1

I'm using the Fedora 12 pam_mount / libHX RPMs on a RHEL 6 x86_64 system to automatically mount home directories from a NetApp system configured with NTFS-only security

AD-bound logins work fine - I'm having problems with making it automatically mount and map user homedir shares. It complains of permission denied initially, but then I can cd to the home directory fine.

$ ssh username@hostname

NOTE: This system is for the use of authorized users only

username@hostname's password: 
Last login: Mon Feb 27 10:54:09 2012 from another.hostname
Could not chdir to home directory /home/AD/username: Permission denied
-bash-4.1$ cd
-bash-4.1$ pwd
/home/AD/username

This is the /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,workgroup,nosetuids,noexec,nosuid,noserverino" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="2" hup="0" term="yes" kill="0" />
  <mkmountpoint enable="1" remove="true" />
  <debug enable="0" />
  <volume fstype="cifs" server="home.ad" path="%(USER)" mountpoint="/home/AD/%(USER)" options="workgroup=ad,uid=%(USER),dir_mode=0700,file_mode=0700,nosuid,nodev,noserverino" />
</pam_mount>

This is /etc/pam.d/password-auth:

# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mount.so
session     optional      pam_krb5.so

At login time, I see the following error in /var/log/messages:

Feb 27 14:28:49 hostname kernel: type=1400 audit(1330381729.009:4304): avc:  denied  { search } for  pid=3855 comm="sshd" name="/" dev=cifs ino=143 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cifs_t:s0 tclass=dir

Just turning off SELinux isn't an option - I'd like to work out how to fix it, as I assume this is the root cause. Can someone give me some pointers?

theducks
  • 13
  • 1
  • 3

1 Answers1

0

There doesnt appear to be any relevent policy that permits this by default. This is because pam is loading modules in the sshd_t context and trying to do funky stuff not normally associated with something sshd_t types should be doing.

To fix this stick the below in a file, probably calling it mysshd.te;

policy_module(mysshd, 0.0.1)

gen_require(`
    type cifs_t;
    type sshd_t;
')

read_files_pattern(sshd_t, cifs_t, cifs_t, { file, dir})
# If that doesnt work, try this
#manage_files_pattern(sshd_t, cifs_t, cifs_t {file, dir})

Compile it by running the following command: 

make -f /usr/share/selinux/devel/Makefile

To make it and load it:

make -f /usr/share/selinux/devel/Makefile load

Then, try again.

Matthew Ife
  • 22,927
  • 2
  • 54
  • 71