LinuxQuestions.org
Old 03-14-2011, 02:29 PM   #1
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Rep: Reputation: 14
Permissions issues with pam_mkhomedir.so when SELinux set to enforce


Hello,

I've got a red hat box joined to a win 2k3 domain and I'm using pam_mkhomedir.so to create user's home directories on first login to the box.

extract from /etc/pam.d/sshd

Code:
session    required    pam_mkhomedir.so skel=/etc/skel umask=0022
The problem I have is that this only works if I switch SELINUX off (i.e. set enforcing to disabled).

Unfortunately, the error messages are not very helpful. Extract from /var/log/secure below:

Code:
Mar 14 19:10:15 RHEL6 sshd[29865]: pam_mkhomedir(sshd:session): Executing mkhomedir_helper.
Mar 14 19:10:15 RHEL6 mkhomedir_helper: PAM unable to create directory /home/test: Permission denied
Mar 14 19:10:15 RHEL6 sshd[29865]: pam_mkhomedir(sshd:session): mkhomedir_helper returned 6
Any ideas?

TIA
 
Old 03-14-2011, 03:27 PM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Since we have no real error output to work with, run the following and see if a relabel will relabel the files:
Code:
sudo touch /.autorelabel; sudo reboot
Make sure you have SELinux enabled.

Josh
 
Old 03-15-2011, 02:48 AM   #3
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Original Poster
Rep: Reputation: 14
Here's an extract of audit.log with selinux on.


Quote:
type=CRED_ACQ msg=audit(1300174800.168:29224): user pid=32075 uid=0 auid=0 ses=351 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="rhel6" exe="/usr/sbin/sshd" hostname=rhel6.dev.com addr=10.168.20.226 terminal=ssh res=success'
type=AVC msg=audit(1300174800.184:29225): avc: denied { write } for pid=32084 comm="mkhomedir_helpe" name="home" dev=sda3 ino=131949 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300174800.184:29225): arch=c000003e syscall=83 success=no exit=-13 a0=79e031 a1=1ed a2=0 a3=c items=0 ppid=32075 pid=32084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=351 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=LOGIN msg=audit(1300174800.193:29226): login pid=32075 uid=0 old auid=0 new auid=10005 old ses=351 new ses=449
type=USER_ROLE_CHANGE msg=audit(1300174800.248:29227): user pid=32075 uid=0 auid=10005 ses=449 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
I'll try your suggestion this evening.

thanks

edit:

Here is the output when I set SELINUX to permissive:

Quote:
type=CRED_ACQ msg=audit(1300179459.469:15248): user pid=1499 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="rhel6" exe="/usr/sbin/sshd" hostname=rhel6.dev.com addr=10.168.20.226 terminal=ssh res=success'
type=AVC msg=audit(1300179459.486:15249): avc: denied { write } for pid=1508 comm="mkhomedir_helpe" name="home" dev=sda3 ino=131949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300179459.486:15249): avc: denied { add_name } for pid=1508 comm="mkhomedir_helpe" name="rhel6" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300179459.486:15249): avc: denied { create } for pid=1508 comm="mkhomedir_helpe" name="rhel6" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300179459.486:15249): arch=c000003e syscall=83 success=yes exit=0 a0=24ed031 a1=1ed a2=0 a3=c items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300179459.512:15250): avc: denied { create } for pid=1508 comm="mkhomedir_helpe" name=".bashrc" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1300179459.512:15250): avc: denied { write open } for pid=1508 comm="mkhomedir_helpe" name=".bashrc" dev=sda3 ino=133652 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1300179459.512:15250): arch=c000003e syscall=2 success=yes exit=5 a0=7fff77c36a80 a1=241 a2=180 a3=fffffff9 items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300179459.512:15251): avc: denied { setattr } for pid=1508 comm="mkhomedir_helpe" name=".bashrc" dev=sda3 ino=133652 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1300179459.512:15251): arch=c000003e syscall=91 success=yes exit=0 a0=5 a1=81a4 a2=180 a3=fffffff9 items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300179459.513:15252): avc: denied { setattr } for pid=1508 comm="mkhomedir_helpe" name="rhel6" dev=sda3 ino=130566 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300179459.513:15252): arch=c000003e syscall=90 success=yes exit=0 a0=24ed031 a1=1ed a2=176c0 a3=fffffff4 items=0 ppid=1499 pid=1508 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=LOGIN msg=audit(1300179459.520:15253): login pid=1499 uid=0 old auid=4294967295 new auid=10005 old ses=4294967295 new ses=3

Last edited by manyrootsofallevil; 03-15-2011 at 04:21 AM.
 
Old 03-16-2011, 01:27 PM   #4
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Original Poster
Rep: Reputation: 14
In the end I went for the long winded solution detailed here:

http://www.linuxforums.org/articles/...linux_355.html

I had to install policycoreutils-python to get audit2allow.

I defo need to read up on SELinux

edit:

Although it is not mentioned in the article, I set SELinux to permissive; this allowed me to get all the error messages (compare the log extracts in my previous posts) in one go and then create the SELinux module.

Last edited by manyrootsofallevil; 03-16-2011 at 01:31 PM.
 
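A shell example, added here and not part of the thread, that does by hand what the OP's permissive run plus audit2allow did: it reads audit.log-style records and reduces the AVC denials to one line per (source domain, target type, object class) with the union of denied permissions. The sample lines are constructed from the two extracts posted above; comparing the two outputs shows why the permissive run is the one worth collecting, since under enforcing mkhomedir_helper aborts at the first denial and only "write" on home_root_t is ever logged.

```shell
#!/bin/sh
# Added example (not from the thread): reduce SELinux AVC denials in audit.log
# to "source_domain target_type class: denied permissions", one line per triple.
# Sample lines below are constructed from the two extracts posted in this thread.

summarize_avc() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      # the denied permissions sit between "{" and "}", e.g. { write open }
      perms = ""
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      sctx = ""; tctx = ""; tcls = ""
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type:level -> keep only the type (third field)
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); sctx = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tctx = b[3] }
        else if ($i ~ /^tclass=/)   { tcls = substr($i, 8) }
      }
      key = sctx " " tctx " " tcls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)           # union of permissions, first-seen order
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END { for (k in seen) print k ": " seen[k] }
  ' | sort
}

# Enforcing: the helper aborts at the first denial, so only one AVC is logged.
ENFORCING_LOG='type=AVC msg=audit(1300174800.184:29225): avc:  denied  { write } for  pid=32084 comm="mkhomedir_helpe" name="home" dev=sda3 ino=131949 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# Permissive: every access is allowed but still logged, so the full set appears.
# The SYSCALL record is included to show that non-AVC records are ignored.
PERMISSIVE_LOG='type=AVC msg=audit(1300179459.486:15249): avc:  denied  { write } for  pid=1508 comm="mkhomedir_helpe" name="home" dev=sda3 ino=131949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300179459.486:15249): avc:  denied  { add_name } for  pid=1508 comm="mkhomedir_helpe" name="rhel6" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300179459.486:15249): avc:  denied  { create } for  pid=1508 comm="mkhomedir_helpe" name="rhel6" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1300179459.486:15249): arch=c000003e syscall=83 success=yes exit=0 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper"
type=AVC msg=audit(1300179459.512:15250): avc:  denied  { create } for  pid=1508 comm="mkhomedir_helpe" name=".bashrc" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1300179459.512:15250): avc:  denied  { write open } for  pid=1508 comm="mkhomedir_helpe" name=".bashrc" dev=sda3 ino=133652 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1300179459.512:15251): avc:  denied  { setattr } for  pid=1508 comm="mkhomedir_helpe" name=".bashrc" dev=sda3 ino=133652 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1300179459.513:15252): avc:  denied  { setattr } for  pid=1508 comm="mkhomedir_helpe" name="rhel6" dev=sda3 ino=130566 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

echo "enforcing:";  printf '%s\n' "$ENFORCING_LOG"  | summarize_avc
echo "permissive:"; printf '%s\n' "$PERMISSIVE_LOG" | summarize_avc
```

Before feeding the permissive-mode lines to audit2allow -M as in post #4, check that every triple in this summary is an access you intend to grant; a denial against an unexpected target type usually means a mislabelled path (the relabel suggested in post #2) rather than a missing rule.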
Old 03-16-2011, 06:15 PM   #5
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Awesome, glad to hear you got it working. That was going to be the next route; I tell everyone to do a full relabel because it makes it easier sometimes, but in your case, I don't know if you did so or not.