Bug 448556 - SELinux policy blocking sshd access needed by pam_mkhomedir
Summary: SELinux policy blocking sshd access needed by pam_mkhomedir
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-27 17:01 UTC by Jeff Sheltren
Modified: 2008-05-30 14:32 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-30 14:32:05 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jeff Sheltren 2008-05-27 17:01:07 UTC
Description of problem:
When using the default policy installed on Fedora 9, SELinux is blocking access
for sshd to write (and other actions) in /home which is needed for pam_mkhomedir
to be able to create a user's home directory on login.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-51.fc9
selinux-policy-targeted-3.3.1-51.fc9

How reproducible:  Always


Steps to Reproduce:
1. Enable pam_mkhomedir by adding ie. the following to system-auth-ac:
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0066
2. Have a valid user (without a home directory) login via ssh.

  
Actual results:
SELinux blocks sshd access to write in /home which is needed for the home
directory to be created and populated with default files.


Expected results:
Home directory should be created and populated with files from /etc/skel.

Additional info:
Going through AVC denial messages, I was able to create the following policy
which allows pam_mkhomedir to work properly via ssh:


module local 1.0;

require {
        type home_root_t;
        type sshd_t;
        class dir { write create add_name setattr };
        class file { write create setattr };
}

#============= sshd_t ==============
allow sshd_t home_root_t:dir { write create add_name setattr };
allow sshd_t home_root_t:file { write create setattr };

Comment 1 Daniel Walsh 2008-05-27 17:32:36 UTC
Can you try to use oddjob-mkhomedir.i386  This should work better with SELinux.

Comment 2 Jeff Sheltren 2008-05-30 14:01:28 UTC
Came across a bug with oddjob, but now with the latest oddjob and
selinux-policy-3.3.1-61.fc9, home directory creation is working.  Thanks!

Comment 3 Daniel Walsh 2008-05-30 14:32:05 UTC
Use oddjob-mkhomedir.i386


Note You need to log in before you can comment on or make changes to this bug.