LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Permissions issues with pam_mkhomedir.so when SELinux set to enforce (https://www.linuxquestions.org/questions/linux-server-73/permissions-issues-with-pam_mkhomedir-so-when-selinux-set-to-enforce-868546/)

manyrootsofallevil 03-14-2011 02:29 PM
Permissions issues with pam_mkhomedir.so when SELinux set to enforce
 
Hello,

I've got a red hat box joined to a win 2k3 domain and I'm using pam_mkhomedir.so to create user's home directories on first login to the box.

extract from /etc/pam.d/sshd

Code:
session    required    pam_mkhomedir.so skel=/etc/skel umask=0022
The problem I have is that this only works if I switch SELINUX off (i.e. set enforcing to disabled ).

Unfortunately, the error messages are not very helpful. Extract from /var/log/secure below:

Code:
Mar 14 19:10:15 RHEL6 sshd[29865]: pam_mkhomedir(sshd:session): Executing mkhomedir_helper.
Mar 14 19:10:15 RHEL6 mkhomedir_helper: PAM unable to create directory /home/test: Permission denied
Mar 14 19:10:15 RHEL6 sshd[29865]: pam_mkhomedir(sshd:session): mkhomedir_helper returned 6
Any ideas?

TIA

corp769 03-14-2011 03:27 PM
Since we have no real error output to work with, run the following and see if a relabel will relabel the files:
Code:
sudo touch /.autorelabel; sudo reboot
Make sure you have selinux enabled.

Josh

manyrootsofallevil 03-15-2011 02:48 AM
Here's an extract of audit.log with selinux on.


Quote:
type=CRED_ACQ msg=audit(1300174800.168:29224): user pid=32075 uid=0 auid=0 ses=351 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="rhel6" exe="/usr/sbin/sshd" hostname=rhel6.dev.com addr=10.168.20.226 terminal=ssh res=success'
type=AVC msg=audit(1300174800.184:29225): avc: denied { write } for pid=32084 comm="mkhomedir_helpe" name="home" dev=sda3 ino=131949 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u: object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300174800.184:29225): arch=c000003e syscall=83 success=no exit=-13 a0=79e031 a1=1ed a2=0 a3=c items=0 ppid=32075 pid=32084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=351 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=LOGIN msg=audit(1300174800.193:29226): login pid=32075 uid=0 old auid=0 new auid=10005 old ses=351 new ses=449
type=USER_ROLE_CHANGE msg=audit(1300174800.248:29227): user pid=32075 uid=0 auid=10005 ses=449 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
I'll try your suggestion this evening.

thanks

edit:

here is the output when I set SELINUX to permissive

Quote:
type=CRED_ACQ msg=audit(1300179459.469:15248): user pid=1499 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="rhel6" exe="/usr/sbin/sshd" hostname=rhel6.dev.com addr=10.168.20.226 terminal=ssh res=success'
type=AVC msg=audit(1300179459.486:15249): avc: denied { write } for pid=1508 comm="mkhomedir_helpe" name="home" dev=sda3 ino=131949 scontext=system_u :system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u: object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300179459.486:15249): avc: denied { add_name } for pid=1508 comm="mkhomedir_helpe" name="rhel6" scontext=system_u :system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300179459.486:15249): avc: denied { create } for pid=1508 comm="mkhomedir_helpe" name="rhel6" scontext=system_u :system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300179459.486:15249): arch=c000003e syscall=83 success=yes exit=0 a0=24ed031 a1=1ed a2=0 a3=c items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300179459.512:15250): avc: denied { create } for pid=1508 comm="mkhomedir_helpe" name=".bashrc" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1300179459.512:15250): avc: denied { write open } for pid=1508 comm="mkhomedir_helpe" name=".bashrc" dev=sda3 ino=133652 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1300179459.512:15250): arch=c000003e syscall=2 success=yes exit=5 a0=7fff77c36a80 a1=241 a2=180 a3=fffffff9 items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300179459.512:15251): avc: denied { setattr } for pid=1508 comm="mkhomedir_helpe" name=".bashrc" dev=sda3 ino=133652 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1300179459.512:15251): arch=c000003e syscall=91 success=yes exit=0 a0=5 a1=81a4 a2=180 a3=fffffff9 items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300179459.513:15252): avc: denied { setattr } for pid=1508 comm="mkhomedir_helpe" name="rhel6" dev=sda3 ino=130566 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300179459.513:15252): arch=c000003e syscall=90 success=yes exit=0 a0=24ed031 a1=1ed a2=176c0 a3=fffffff4 items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=LOGIN msg=audit(1300179459.520:15253): login pid=1499 uid=0 old auid=4294967295 new auid=10005 old ses=4294967295 new ses=3

manyrootsofallevil 03-16-2011 01:27 PM
In the end I went for the long winded solution detailed here:

http://www.linuxforums.org/articles/...linux_355.html

I had to install policycoreutils-python to get audit2allow

I defo need to read up on SELinux :D

edit:

Although it is not mentioned in the article, I set SElinux to permissive, this allowed me to get all the error messages (compare log extracts in my previous posts) in one go and then create the se module.

corp769 03-16-2011 06:15 PM
Awesome, glad to hear you got it working. That was going to be the next route; I tell everyone to do a full relabel because it makes it easier sometimes, but in your case, I don't know if you did so or not.


All times are GMT -5. The time now is 01:55 AM.