Right, that did it (after I started the oddjobd service, that is). Now, the original reason I turned SELinux back on was to use xguest... sadly, this still isn't working...
On Tue, Nov 4, 2008 at 11:21 AM, Daniel J Walsh <[EMAIL PROTECTED]> wrote:
> Matt Nicholson wrote:
> > So, I have an environment where we pull user data/auth from LDAP/Kerberos
> > for a bunch of Fedora workstations. I would love to have SELinux turned on
> > on these, but right now it just doesn't work with our setup.
> >
> > See, your users' home directories are in a few different places. For the most
> > part, LDAP thinks their home is at /n/home or /n/data/home. So, I have /home
> > bind mounted to those locations, and, with SELinux off, it's all nice and
> > happy. Another weird thing is that /home is local on these workstations, so
> > when a user sits at a workstation for the first time, an empty homedir must
> > be created. We hope to move to NFS /home soon, but not yet.
>
> Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir
>
> yum install oddjob\*
>
> Should fix the problem.
>
> > Once I turn it on, however, users cannot log in, and the home directories
> > cannot be created. I get SELinux messages like:
> >
> > Summary:
> >
> > SELinux is preventing sshd (sshd_t) "create" to ./nichols2 (home_root_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by sshd. It is not expected that this access is
> > required by sshd and this access may signal an intrusion attempt. It is also
> > possible that the specific version or configuration of the application is
> > causing it to require additional access.
> >
> > Allowing Access:
> >
> > Sometimes labeling problems can cause SELinux denials. You could try to restore
> > the default system file context for ./nichols2,
> >
> > restorecon -v './nichols2'
> >
> > If this does not work, there is currently no automatic way to allow this access.
> > Instead, you can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> > SELinux protection altogether. Disabling SELinux protection is not recommended.
> > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:home_root_t:s0
> > Target Objects                ./nichols2 [ dir ]
> > Source                        sshd
> > Source Path                   /usr/sbin/sshd
> > Port                          <Unknown>
> > Host                          dhcp-0016533596-c5-74
> > Source RPM Packages           openssh-server-5.1p1-2.fc9
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.3.1-103.fc9
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall_file
> > Host Name                     dhcp-0016533596-c5-74
> > Platform                      Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
> >                               #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
> > Alert Count                   1
> > First Seen                    Tue Nov 4 10:49:41 2008
> > Last Seen                     Tue Nov 4 10:49:41 2008
> > Local ID                      803e925f-1d6e-4473-9054-dbaf0c0f3abd
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
> > denied { create } for pid=4956 comm="sshd" name="nichols2"
> > scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> >
> > host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
> > arch=40000003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
> > a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd"
> > exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> >
> > That's for an ssh login attempt. I get the same for one via GDM. I've tried
> > adding "context=system_r:object_r:home_root_t" when I bind mount the /home
> > on /n/home etc., and no luck so far. Do I need to relabel /n? What/how
> > should I? Any help would be awesome.
> >
> > Thanks,
> >
> > Matt
-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
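Editor's added example, not code from this thread or from the Fedora/SELinux tooling: a small triage script for raw AVC audit records like the two quoted above. sealert's summary line hides the two things worth checking first, namely which syscall actually failed and with what errno, and how the security contexts split up. A context has the form user:role:type[:level] (compare the Target Context line above, system_u:object_r:home_root_t:s0; the level field can itself contain colons). The script pairs the AVC record with its SYSCALL record by audit serial, decodes arch=40000003 (AUDIT_ARCH_I386) and syscall 39 (mkdir on i386; the syscall table here is deliberately partial, an assumption limited to the entries needed), maps exit=-13 to EACCES, and applies one illustrative triage rule modelled on how this thread was resolved (home directory creation handed to oddjobd via pam_oddjob_mkhomedir). The two audit lines are embedded as sample input; the hint text is the editor's, not SELinux's.

```python
"""Triage raw SELinux AVC/SYSCALL audit records (added example, see lead-in)."""
import errno
import re

# Sample input: the two raw audit records quoted in the post above.
SAMPLE_RECORDS = [
    'host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc: '
    'denied { create } for pid=4956 comm="sshd" name="nichols2" '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89): '
    'arch=40000003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4 '
    'a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" '
    'exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)',
]

# arch=40000003 is AUDIT_ARCH_I386 (EM_386 plus the 0x40000000 "32-bit" flag).
# Assumption: deliberately partial syscall table, only the i386 entries needed here.
AUDIT_ARCH_I386 = 0x40000003
SYSCALL_NAMES = {AUDIT_ARCH_I386: {5: "open", 39: "mkdir", 40: "rmdir"}}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')


def parse_kv(text):
    """key=value pairs; values may be quoted (comm="sshd") or bracketed (tty=(none))."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    user, role, stype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level[0] if level else ""}


def parse_record(line):
    """One audit line -> dict; AVC lines additionally get result and perms."""
    rec = parse_kv(line)
    rec["serial"] = MSG_RE.search(line).group(2)  # event id shared by AVC and SYSCALL
    m = AVC_RE.search(line)
    if m:
        rec["result"] = m.group(1)
        rec["perms"] = m.group(2).split()
        rec.update(parse_kv(m.group(3)))
    return rec


def hint(r):
    """Illustrative triage rule (editor's assumption, not policy knowledge from SELinux).

    The thread's case: a login daemon domain creating a directory directly under
    home_root_t; it was resolved by letting oddjobd create the directory via
    pam_oddjob_mkhomedir instead of sshd/gdm doing it themselves.
    """
    if r["tclass"] == "dir" and "create" in r["perms"] and r["target_type"] == "home_root_t":
        return ("login daemon creating a home directory itself; use "
                "pam_oddjob_mkhomedir (oddjobd) instead of pam_mkhomedir")
    return "check labels first (restorecon -n -v), then audit2allow for a local module"


def triage(lines):
    """Group records by audit serial and summarise each AVC with its SYSCALL record."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    reports = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        src, tgt = parse_context(avc["scontext"]), parse_context(avc["tcontext"])
        report = {
            "serial": serial, "result": avc["result"], "perms": avc["perms"],
            "tclass": avc["tclass"], "source_type": src["type"],
            "target_type": tgt["type"], "comm": avc.get("comm"), "name": avc.get("name"),
        }
        sc = recs.get("SYSCALL")
        if sc is not None:
            arch, nr = int(sc["arch"], 16), int(sc["syscall"])
            report["syscall"] = SYSCALL_NAMES.get(arch, {}).get(nr, f"#{nr}")
            ret = int(sc["exit"])  # negative errno on failure, e.g. -13 -> EACCES
            report["errno"] = errno.errorcode.get(-ret, str(ret)) if ret < 0 else "0"
            report["exe"] = sc.get("exe")
        report["hint"] = hint(report)
        reports.append(report)
    return reports


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(f"audit serial {r['serial']}: {r['result']} {' '.join(r['perms'])} on "
              f"{r['tclass']} {r['name']!r} by {r['comm']} ({r['source_type']} -> "
              f"{r['target_type']}), syscall {r.get('syscall')} failed with {r.get('errno')}")
        print("  hint:", r["hint"])
```

Run as-is it reports the thread's denial as sshd_t attempting mkdir of nichols2 under home_root_t, failing with EACCES; to use it on a live box, feed it the lines `ausearch -m AVC,SYSCALL -ts recent` prints instead of SAMPLE_RECORDS.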