Bug 682279

Summary: SELinux is preventing /usr/sbin/sshd from search access on the directory
Product: [Fedora] Fedora
Reporter: Enrique <cquike>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2011-03-07 10:00:08 UTC

Description Enrique 2011-03-04 17:16:26 UTC
Description of problem:
 
 I have an SSH server which mounts home directories through NFS. However, it doesn't allow logging in using publickey authentication. After login the following message appears:
 Could not chdir to home directory /home/user: Permission denied

 However, I then cd /home/user and everything is fine, permissions and all.

 The home is mounted with autofs using the following rule:
*       -fstype=nfs,rw,hard,intr,rsize=2048,wsize=2048,nosuid,nfsvers=3 server:/home/&

 I get the following message in /var/log/messages:
SELinux is preventing /usr/sbin/sshd from search access on the directory .

 Shouldn't the SELinux policy allow this common setup scenario by default?
 Cheers


How reproducible:
always

Steps to Reproduce:
1. Configure autofs to mount home remotely
2. Enable ssh server
3. Try to login using publickey authentication

Comment 1 Miroslav Grepl 2011-03-07 10:00:08 UTC
I believe sealert tells you what to do. You need to turn on the use_nfs_home_dirs boolean.

# setsebool -P use_nfs_home_dirs 1

We don't want to allow it by default.

Comment 2 Enrique 2011-03-07 12:39:50 UTC
 Thank you very much, it worked.
 Any reason why it is not allowed by default? It is a rather common setup, right?
 Regards

Comment 3 Daniel Walsh 2011-03-07 22:37:32 UTC
Well, not as common as not sharing homedirs with NFS.  When you turn this boolean on, all confined domains that have content in the homedir suddenly get access to all NFS content.  Not something we want to allow by default.
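
Added example (not part of the original bug thread, and not code from the selinux-policy project): a shell helper that summarizes AVC denials whose target type is nfs_t, so an administrator can see which confined domains are actually being blocked on NFS content before turning on use_nfs_home_dirs. The audit records are constructed samples; nfs_t as the label of the NFS mount and sshd_t as the source domain are assumptions about a default targeted policy, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the bug report).
SAMPLE_AVC='type=AVC msg=audit(1299258986.101:201): avc:  denied  { search } for  pid=2101 comm="sshd" name="/" dev=0:2a ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1299258990.440:207): avc:  denied  { read } for  pid=2188 comm="httpd" name="index.html" dev=sda1 ino=771 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1299259002.019:215): avc:  denied  { search } for  pid=2101 comm="sshd" name="/" dev=0:2a ino=2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Summarize denials whose target type is nfs_t (assumed label of the NFS
# mount). Reads audit records on stdin; prints "domain perms class count".
nfs_denials() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between the "{" and "}" fields.
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perm = (perm == "" ? $i : perm "," $i); continue }
            # Third colon-separated part of a context is the type/domain.
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (tgt == "nfs_t") seen[src " " perm " " cls]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Current value of a boolean, or "unknown" where SELinux tools are absent.
boolean_state() {
    state=""
    if command -v getsebool >/dev/null 2>&1; then
        state=$(getsebool "$1" 2>/dev/null | awk '{print $NF}')
    fi
    echo "${state:-unknown}"
}

printf '%s\n' "$SAMPLE_AVC" | nfs_denials
echo "use_nfs_home_dirs: $(boolean_state use_nfs_home_dirs)"
```

On a live host, real records can be piped in with `ausearch -m avc -ts recent | nfs_denials`. The output shows which domains are being denied today, which is useful context for Comment 3's point that the boolean opens NFS content to every confined domain with home directory access.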