| Summary: | sshd_t domain lacking permission to enter fuse mounted home directories | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Tyson Whitehead <twhitehead> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.9.7-37.fc14 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-03-22 18:51:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

The sshd_t domain does not have the necessary permissions to enter fuse mounted home directories, so when you ssh into the box employing fuse mounted home directories, it drops you out in the root directory.

How reproducible: always

Steps to Reproduce:
1. setup your system to have fuse mounted home directories via pam_mount
2. set the use_fusefs_home_dirs boolean
3. ssh into your machine

Actual results:

```
[user1@host1 ~]$ ssh user2@host2
user2@host2's password:
Last login: Sun Jan 23 11:23:48 2011 from host1
Could not chdir to home directory /home/user2: Permission denied
[user2@host2 /]$
```

and the audit log shows

```
type=AVC msg=audit(1295800328.644:35019): avc: denied { search } for pid=10167 comm="sshd" name="/" dev=fuse ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
```

Note that the home directory is mounted fine and you can cd into it from the "[user2@host2 /]$" prompt. It's just that sshd cannot enter it.

Expected results:

```
[user1@$host1: ~] ssh $user2@$host2
$user2@$host2's password:
Last login: Sun Jan 23 11:23:48 2011 from $host1
[$user2@$host2 ~]$
```

Additional info:

To fix this issue, I added the following lines

```
tunable_policy(`use_fusefs_home_dirs',`
	fs_search_fusefs(sshd_t)
')
```

to the ssh.te file. I also wonder if the companion use_nfs_home_dirs and use_samba_home_dirs lines might be overzealous with manage_{nfs,cifs}_dirs and manage_{nfs,cifs}_files. Could just fs_search_{nfs,cifs} do instead?

Cheers! -Tyson

---

The reason for this is that ssh-copy-id causes sshd_t to have to write content into those directories, as it would with fuse.

Miroslav, let's backport the fusefs support from ssh.te and ssh.if in F15.

---

Fixed in selinux-policy-3.9.7-34.fc14

---

selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14

---

selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14

---

selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
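As an added example (not part of the report, and not code from the selinux-policy package), the shell script below reads an AVC record shaped like the one quoted in the report and derives the allow rule it implies, the reasoning one does by hand before reaching for audit2allow; it then emits a local policy module that guards that rule with the use_fusefs_home_dirs boolean the same way the reporter's tunable_policy block does. The sample record, the module name local_sshd_fusefs and the function names are constructed for this example. It assumes sshd_t, fusefs_t and the boolean are already declared in the base policy, so the module only requires them rather than declaring them.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy package):
# read the fields of an AVC denial record and derive the allow rule it
# implies, then wrap that rule in the same use_fusefs_home_dirs guard the
# reporter put in ssh.te, as a stand-alone local module fragment.
# Assumption: the boolean and both types are already declared in the base
# policy, so the fragment requires them instead of declaring them.

# Constructed sample record, laid out like the one in the report.
SAMPLE_AVC='type=AVC msg=audit(1295800328.644:35019): avc: denied { search } for pid=10167 comm="sshd" name="/" dev=fuse ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir'

# Read AVC records on stdin; for each, print
#   allow <source type> <target type>:<class> { perms };
# The type is the third colon-separated field of a context
# (user:role:type[:range]); the permission set sits between the braces.
avc_to_allow() {
    awk '$1 == "type=AVC" {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (i++; i <= NF && $i != "}"; i++)
                    perms = perms (perms == "" ? "" : " ") $i
            } else if (sub(/^scontext=/, "", $i)) {
                src = $i
            } else if (sub(/^tcontext=/, "", $i)) {
                tgt = $i
            } else if (sub(/^tclass=/, "", $i)) {
                cls = $i
            }
        }
        split(src, s, ":"); split(tgt, t, ":")
        printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# Emit a refpolicy-style local module (hypothetical name local_sshd_fusefs)
# that enables the rule passed as $1 only while use_fusefs_home_dirs is on,
# mirroring the tunable_policy block in the report but pulling the types
# and the boolean in from the base policy through gen_require.
guarded_module() {
    cat <<EOF
policy_module(local_sshd_fusefs, 1.0)

gen_require(\`
	type sshd_t;
	type fusefs_t;
	bool use_fusefs_home_dirs;
')

tunable_policy(\`use_fusefs_home_dirs',\`
	$1
')
EOF
}

# Derive the rule from the sample record and print the module that carries it.
RULE=$(printf '%s\n' "$SAMPLE_AVC" | avc_to_allow)
printf '%s\n' "$RULE"
guarded_module "$RULE"
```

Saving guarded_module's output as local_sshd_fusefs.te and building it with `make -f /usr/share/selinux/devel/Makefile local_sshd_fusefs.pp` followed by `semodule -i local_sshd_fusefs.pp` (on a host with selinux-policy-devel installed) gives the same effect as the reporter's ssh.te change without rebuilding the distribution policy. The raw `allow` line is exactly what the denial asked for and nothing more; the reporter's `fs_search_fusefs(sshd_t)` is the preferred spelling inside ssh.te itself, because the interface hides the fusefs_t type behind the filesystem module rather than requiring it directly.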