Bug 448556 - SELinux policy blocking sshd access needed by pam_mkhomedir
Product: Fedora
Classification: Fedora
Component: selinux-policy
Platform: All Linux
Priority: low  Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-27 13:01 EDT by Jeff Sheltren
Modified: 2008-05-30 10:32 EDT

Doc Type: Bug Fix
Last Closed: 2008-05-30 10:32:05 EDT
Description Jeff Sheltren 2008-05-27 13:01:07 EDT
Description of problem:
When using the default policy installed on Fedora 9, SELinux is blocking access
for sshd to write (and other actions) in /home which is needed for pam_mkhomedir
to be able to create a user's home directory on login.

Version-Release number of selected component (if applicable):

How reproducible:  Always

Steps to Reproduce:
1. Enable pam_mkhomedir by adding, i.e., the following to system-auth-ac:
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0066
2. Have a valid user (without a home directory) log in via ssh.

Actual results:
SELinux blocks sshd access to write in /home which is needed for the home
directory to be created and populated with default files.

Expected results:
Home directory should be created and populated with files from /etc/skel.

Additional info:
Going through AVC denial messages, I was able to create the following policy
which allows pam_mkhomedir to work properly via ssh:

module local 1.0;

require {
        type home_root_t;
        type sshd_t;
        class dir { write create add_name setattr };
        class file { write create setattr };
}

#============= sshd_t ==============
allow sshd_t home_root_t:dir { write create add_name setattr };
allow sshd_t home_root_t:file { write create setattr };
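As an added example (not part of the report or of the Fedora policy), a small review helper that parses a local .te module such as the one above and flags allow rules giving a network-facing domain like sshd_t write access to home_root_t, the kind of broadening of the sshd domain that a confined helper such as oddjob-mkhomedir avoids. The module text is a constructed copy of the report's module with its require block closed, and the list of network-facing domains is an assumption for this example.

```python
import re
from collections import namedtuple

# Constructed sample input: the report's local module, with the require block closed.
LOCAL_TE = """\
module local 1.0;

require {
        type home_root_t;
        type sshd_t;
        class dir { write create add_name setattr };
        class file { write create setattr };
}

#============= sshd_t ==============
allow sshd_t home_root_t:dir { write create add_name setattr };
allow sshd_t home_root_t:file { write create setattr };
"""

# Permissions that let a domain modify /home itself or the entries under it.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "setattr", "unlink", "rename"}
# Assumed review list: network-facing domains that should not write home_root_t directly.
NETWORK_DOMAINS = {"sshd_t", "httpd_t", "ftpd_t"}

# Matches: allow <source> <target>:<class> { perm ... };  or  allow ... :<class> perm;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;", re.M)
AllowRule = namedtuple("AllowRule", "source target cls perms")

def parse_allow_rules(te_text):
    """Return the allow rules of a .te module; '#' comments are stripped first."""
    text = re.sub(r"#.*", "", te_text)
    rules = []
    for m in ALLOW_RE.finditer(text):
        perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        rules.append(AllowRule(m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return rules

def review_home_access(te_text):
    """List (source, class, perms) where a network-facing domain gains write access to home_root_t."""
    findings = []
    for r in parse_allow_rules(te_text):
        hits = r.perms & WRITE_PERMS
        if r.source in NETWORK_DOMAINS and r.target == "home_root_t" and hits:
            findings.append((r.source, r.cls, sorted(hits)))
    return findings

if __name__ == "__main__":
    for src, cls, perms in review_home_access(LOCAL_TE):
        print(f"{src} gets {' '.join(perms)} on home_root_t:{cls}; consider oddjob-mkhomedir instead")
```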
Comment 1 Daniel Walsh 2008-05-27 13:32:36 EDT
Can you try to use oddjob-mkhomedir.i386? This should work better with SELinux.
Comment 2 Jeff Sheltren 2008-05-30 10:01:28 EDT
Came across a bug with oddjob, but now with the latest oddjob and
selinux-policy-3.3.1-61.fc9, home directory creation is working.  Thanks!
Comment 3 Daniel Walsh 2008-05-30 10:32:05 EDT
Use oddjob-mkhomedir.i386