SELinux Module

Home » CentOS » SELinux Module

September 16, 2016 Bernard Fay CentOS 3 Comments

Hello everyone,

I have a problem with oddjob_mkhomedir on a NFS mount point. The actual context is nfs_t

drwxr-xr-x. root root system_u:object_r:nfs_t:s0 users/

With this type, oddjob_mkhomedir cannot do is job of creating home user directories.

In the logs, I found about creating a new module with audi2allow and semodule:

[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
X11 connection rejected because of wrong authentication. SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on the file .bash_logout.

***** Plugin catchall_boolean (89.3 confidence) suggests
******************

If you want to allow use to nfs home dirs Then you must tell SELinux about this by enabling the ‘use_nfs_home_dirs’
boolean. You can read ‘None’ man page for more details. Do setsebool -P use_nfs_home_dirs 1

***** Plugin catchall (11.6 confidence) suggests
**************************

If you believe that mkhomedir should be allowed setattr access on the
.bash_logout file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c102
3
Target Context system_u:object_r:nfs_t:s0
Target Objects .bash_logout [ file ]
Source mkhomedir Source Path /usr/libexec/oddjob/mkhomedir Port
Host Source RPM Packages oddjob-mkhomedir-0.31.5-4.el7.x86_64
Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name Platform Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-09-15 15:12:48 EDT
Last Seen 2016-09-15 15:12:48 EDT
Local ID fe2d7f60-d3ff-405b-b518-38d0cf021598

Raw Audit Messages type=AVC msg=audit(1473966768.233:9091): avc: denied { setattr } for pid(565 comm=”mkhomedir” name=”.bash_logout” dev=”0:40″ ino48581
scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=file

type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall

3 thoughts on - SELinux Module

I do not want to disable SELinux at large but only for a directory and its sub-directories.

On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O’Connor Jr.

If you are using NFS homedirs, you should run:

setsebool -P use_nfs_home_dirs 1

Thanks a lot Jonathan,

It was that simple!!!

Problem fixed!

Bernard Fay says:

September 16, 2016 at 7:34 am

I do not want to disable SELinux at large but only for a directory and its sub-directories.

On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O’Connor Jr.
Jonathan Billings says:

September 16, 2016 at 9:06 am

If you are using NFS homedirs, you should run:

setsebool -P use_nfs_home_dirs 1
Bernard Fay says:

September 16, 2016 at 10:29 am

Thanks a lot Jonathan,

It was that simple!!!

Problem fixed!

SELinux Module

3 thoughts on - SELinux Module

Recommended

Recent Posts

Recent Comments

Archives

Categories

Meta