Bug 292601 - (CRON) chdir(HOME) failed: (Permission denied)
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-16 16:52 EDT by Paul Pluzhnikov
Modified: 2008-01-30 14:20 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:20:39 EST

Description Paul Pluzhnikov 2007-09-16 16:52:56 EDT
Description of problem:

This bug has almost exact duplicate symptoms of Bug 246396,
but the root cause (I believe) is SELinux policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a user with NFS-mounted $HOME

   In my case the user is also NIS-only; i.e. no local /etc/passwd entry.
   Also, in my case user's (NFS) home directory is /home/server/username

2. Create cron job for said user.

Actual results:

Cron job does not run.


Sep 16 13:34:01 devel33 crond[18223]: (CRON) chdir(HOME) failed: (Permission denied)
Sep 16 13:34:01 devel33 crond[18223]: (CRON) /home/camel7/devtest (Permission
Sep 16 13:34:01 devel33 crond[18223]: CRON (devtest) ERROR: failed to open PAM
security session: Permission denied

type=USER_ACCT msg=audit(1189974841.722:447): user pid=18223 uid=0 auid=0
subj=root:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=devtest
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(1189974841.724:448): avc:  denied  { search } for  pid=18223
comm="crond" name="" dev=0:18 ino=2
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1189974841.724:448): arch=c000003e syscall=80 success=no
exit=-13 a0=699855 a1=699990 a2=0 a3=0 items=0 ppid=18217 pid=18223 auid=0
uid=249 gid=100 euid=249 suid=249 fsuid=249 egid=100 sgid=100 fsgid=100
tty=(none) comm="crond" exe="/usr/sbin/crond"
subj=root:system_r:crond_t:s0-s0:c0.c1023 key=(null)

Expected results:
cron job executes

Additional info:
Comment 1 Daniel Walsh 2007-09-17 13:38:50 EDT
Fixed in selinux-policy-3.0.8-1.fc8
Comment 2 Paul Pluzhnikov 2007-09-17 17:25:38 EDT
Apparently the exact same problem also affects sshd:

$ ssh devel34
paul's password: 
Authentication successful.
Last login: Mon Sep 17 07:18:04 2007 from buffalo.parasoft.com
Could not chdir to home directory /home/camel1/paul: Permission denied
-bash-3.2$ pwd
-bash-3.2$ cd 
-bash-3.2$ pwd

Above, bash could chdir($HOME), but sshd can't 
(so bash starts in the wrong place).

From audit.log:
type=SYSCALL msg=audit(1190039032.385:68): arch=40000003 syscall=12 success=no
exit=-13 a0=b9c137f0 a1=ffffff7c a2=b7ff7904 a3=b9c12f28 items=0 ppid=18353
pid=18354 auid=161 uid=161 gid=100 euid=161 suid=161 fsuid=161 egid=100 sgid=100
fsgid=100 tty=pts1 comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Comment 3 Daniel Walsh 2007-09-18 11:04:23 EDT
This is not an AVC message.

Do you have the use_nfs_home_dirs boolean turned on?

setsebool -P use_nfs_home_dirs=1
Comment 4 Paul Pluzhnikov 2007-09-18 11:52:01 EDT
(In reply to comment #3)

> setsebool -P use_nfs_home_dirs=1

That cures it, thanks.
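
The triage carried out in comments 2 to 4, as an added example that is not part of the original bug thread: it groups audit records by event id, reports whether each failed syscall (exit=-13) has an AVC denial attached, and, for a denial on an nfs_t target, names the boolean from comment 3. The function name, the BOOLEAN_HINTS table and the trimmed sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Records copied from the thread above (wrapped lines rejoined, some fields trimmed).
SAMPLE = """\
type=AVC msg=audit(1189974841.724:448): avc:  denied  { search } for  pid=18223 comm="crond" name="" dev=0:18 ino=2 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1189974841.724:448): arch=c000003e syscall=80 success=no exit=-13 pid=18223 uid=249 comm="crond" exe="/usr/sbin/crond" subj=root:system_r:crond_t:s0-s0:c0.c1023
type=SYSCALL msg=audit(1190039032.385:68): arch=40000003 syscall=12 success=no exit=-13 pid=18354 uid=161 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+) \}")

# Assumption: hypothetical lookup table; only the nfs_t entry comes from the thread.
BOOLEAN_HINTS = {"nfs_t": "use_nfs_home_dirs"}

def triage(log_text):
    """Group audit records by event id and classify each EACCES syscall."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = body   # records of one event share an id
    findings = []
    for event_id, recs in events.items():
        if "SYSCALL" not in recs:
            continue
        sc = {k: v.strip('"') for k, v in FIELD_RE.findall(recs["SYSCALL"])}
        if sc.get("exit") != "-13":          # -13 is EACCES (Permission denied)
            continue
        finding = {"event": event_id, "comm": sc.get("comm"), "avc": False,
                   "perms": [], "ttype": None, "boolean": None}
        avc = recs.get("AVC")
        if avc:                              # a denial was logged for this event
            fields = dict(FIELD_RE.findall(avc))
            perms = PERMS_RE.search(avc)
            ttype = fields.get("tcontext", ":::").split(":")[2]
            finding.update(avc=True, perms=perms.group(1).split() if perms else [],
                           ttype=ttype, boolean=BOOLEAN_HINTS.get(ttype))
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

On the sample, the crond event carries a `search` denial on `nfs_t`, while the sshd event has only a SYSCALL record, which is the distinction drawn in comment 3.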
Comment 5 Michael Wang 2007-11-24 00:16:51 EST
The problem is not limited to NFS home dirs, but also occurs on local file
systems other than the root file system (/). For example, /boot/test where /boot
is a separate file system.

The problem occurs with ssh and with mingetty.

The problem cannot be cured by setsebool -P use_nfs_home_dirs=1.
The only cure I found is to disable SELinux.
Comment 6 Daniel Walsh 2007-12-18 10:31:41 EST
What avc messages are you seeing when this happens?
Comment 7 Daniel Walsh 2008-01-30 14:20:39 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
