sheltren.com

I recently setup a Fedora 9 system to test some things out. I've run the alpha/beta/rc in a virtual machine, but I happened to have an extra machine sitting around and decided to install F9 there to see how it went. The install was pretty smooth; I did a network install from a local mirror which is pretty much how I've always installed Fedora. Pulling the packages down over a gigabit link is always nice :)

Once things were up and running, I wanted to setup LDAP to allow our sys admins to login, and I thought it would also be useful to setup pam_mkhomedir so that the user's home directory would get created automatically when they first login. Setting up pam_mkhomedir is pretty easy, all I did was add the following line to /etc/pam.d/system-auth-ac

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0066

Once I did that, I tested it out by logging in as root and doing an 'su -' to my account (stored in LDAP). This worked as expected, creating my home directory and populating it with the .bashrc, etc. stored in /etc/skel/ So, I then asked someone else to try logging in. Their password was accepted, but the homedir was not created properly, giving a "permission denied" error. Digging through the logs, I found an SELinux message in /var/log/messages, which was something like this:

setroubleshoot: SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
For complete SELinux messages. run sealert -l ec6eaa79-6acf-4ab7-82a8-04d685b601e8

Aha, so at least I knew why it was not working! But how can I tell SELinux that this is something I want to allow? A quick google search lead me to this FAQ on the Fedora Project Wiki: http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385 which gives some very easy steps on how to create a local policy module based on AVC denial messages. So, using a combination of 'sealert' for viewing info about denials, 'audit2allow' for creating policy from AVC messages, and 'semodule' for loading the newly created policy, I was able to create a local SELinux policy module which allowed the needed access for sshd to create home directories on the fly. This took a few iterations as each time I loaded the new module it would get a little further before something else would fail.

So I did a few iterations of appending AVC messages (as displayed by 'sealert') to a file, then running 'audit2allow' and 'semodule' to load and test. For example:

# sealert -l ec6eaa79-6acf-4ab7-82a8-04d685b601e8
[... output snipped ...]
Raw Audit Messages            

host=... type=AVC msg=audit(1211557305.198:204): avc:  denied  { write } for 
pid=6815 comm="sshd" name="home" dev=dm-0 ino=294913
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
# cat avc 
host=... type=AVC msg=audit(1211557305.198:204): avc:  denied  { write } for 
pid=6815 comm="sshd" name="home" dev=dm-0 ino=294913
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
# audit2allow -M local < avc 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

# semodule -i local.pp

After a few iterations, I ended up with a local.te file that looks like this:

module local 1.0;

require {
        type home_root_t;
        type sshd_t;
        class dir { write create add_name setattr };
        class file { write create setattr };
}

#============= sshd_t ==============
allow sshd_t home_root_t:dir { write create add_name setattr };
allow sshd_t home_root_t:file { write create setattr };

Loading the corresponding local.pp file using 'semodule -i local.pp' grants the needed access for pam_mkhomedir to work over ssh with SELinux enabled (in addition to using the default Fedora 9 policy). Much easier than I thought it would be -- the tools are very helpful!

Update: Fedora is now recommending the use of 'oddjob' and the 'oddjob-mkhomedir' package for things like this. The latest oddjob and selinux-policy packages as of the time of this writing are working fine on F9 without having to create any local selinux policy.