Dear SL developer and user,

I am testing the 28 Jan 2011 SL6 beta release.  There is a problem 
with ssh.  Please see the terminal output.

[jsjayan@krishna ~]$ ssh labuser@serene
labuser@serene's password:
Permission denied, please try again.
labuser@serene's password:
Could not chdir to home directory /disk1/labuser: Permission denied
/usr/bin/xauth:  timeout in locking authority file /disk1/labuser/.Xauthority
[labuser@serene /]$

Finally it logs on to the machine.  However, no X program can be executed.  
An SELinux log is created on the host machine.  It is as follows:


Summary:

SELinux is preventing /usr/sbin/sshd "search" access on labuser.

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                labuser [ dir ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          serene
Source RPM Packages           openssh-server-5.3p1-20.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     serene
Platform                      Linux serene 2.6.32-71.el6.x86_64
                              #1 SMP Tue Nov 23 06:49:13 CST 2010 x86_64 x86_64
Alert Count                   16
First Seen                    Wed 09 Feb 2011 03:07:11 PM IST
Last Seen                     Wed 09 Feb 2011 03:58:39 PM IST
Local ID                      a34a607e-2e13-4b24-9aaa-207ba8248d04
Line Numbers

Raw Audit Messages

node=serene.rpd.barc.gov.in type=AVC msg=audit(1297247319.903:173): avc:  denied  { search } for  pid=4500 comm="sshd" name="labuser" dev=dm-2 ino=1572865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=serene.rpd.barc.gov.in type=SYSCALL msg=audit(1297247319.903:173): arch=c000003e syscall=80 success=no exit=-13 a0=7f12868d8c20 a1=ffffffff a2=9 a3=0 items=0 ppid=4499 pid=4500 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts1 ses=17 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Note that this problem happens only if the login directory (home folder) 
of the user is not in /home.  Say, for example, it is in /disk1.  This 
puts restrictions on systems having multiple disks and a large number of 
users.  This problem was not happening with SL5.5 and earlier releases. 
Please take care of this in the release.

Best wishes
-- 
Dr. Jayakumar J. S.

**
** in a free world without fences, who needs gates?
** help microsoft stamp out piracy - give linux to a friend today.
** to mess up a linux box, you need to work at it. to mess up an ms 
windows box, you just need to **look** at it.
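
An added example (not part of the original message, and not code from SL or any SELinux tool): parsing the AVC record quoted in the message and triaging it by the target's type. The function names and the triage labels are assumptions made for illustration.

```python
import re

# AVC record copied from the message above, with the e-mail line wraps rejoined.
AVC = ('node=serene.rpd.barc.gov.in type=AVC msg=audit(1297247319.903:173): '
       'avc:  denied  { search } for  pid=4500 comm="sshd" name="labuser" '
       'dev=dm-2 ino=1572865 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:default_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
                    r'\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types a file carries when no file-context rule (or no label at all) applies.
GENERIC_TYPES = {'default_t', 'unlabeled_t', 'file_t'}


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = (ctx.split(':', 3) + [''])[:4]
    return dict(zip(('user', 'role', 'type', 'level'), parts))


def parse_avc(line):
    """Return the fields of an AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        if key in rec:
            rec[key] = parse_context(rec[key])
    return rec


def triage(rec):
    """Hypothetical triage labels: is this a labelling issue or a policy question?"""
    if rec is None or rec['result'] != 'denied':
        return 'not-a-denial'
    # A generic target type means the object matched no specific file-context
    # rule, so the first thing to check is its label, not the domain's rules.
    if rec.get('tcontext', {}).get('type') in GENERIC_TYPES:
        return 'target-mislabelled'
    return 'review-policy'


if __name__ == '__main__':
    r = parse_avc(AVC)
    print(r['comm'], r['perms'], r['tclass'], r['tcontext']['type'], triage(r))
```

A `target-mislabelled` result points at the file-context rules and relabelling (`semanage fcontext`, `restorecon`) for the directory tree, rather than at a local policy module that widens what `sshd_t` may access.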