Date: Fri, 28 Nov 2014 13:36:52 +0100
Content-Type: multipart/signed
Hi Stephan,
On 28.11.2014 12:57, Stephan Wiesand wrote:
> Hi Thomas,
>
> hmm, it's supposed to solve your: "The use_nfs_home_dirs boolean allows any confined domains that need access to home directory content to get access to all files labeled nfs_t". Maybe the implementation is actually different.
>
> Regarding your approach to solve this with a policy module, you may want to check out https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html
your suggestion is gold!
After disabling the audit suppression
> semodule -DB
there was finally enough output in the audit log to build a module
> grep "sshd" /var/log/audit/audit.log | audit2allow -m sshkeylogin
module sshkeylogin 1.0;
require {
type default_t;
type sshd_t;
class lnk_file { read getattr };
}
#============= sshd_t ==============
allow sshd_t default_t:lnk_file { read getattr };
and after applying the module the attributes are not required anymore
for the sshd :)
> grep "sshd" /var/log/audit/audit.log | audit2allow -M sshkeylogin
> semodule -i sshkeylogin.pp
> semodule -B
Keyfile login works now for me with the ssh related files on NFS with
attributes ignored for sshd :)
Cheers and many thanks!
Thomas
> Cheers,
> Stephan
>
>> On 28 Nov 2014, at 12:49, Thomas Hartmann <[log in to unmask]> wrote:
>>
>> Hi Stephan,
>>
>> thanks for the suggestion but with the value changed to true the problem
>> persists [1]
>>
>> There seem to be no SEL options that could fit to my problem - at least
>> I have not identified one within the ssh or nfs rule sets [2]
>>
>> Cheers,
>> Thomas
>>
>> [1]
>>> setsebool use_nfs_home_dirs on
>>> getsebool use_nfs_home_dirs
>> use_nfs_home_dirs --> on
>>
>> [2]
>>> getsebool -a | grep ssh
>> allow_ssh_keysign --> off
>> fenced_can_ssh --> off
>> ssh_chroot_full_access --> off
>> ssh_chroot_manage_apache_content --> off
>> ssh_chroot_rw_homedirs --> off
>> ssh_sysadm_login --> off
>>
>>> getsebool -a | grep nfs
>> allow_ftpd_use_nfs --> off
>> cobbler_use_nfs --> off
>> git_cgi_use_nfs --> off
>> git_system_use_nfs --> off
>> httpd_use_nfs --> off
>> qemu_use_nfs --> on
>> rsync_use_nfs --> off
>> samba_share_nfs --> off
>> sanlock_use_nfs --> off
>> sge_use_nfs --> off
>> tftp_use_nfs --> off
>> use_nfs_home_dirs --> on
>> virt_use_nfs --> off
>> xen_use_nfs --> off
>>
>>
>> On 28.11.2014 11:57, Stephan Wiesand wrote:
>>>> On 28 Nov 2014, at 11:33, Thomas Hartmann <[log in to unmask]> wrote:
>>>>
>>>> Or is there another way to get SELinux and NFS mounted homes together?
>>>> I.e., disabling all file attribute checks for NFS files - which is
>>>> probably a 'suboptimal' usage of an active SELinux close to permissive...
>>>
>>> Have you tried "setsebool use_nfs_home_dirs on" ?
>>>
>>
>>
>