Bug 757722 - Don't dontaudit sshd_t accessing nfs_t
Summary: Don't dontaudit sshd_t accessing nfs_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-28 13:59 UTC by Jan "Yenya" Kasprzak
Modified: 2012-05-18 15:46 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.10.0-64.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 01:05:41 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jan "Yenya" Kasprzak 2011-11-28 13:59:46 UTC 
Description of problem:
I have spent a non-trivial amount of time checking why some users are given the following message after ssh login after I upgraded to F16 and enabled SElinux:

Could not chdir to home directory /home/<loginname>: Permission denied

after that, the cwd of their shell was /, but they could do "cd ~" without problem. Later, after seeing no AVCs in the audit.log and verifying that "setenforce 0" made the problem disappear, I have allowed the "dontaudit" messages to be logged. Only then I have then discovered that only users with their home on NFS volume had this problem, so "setsebool use_nfs_home_dirs 1" was the correct fix.

I would however suggest that AVCs about sshd_t accessing nfs_t should be logged, not dontaudited (unless there is a good reason to actually dontaudit them). It would make the whole debugging much easier. Thanks for considering this modification to the policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-56.fc16.noarch
selinux-policy-3.10.0-56.fc16.noarch
Comment 1 Daniel Walsh 2011-11-29 03:06:46 UTC 
Miroslav I think f5650ab535ffd9536fe948834bee5b0b0eb3149b

will fix this problem.
Comment 2 Miroslav Grepl 2011-11-29 11:25:08 UTC 
We will see. Fixed in -63.fc16 release.
Comment 3 Fedora Update System 2011-12-02 13:15:55 UTC 
selinux-policy-3.10.0-64.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-64.fc16
Comment 4 Fedora Update System 2011-12-04 02:31:57 UTC 
Package selinux-policy-3.10.0-64.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-64.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16698/selinux-policy-3.10.0-64.fc16
then log in and leave karma (feedback).
Comment 5 Jan "Yenya" Kasprzak 2011-12-05 15:39:29 UTC 
Works for me, thanks. Karma updated.
Comment 6 Fedora Update System 2011-12-06 01:05:41 UTC 
selinux-policy-3.10.0-64.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Scott Dowdle 2012-05-16 23:05:44 UTC 
I'm having the same problem on a fully updated RHEL 6.2 box.  What's the fix?
Comment 8 Daniel Walsh 2012-05-18 15:46:14 UTC 
Well you could try the 6.3 policy, which has a preview release on people.redhat.com/dwalsh/SELinux/RHEL6

Or you could add a custom policy module with a dontaudit rule.
Note You need to log in before you can comment on or make changes to this bug.