Bug 598742 - Selinux prevent local GUI login and drop remote login to / when home dir is not under /home
Selinux prevent local GUI login and drop remote login to / when home dir is n...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-01 19:11 EDT by Lei Zhou
Modified: 2010-06-02 12:11 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-02 08:34:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lei Zhou 2010-06-01 19:11:58 EDT
Description of problem:

I have several fedora boxes in a cluster.  The home directory is mounted under /data as /data/home from a nfs share. There is a link under / named /home -> /data/home.

It was all normal when it was Fedora 12.  

However, when I upgraded them into Fedora 13, I could nolonger log in local GUI, and the remote login dropped me to / since it could not change dir to /home/userroot.  However, when I logged in remotely, I could cd ~ with no problem.

When I do 'setenforce 0', everything is back to normal.

So this must be a selinux policy issue.

To be noted, 
setsebool -P use_nfs_home_dirs=1
has been done to allow using nfs volume as home dir.

Unfortunately, I tried 

audit2allow -m local -l -i /var/log/audit/audit.log

but it returned nothing.  

This means that this bug cannot be fixed by the standard way.

After some thinking and tries, I found that it was the /data stage, which has a default_t attribute, prevented sshd, xauth, and local_login from going through it to the actual home directory.

My current work around is to use the following local.te file

module local 1.0;

require {
type local_login_t;
type default_t;
type xauth_t;
type sshd_t;
class dir search;
}

#============= sshd_t ==============
allow sshd_t default_t:dir search;

#============= xauth_t ==============
allow xauth_t default_t:dir search;

#============= local_login_t ==============
allow local_login_t default_t:dir search;

By inserting this into the selinux policy by running
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
this issue is solved.

Version-Release number of selected component (if applicable):

Fedora 13

How reproducible:

Always

Steps to Reproduce:
1.mkdir /data; mkdir /data/home; mount your_nfs_home /data/home; ln -s /data/home /home
2.make sure 
  ls -Z / | grep data
returns something like
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 data
3.try local and remote login
  
Actual results:

Cannot do local GUI login, and remote login dropped to / without the workaround.

Expected results:

Local GUI login and remote login are normal without the workaround.

Additional info:
Comment 1 Lei Zhou 2010-06-01 19:12:56 EDT
http://bitc.bme.emory.edu/~lzhou/blogs/?p=125
Comment 2 Lei Zhou 2010-06-02 07:59:50 EDT
The above workaround is flawed.  It still did not allow login through authorized_keys.  To make this possible, the local policy should be:

_________________________________________________________________
module local 1.0;

require {
    type local_login_t;
    type default_t;
    type xauth_t;
    type sshd_t;
    class dir { search getattr };
}

#============= sshd_t ==============
allow sshd_t default_t:dir { search getattr };

#============= xauth_t ==============
allow xauth_t default_t:dir search;

#============= local_login_t ==============
allow local_login_t default_t:dir search;
__________________________________________________________________

To be noted, the reason I report this self-solved issue as a bug is because of its inconsistencies:
a) It did not generate any denial log in /var/log/audit/audit.log, which made the debugging unnecessarily difficult;
b) Although it prevented the login process to change dir to user root, and drop user log in point to /, after logged on, user can "cd ~" without any problem.  This means that the selinux policies for login process is inconsistent with user shell, like bash or tcsh;
c) This issue did not exist in Fedora 12, means that it was created in the development of Fedora 13;
d) Up to date, Fedora overnight update did not fix this issue.
Comment 3 Daniel Walsh 2010-06-02 08:34:33 EDT
You need to setup the labeling.

# semanage fcontext -a -t home_root_t /data
# semanage fcontext -e /home /data/home
# restorecon -R -v /data

Should fix.
Comment 4 Lei Zhou 2010-06-02 11:45:16 EDT
Comments:
a) Although the fact can be treated "Not a bug", but it IS a bug if selinux does not report this denial in /var/log/audit/audit.log.  If it did, I'd not report it here but rather mending it using a local policy as usual.

b) Also it IS A BUG of having the login process and bash/tcsh treated differently on directory access.  This could raise other issues. As what I know, it also broke my 'ssh node command' requests.

c) There is no reason to make such change of having a worked thing in Fedora 12 not-working and say it is NOT A BUG!

d) It is virtually improper to relabel /data home_root_t since it does not hold only the home directories.

Please reconsider.

Or I'd have to report this as several separated bugs of "Selinux does not report denial" etc.

Hope to see your reply.  Thanks!

BTW, I'd say REDHAT had never really seriously considered customer's bug report as expected.  They always go the easiest to them solution.  I'd say this is why linux still cannot win over Windows. Sigh...

(In reply to comment #3)
> You need to setup the labeling.
> 
> # semanage fcontext -a -t home_root_t /data
> # semanage fcontext -e /home /data/home
> # restorecon -R -v /data
> 
> Should fix.
Comment 5 Lei Zhou 2010-06-02 11:46:13 EDT
This is another attempt that is ignored of trying to help the linux community.  Sigh...
Comment 6 Daniel Walsh 2010-06-02 12:08:47 EDT
Ok label /data as usr_t which can be searched by most domains.  I would be supprised if this would work under F12 unless you had a custom policy module or labels under /data that allowed the login programs to search.

# semanage fcontext -a -t usr_t /data

There are potential dontaudit rules that could have blocked one of the allow rules that would have allowed this to work.

You can turn off dontaudit rules with 

semodule -DB

and turn them back on with 

semodule -B

In the case of adding allow rules using audit2allow, that would have been a bad solution.  Often doing this is the wrong solution.

Look at this.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
Comment 7 Daniel Walsh 2010-06-02 12:11:37 EDT
A little premature on getting depressed over working with the Linux community...

You have a configuration issue, that I can not fix.  It is somewhat similar to setting the UID and Permission flags on the contents of the directories.  SELinux just wants you to label them correctly.  If a directory contains user content, it needs to be labeled as such.

Random directories created in / are labeled default_t, and no confined domains are allowed to search through default_t since SELinux does not know what is in those directories.  For all it knows it could be credit card data or nuclear secrets...

Note You need to log in before you can comment on or make changes to this bug.