. ssh to F14 machine from elsewhere
  
Actual results:
setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory .

Expected results:
Login

Additional info:

Comment 1 Daniel Walsh 2011-01-17 17:44:57 UTC
There is really no way for us to know, since you could simply add

remote:/home /home 

to /etc/fstab.

The type of authentication has no bearing on whether or not you are using nfs homedirs.

Comment 2 Tethys 2011-01-18 08:16:13 UTC
Oh, I agree there's no guaranteed way to tell. But remote authentication
is a very strong hint. At the very least, the installer should be asking
if you're using NFS home directories and setting up SELinux appropriately.

Just having it fail out of the box isn't really a viable option IMHO.

Comment 3 Daniel Walsh 2011-01-18 15:15:04 UTC
But the installer did nothing about setting up nfs homedirs; it was done by the admin, and the admin should be responsible for configuring the machine. Just like he would need to handle coordinating the UID MAPS. I agree if there was a tool system-config-nfs then this should be done. Maybe we could put better docs in NFS somewhere. But I don't see this as an anaconda bug, and saying it is broken out of the box when anaconda did not set up the NFS homedirs is just wrong.
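
Added example (not part of the bug report or of selinux-policy): a check an admin could run after setting up NFS home directories, which lists the accounts whose home lies on an NFS mount and flags the case where use_nfs_home_dirs is still off. The function names, sample accounts and sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts whose home directory is on NFS and compare
# that with the state of the use_nfs_home_dirs boolean from this report.

# Print mount points of nfs/nfs4 entries from a file laid out like
# /proc/mounts or /etc/fstab (device, mount point, fstype, ...).
nfs_mountpoints() {
    awk '$1 !~ /^#/ && ($3 == "nfs" || $3 == "nfs4") { print $2 }' "$1"
}

# nfs_homes MOUNTS PASSWD: print "user:home" for each passwd-format entry
# whose home is an NFS mount point or lies below one.
nfs_homes() {
    mps=$(nfs_mountpoints "$1")
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$home" ] || continue
        for mp in $mps; do
            case "$home/" in
                "${mp%/}"/*) echo "$user:$home"; break ;;
            esac
        done
    done < "$2"
}

# check_bool MOUNTS PASSWD STATE: STATE is "on" or "off". Returns 1 when
# NFS homes exist while the boolean is not on.
check_bool() {
    homes=$(nfs_homes "$1" "$2")
    [ -z "$homes" ] && return 0
    [ "$3" = "on" ] && return 0
    printf 'use_nfs_home_dirs is %s, but these homes are on NFS:\n%s\n' "$3" "$homes"
    return 1
}

# Constructed sample input (hypothetical accounts, not from the report).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda1 / ext4 rw 0 0
remote:/home /home nfs rw 0 0
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/homework/bob:/bin/bash
EOF
check_bool "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/passwd" off || true
```

On a live system, pass /proc/mounts, a file holding the output of `getent passwd` (which includes NIS accounts), and the third field of `getsebool use_nfs_home_dirs`.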