| Summary: | SELinux is preventing /usr/sbin/sshd from 'search' accesses on the directory /afs. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Scott <dan> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:25c1123345dbc71bf0927600fd41b2a4b263e2b40e31e6caf9c3902c418e31a9 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-03 20:58:42 UTC | Type: | --- |

Daniel, are you using AFS for your homedirs?

For some users, yes. For my user, I have a local homedir, and symlinks to my AFS user directory. ~/.bashrc, ~/.bash_profile and ~/.ssh are symlinked to AFS, which could be causing the problem?

Yes, turn on the boolean and then you should be alright.

If you want to support NFS home directories
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean.
Do

```
setsebool -P use_nfs_home_dirs 1
```

OK, thanks.

```
SELinux is preventing /usr/sbin/sshd from 'search' accesses on the directory /afs.

***** Plugin restorecon (92.2 confidence) suggests *************************

If you want to fix the label.
/afs default label should be mnt_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /afs

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to support NFS home directories
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean.
Do
setsebool -P use_nfs_home_dirs 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that sshd should be allowed search access on the afs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                /afs [ dir ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-server-5.6p1-31.fc15.1
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun
                              May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 03 Jun 2011 02:03:29 PM EDT
Last Seen                     Fri 03 Jun 2011 02:03:29 PM EDT
Local ID                      95fbe0d6-6b39-4a91-9a7c-bb2f40a3b7d3

Raw Audit Messages
type=AVC msg=audit(1307124209.252:95): avc: denied { search } for pid=16795 comm="sshd" name="/" dev=afs ino=67174400 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1307124209.252:95): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fe7b1221bdd a1=7fff387a3c80 a2=7fff387a3c80 a3=0 items=0 ppid=16794 pid=16795 auid=768 uid=768 gid=1002 euid=768 suid=768 fsuid=768 egid=1002 sgid=1002 fsgid=1002 tty=pts2 ses=4 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,nfs_t,dir,search

audit2allow

#============= sshd_t ==============
#!!!! This avc can be allowed using the boolean 'use_nfs_home_dirs'
allow sshd_t nfs_t:dir search;

audit2allow -R

#============= sshd_t ==============
#!!!! This avc can be allowed using the boolean 'use_nfs_home_dirs'
allow sshd_t nfs_t:dir search;
```
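
As an added example (not part of the original report and not setroubleshoot's or audit2allow's own code), the Python below parses the AVC record from this report and derives the type-enforcement rule and the `Hash:` tuple shown above, so a single denial can be reviewed before anything is allowed. The function names are hypothetical, and building the tuple from the `comm` field is an assumption.

```python
import re

# AVC record copied from the report above (one audit.log line, SYSCALL record omitted).
SAMPLE_AVC = (
    'type=AVC msg=audit(1307124209.252:95): avc: denied { search } for '
    'pid=16795 comm="sshd" name="/" dev=afs ino=67174400 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed SELinux context: {context!r}')
    return parts[2]

def parse_avc(line):
    """Parse one AVC audit record; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'), 'perms': m.group('perms').split(),
        'comm': fields.get('comm', ''), 'tclass': fields['tclass'],
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
    }

def allow_rule(avc):
    """Render the allow rule that corresponds to this single denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};"

def trace_key(avc):
    """Comma-joined tuple in the shape of the report's 'Hash:' line (assumed layout)."""
    return ','.join([avc['comm'], avc['source_type'], avc['target_type'],
                     avc['tclass'], *avc['perms']])

if __name__ == '__main__':
    parsed = parse_avc(SAMPLE_AVC)
    print(allow_rule(parsed), trace_key(parsed), sep='\n')
```

Reviewing each derived rule this way shows exactly what a local module would grant, whereas the catchall suggestion `grep sshd /var/log/audit/audit.log | audit2allow -M mypol` turns every matching denial in the log into a rule. For this denial the report already names the `use_nfs_home_dirs` boolean, so no local module is needed.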