Bug 863132

Summary: pam_mkhomedir creates home directory with wrong SELinux label

Field | Value | Field | Value
---|---|---|---
Product | [Fedora] Fedora | Reporter | Trond H. Amundsen <t.h.amundsen>
Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl>
Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | unspecified | Docs Contact | 
Priority | unspecified | | 
Version | 17 | CC | d.e.smorgrav, dominick.grift, dwalsh, mgrepl, plautrba, su_js1, tmraz
Target Milestone | --- | | 
Target Release | --- | | 
Hardware | Unspecified | | 
OS | Unspecified | | 
Whiteboard | | | 
Fixed In Version | | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment | 
Last Closed | 2012-12-20 15:47:05 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM | 
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | --- | Target Upstream Version | 
Embargoed | | | 
Description (Trond H. Amundsen, 2012-10-04 13:50:18 UTC)

To troubleshoot we tried to label /usr/sbin/mkhomedir_helper oddjob_mkhomedir_exec_t, since sshd_t is allowed to run files with that type with a domain transition to oddjob_mkhomedir_t. However, although we figured out that sshd_t actually "executes" the file with that type, it does not appear to be domain transitioning for some reason. The user home dir still gets created by /usr/sbin/mkhomedir_helper on behalf of root, running in the unconfined_t domain.

Petr, did we add the privsep patch also to F17?

Yes, this looks like a setexeccon is overriding the oddjob execution.

I don't think it's related to the privsep patch. The privsep patch changes the context of the actual process with setcon() based on the getexeccon() value. But there's the pam_selinux module which sets a user context for the next execve call.

Those two files work for me (together with the mkhomedir_helper context change):

/etc/pam.d/sshd

```
#%PAM-1.0
...
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include password-auth
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session include postlogin
```

/etc/pam.d/password-auth:

```
#%PAM-1.0
...
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```

I added labeling.

selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17

Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17 then log in and leave karma (feedback).

selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Having the exact same problem on RH el6.3 with selinux-policy-3.7.19-155.el6_3.13.noarch

Did you try to fix labeling using chcon?
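The PAM stacks quoted in the thread encode an ordering rule: pam_mkhomedir.so must run (from the included password-auth stack) before `pam_selinux.so open` sets the exec context for the user session, otherwise the helper is spawned under the user's context rather than sshd_t and the oddjob transition never applies; `pam_selinux.so close` must also be the first session rule. The script below is an added example, not code from the bug report or from the selinux-policy or pam packages. It flattens a service's session stack by following `include`/`substack` lines and checks both rules. The file contents are constructed approximations of the two files quoted above (session phase only; a minimal `postlogin` is assumed so the include resolves).

```python
"""Added example (not from the bug report): flatten a PAM session stack and
check the ordering rules discussed in the thread. All file contents below are
constructed for the example and stand in for /etc/pam.d/*."""
import re

# Constructed approximation of the sshd / password-auth session stacks quoted
# in the thread. "postlogin" is a minimal stand-in so the include resolves.
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include password-auth
session required pam_selinux.so open env_params
session include postlogin
""",
    "password-auth": """\
#%PAM-1.0
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
""",
    "postlogin": """\
#%PAM-1.0
session optional pam_lastlog.so silent noupdate showfailed
""",
}

# type  control  module  [args]; control may be a bracketed [key=val ...] form
# and a leading "-" (silence missing-module errors) is allowed on the type.
_LINE_RE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def session_stack(files, name, _depth=0):
    """Flattened list of (control, module, args) for the session phase of
    service `name`, with include/substack lines expanded in place."""
    if _depth > 8:
        raise ValueError("include loop in PAM config for %r" % name)
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m or m.group("type") != "session":
            continue
        control, module, args = m.group("control"), m.group("module"), m.group("args").strip()
        if control in ("include", "substack"):
            stack.extend(session_stack(files, module, _depth + 1))
        else:
            stack.append((control, module, args))
    return stack


def find(stack, module, arg_prefix=None):
    """Index of the first entry for `module` whose args start with
    `arg_prefix` (when given), or None if absent."""
    for i, (_control, mod, args) in enumerate(stack):
        if mod == module and (arg_prefix is None or args.startswith(arg_prefix)):
            return i
    return None


def check_ordering(files, name):
    """Evaluate the two rules from the thread; returns rule -> bool so the
    caller can say which one a given configuration violates."""
    stack = session_stack(files, name)
    close_idx = find(stack, "pam_selinux.so", "close")
    open_idx = find(stack, "pam_selinux.so", "open")
    mkhome_idx = find(stack, "pam_mkhomedir.so")
    return {
        "selinux_close_first": close_idx == 0,
        "mkhomedir_before_selinux_open": (
            mkhome_idx is not None and open_idx is not None and mkhome_idx < open_idx
        ),
    }


if __name__ == "__main__":
    for rule, ok in check_ordering(PAM_FILES, "sshd").items():
        print("%-32s %s" % (rule, "ok" if ok else "VIOLATED"))
```

To run this against a real host, replace `PAM_FILES` with the contents of `/etc/pam.d/<service>` and whatever it includes; the check only covers stack order, so a file still labelled with the wrong type (the `chcon` question at the end of the thread) has to be verified separately with `ls -Z /usr/sbin/mkhomedir_helper`.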