SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Stephan Wiesand <[log in to unmask]>
Date: Fri, 28 Nov 2014 12:57:19 +0100

Hi Thomas,

hmm, it's supposed to solve your: "The use_nfs_home_dirs boolean allows any confined domains that need access to home directory content to get access to all files labeled nfs_t". Maybe the implementation is actually different.

Regarding your Ansatz to solve this with a policy module, you may want to check out https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html

Cheers,
	Stephan

> On 28 Nov 2014, at 12:49, Thomas Hartmann <[log in to unmask]> wrote:
> 
> Hi Stephan,
> 
> thanks for the suggestion but with the value changed to true the problem
> persists [1]
> 
> There seem to be no SEL options that could fit my problem - at least
> I have not identified one within the ssh or nfs rule sets [2]
> 
> Cheers,
>  Thomas
> 
> [1]
>> setsebool use_nfs_home_dirs on
>> getsebool use_nfs_home_dirs
> use_nfs_home_dirs --> on
> 
> [2]
>> getsebool -a | grep ssh
> allow_ssh_keysign --> off
> fenced_can_ssh --> off
> ssh_chroot_full_access --> off
> ssh_chroot_manage_apache_content --> off
> ssh_chroot_rw_homedirs --> off
> ssh_sysadm_login --> off
> 
>> getsebool -a | grep nfs
> allow_ftpd_use_nfs --> off
> cobbler_use_nfs --> off
> git_cgi_use_nfs --> off
> git_system_use_nfs --> off
> httpd_use_nfs --> off
> qemu_use_nfs --> on
> rsync_use_nfs --> off
> samba_share_nfs --> off
> sanlock_use_nfs --> off
> sge_use_nfs --> off
> tftp_use_nfs --> off
> use_nfs_home_dirs --> on
> virt_use_nfs --> off
> xen_use_nfs --> off
> 
> 
> On 28.11.2014 11:57, Stephan Wiesand wrote:
>>> On 28 Nov 2014, at 11:33, Thomas Hartmann <[log in to unmask]> wrote:
>>> 
>>> Or is there another way to get SELinux and NFS mounted homes together?
>>> I.e., disabling all file attribute checks for NFS files - which is
>>> probably a 'suboptimal' usage of an active SELinux close to permissive...
>> 
>> Have you tried "setsebool use_nfs_home_dirs on" ?
>> 
> 
> 

-- 
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
