757722 – Don't dontaudit sshd_t accessing nfs_t

Bug 757722 - Don't dontaudit sshd_t accessing nfs_t

Summary: Don't dontaudit sshd_t accessing nfs_t

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	16
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-11-28 13:59 UTC by Jan "Yenya" Kasprzak
Modified:	2012-05-18 15:46 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.10.0-64.fc16
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 01:05:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan "Yenya" Kasprzak 2011-11-28 13:59:46 UTC

Description of problem:
I have spent a non-trivial amount of time checking why some users are given the following message after ssh login after I upgraded to F16 and enabled SElinux:

Could not chdir to home directory /home/<loginname>: Permission denied

after that, the cwd of their shell was /, but they could do "cd ~" without problem. Later, after seeing no AVCs in the audit.log and verifying that "setenforce 0" made the problem disappear, I have allowed the "dontaudit" messages to be logged. Only then I have then discovered that only users with their home on NFS volume had this problem, so "setsebool use_nfs_home_dirs 1" was the correct fix.

I would however suggest that AVCs about sshd_t accessing nfs_t should be logged, not dontaudited (unless there is a good reason to actually dontaudit them). It would make the whole debugging much easier. Thanks for considering this modification to the policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-56.fc16.noarch
selinux-policy-3.10.0-56.fc16.noarch

Comment 1 Daniel Walsh 2011-11-29 03:06:46 UTC

Miroslav I think f5650ab535ffd9536fe948834bee5b0b0eb3149b

will fix this problem.

Comment 2 Miroslav Grepl 2011-11-29 11:25:08 UTC

We will see. Fixed in -63.fc16 release.

Comment 3 Fedora Update System 2011-12-02 13:15:55 UTC

selinux-policy-3.10.0-64.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-64.fc16

Comment 4 Fedora Update System 2011-12-04 02:31:57 UTC

Package selinux-policy-3.10.0-64.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-64.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16698/selinux-policy-3.10.0-64.fc16
then log in and leave karma (feedback).

Comment 5 Jan "Yenya" Kasprzak 2011-12-05 15:39:29 UTC

Works for me, thanks. Karma updated.

Comment 6 Fedora Update System 2011-12-06 01:05:41 UTC

selinux-policy-3.10.0-64.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Scott Dowdle 2012-05-16 23:05:44 UTC

I'm having the same problem on a fully updated RHEL 6.2 box.  What's the fix?

Comment 8 Daniel Walsh 2012-05-18 15:46:14 UTC

Well you could try the 6.3 policy, which has a preview release on people.redhat.com/dwalsh/SELinux/RHEL6

Or you could add a custom policy module with a dontaudit rule.

Note You need to log in before you can comment on or make changes to this bug.