SELinux Module
Hello everyone,
I have a problem with oddjob_mkhomedir on a NFS mount point. The actual context is nfs_t
drwxr-xr-x. root root system_u:object_r:nfs_t:s0 users/
With this type, oddjob_mkhomedir cannot do is job of creating home user directories.
In the logs, I found about creating a new module with audi2allow and semodule:
[root@ audit]# sealert -l fe2d7f60-d3ff-405b-b518-38d0cf021598
X11 connection rejected because of wrong authentication. SELinux is preventing /usr/libexec/oddjob/mkhomedir from setattr access on the file .bash_logout.
***** Plugin catchall_boolean (89.3 confidence) suggests
******************
If you want to allow use to nfs home dirs Then you must tell SELinux about this by enabling the ‘use_nfs_home_dirs’
boolean. You can read ‘None’ man page for more details. Do setsebool -P use_nfs_home_dirs 1
***** Plugin catchall (11.6 confidence) suggests
**************************
If you believe that mkhomedir should be allowed setattr access on the
.bash_logout file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# grep mkhomedir /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c102
3
Target Context system_u:object_r:nfs_t:s0
Target Objects .bash_logout [ file ]
Source mkhomedir Source Path /usr/libexec/oddjob/mkhomedir Port
Host Source RPM Packages oddjob-mkhomedir-0.31.5-4.el7.x86_64
Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name Platform Linux 3.10.0-327.28.3.el7.x86_64 #1 SMP
Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-09-15 15:12:48 EDT
Last Seen 2016-09-15 15:12:48 EDT
Local ID fe2d7f60-d3ff-405b-b518-38d0cf021598
Raw Audit Messages type=AVC msg=audit(1473966768.233:9091): avc: denied { setattr } for pid(565 comm=”mkhomedir” name=”.bash_logout” dev=”0:40″ ino48581
scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1473966768.233:9091): arch=x86_64 syscall
3 thoughts on - SELinux Module
I do not want to disable SELinux at large but only for a directory and its sub-directories.
On Fri, Sep 16, 2016 at 8:31 AM, Eddie G. O’Connor Jr.
If you are using NFS homedirs, you should run:
setsebool -P use_nfs_home_dirs 1
Thanks a lot Jonathan,
It was that simple!!!
Problem fixed!