SCIENTIFIC-LINUX-USERS Archives

November 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Thomas Hartmann <[log in to unmask]>
Reply To: Thomas Hartmann <[log in to unmask]>
Date: Fri, 28 Nov 2014 13:36:52 +0100
Content-Type: multipart/signed
Parts/Attachments: text/plain (2879 bytes) , smime.p7s (5 kB)

Hi Stephan,

On 28.11.2014 12:57, Stephan Wiesand wrote:
> Hi Thomas,
> 
> hmm, it's supposed to solve your: "The use_nfs_home_dirs boolean allows any confined domains that need access to  home directory content to get access to all files labeled nfs_t". Maybe the implementation is actually different.
> 
> Regarding your Ansatz to solve this with a policy module, you may want to check out https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html

your suggestion is gold!
After disabling the audit suppression
 > semodule -DB

there was finally enough output in the audit log to build a module

 > grep "sshd" /var/log/audit/audit.log |  audit2allow -m  sshkeylogin

module sshkeylogin 1.0;

require {
        type default_t;
        type sshd_t;
        class lnk_file { read getattr };
}

#============= sshd_t ==============
allow sshd_t default_t:lnk_file { read getattr };

and after applying the module the attributes are not required anymore
for the sshd :)

 > grep "sshd" /var/log/audit/audit.log |  audit2allow -M  sshkeylogin
 > semodule -i sshkeylogin.pp
 > semodule -B

Keyfile login works now for me with the ssh related files on NFS with
attributes ignored for sshd :)

Cheers and many thanks!
  Thomas


> Cheers,
> 	Stephan
> 
>> On 28 Nov 2014, at 12:49, Thomas Hartmann <[log in to unmask]> wrote:
>>
>> Hi Stephan,
>>
>> thanks for the suggestion but with the value changed to true the problem
>> persists [1]
>>
>> There seem to be no SEL options that could fit to my problem - at least
>> I have not identified one within the ssh or nfs rule sets [2]
>>
>> Cheers,
>>  Thomas
>>
>> [1]
>>> setsebool use_nfs_home_dirs on
>>> getsebool use_nfs_home_dirs
>> use_nfs_home_dirs --> on
>>
>> [2]
>>> getsebool -a | grep ssh
>> allow_ssh_keysign --> off
>> fenced_can_ssh --> off
>> ssh_chroot_full_access --> off
>> ssh_chroot_manage_apache_content --> off
>> ssh_chroot_rw_homedirs --> off
>> ssh_sysadm_login --> off
>>
>>> getsebool -a | grep nfs
>> allow_ftpd_use_nfs --> off
>> cobbler_use_nfs --> off
>> git_cgi_use_nfs --> off
>> git_system_use_nfs --> off
>> httpd_use_nfs --> off
>> qemu_use_nfs --> on
>> rsync_use_nfs --> off
>> samba_share_nfs --> off
>> sanlock_use_nfs --> off
>> sge_use_nfs --> off
>> tftp_use_nfs --> off
>> use_nfs_home_dirs --> on
>> virt_use_nfs --> off
>> xen_use_nfs --> off
>>
>>
>> On 28.11.2014 11:57, Stephan Wiesand wrote:
>>>> On 28 Nov 2014, at 11:33, Thomas Hartmann <[log in to unmask]> wrote:
>>>>
>>>> Or is there another way to get SELinux and NFS mounted homes together?
>>>> I.e., disabling all file attribute checks for NFS files  - which is
>>>> probably a 'suboptimal' usage of an active SELinux close to permissive...
>>>
>>> Have you tried "setsebool use_nfs_home_dirs on" ?
>>>
>>
>>
> 
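The procedure from the thread, as an added shell example (not code from the list post): the same `semodule -DB`, `audit2allow -M`, `semodule -i`, `semodule -B` sequence, but with the audit log narrowed to AVC denials whose source domain is sshd_t instead of every line containing "sshd", so unrelated records do not end up as allow rules. The audit records and the module name are constructed for the example; it assumes policycoreutils (`audit2allow`, `semodule`) and optionally `ausearch` are installed.

```shell
#!/bin/sh
# Added example, not from the list thread.  Audit records below are
# constructed: two sshd_t denials of the kind the thread resolved, plus two
# records that a plain `grep sshd` would also pick up.
SAMPLE_AUDIT='type=USER_AUTH msg=audit(1417177012.100:201): pid=3001 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg=op=PAM:authentication acct="thomas" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success
type=AVC msg=audit(1417177012.120:202): avc:  denied  { read } for  pid=3002 comm="sshd" name="authorized_keys" dev=0:21 ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1417177012.120:203): avc:  denied  { getattr } for  pid=3002 comm="sshd" path="/home/thomas/.ssh/authorized_keys" dev=0:21 ino=4711 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1417177099.300:204): avc:  denied  { write } for  pid=3100 comm="httpd" name="sshd_config" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Keep only AVC denials raised in the sshd_t domain (audit log on stdin).
# `grep sshd` alone also matches the USER_AUTH record and the httpd_t
# denial on sshd_config above, and audit2allow would turn each of those
# into an allow rule for the wrong domain.
sshd_avc_denials() {
  grep 'type=AVC ' | grep ' denied ' | grep 'scontext=[^ ]*:sshd_t:'
}

# One line per "target_type:class permission", deduplicated, so the rule
# audit2allow will emit can be reviewed before it is installed.
summarise_denials() {
  sshd_avc_denials \
    | sed -n 's/.*denied  { \([^}]*\) } .*tcontext=[a-z_]*:[a-z_]*:\([a-z_]*\):[^ ]* tclass=\([a-z_]*\).*/\2:\3 \1/p' \
    | sort -u
}

# The thread's steps with the narrower filter.  Needs root and
# policycoreutils; not exercised by the self-check at the end.
build_sshd_module() {
  name="${1:-sshkeylogin}"
  semodule -DB                      # show denials normally hidden by dontaudit
  # ...reproduce the failing key login now, then collect what it produced
  # (`ausearch -m avc -c sshd -ts recent` is a time-bounded alternative):
  sshd_avc_denials < /var/log/audit/audit.log > "$name.avc"
  summarise_denials < "$name.avc"   # e.g. "default_t:lnk_file read"; review it
  audit2allow -M "$name" < "$name.avc" && semodule -i "$name.pp"
  semodule -B                       # rebuild with dontaudit rules re-enabled
}

# Self-check on the constructed records: prints the two sshd_t requests.
printf '%s\n' "$SAMPLE_AUDIT" | summarise_denials
```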