Redhat – Home directories created with wrong Selinux context

redhatrhel6selinux

[root@tst-01 home]# ls -Z
drwxr-xr-x. ujjain   users          system_u:object_r:home_root_t:s0 ujjain
drwxr-xr-x. johndoe   users          system_u:object_r:home_root_t:s0 johndoe

The selinux context should be object_r:user_home_dir_t.

[root@tst-01 ~]# sesearch -T -t home_root_t
Found 10 semantic te rules:
   type_transition oddjob_mkhomedir_t home_root_t : dir user_home_dir_t;
   type_transition automount_t home_root_t : dir automount_tmp_t;
   type_transition lsassd_t home_root_t : dir user_home_dir_t;
   type_transition useradd_t home_root_t : dir user_home_dir_t;
   type_transition firstboot_t home_root_t : dir user_home_dir_t;
   type_transition smbd_t home_root_t : dir user_home_dir_t;
   type_transition quota_t home_root_t : file quota_db_t;
   type_transition sysadm_t home_root_t : dir user_home_dir_t;
   type_transition cups_pdf_t home_root_t : dir user_home_dir_t;
   type_transition postfix_virtual_t home_root_t : dir user_home_dir_t;

[root@tst-01 ~]#

New home-directories are created with the wrong Selinux context. I can fix the selinux context with chcon, but this creates problems on multiple servers.

What can be the reason the context was set wrong in the first place?

Best Answer

Adding to this question for future people who may come across it. If you are putting home directories on an NFS share, you will need to set the correct SELinux context. Assuming your nfs home directory is /nfshome, do the following:

[root@host /]# semanage fcontext -a -e /home /nfshome
[root@host /]# restorecon -vR /nfshome

Related Solutions

Samba – pam_mount of smb share on rhel6, home directory not available for login – probably SELinux

There doesnt appear to be any relevent policy that permits this by default. This is because pam is loading modules in the sshd_t context and trying to do funky stuff not normally associated with something sshd_t types should be doing.

To fix this stick the below in a file, probably calling it mysshd.te;

policy_module(mysshd, 0.0.1)

gen_require(`
    type cifs_t;
    type sshd_t;
')

read_files_pattern(sshd_t, cifs_t, cifs_t, { file, dir})
# If that doesnt work, try this
#manage_files_pattern(sshd_t, cifs_t, cifs_t {file, dir})

Compile it by running the following command:

make -f /usr/share/selinux/devel/Makefile

To make it and load it:

make -f /usr/share/selinux/devel/Makefile load

Then, try again.

Centos – How to allow unprivileged apache/PHP to do a root task (CentOS)

Create a script that implements the commands you describe, and run setuid on it to enable it to run as root when anyone invokes it. See http://en.wikipedia.org/wiki/Setuid for more information on setuid.

From PHP, you can then just call system('/bin/setupNewUser'); as usual and the script will be ran as root.

Alternative solution that limits the injection opportunities and works on systems with setuid execution on scripts disabled:

Create a small program that does have setuid. An example listed below:

#include <stdlib.h>
#include <iostream>
#include <string>

using namespace std;

int main(int argc, char* argv[])
{
    if (argc != 2)
    {
        cout << "Invalid arguments";
        return 1;
    }

    //make sure the argument passed to the script has only [a-z]
    for (char* i = argv[1]; *i != '\0'; i++)
    {
       //check if the current character falls outside an allowed range
       if (!(
           //Allowed ranges:
           // between a and z
           ('a' <= *i && *i <= 'z') 
           // between 0 and 9
           || ('0' <= *i && *i <= '9')
           // '_' or '-'
           || ('_' == *i)
           || ('-' == *i)
       ))
       {
           cout << "Illegal character in username: " << *i << endl;
           return 2;
       }
    }

    //append the username
    string command = string("/test/setupUser.sh ");
    command += string(argv[1]);

    //execute the command and return the result transparently
    // return system(command.c_str());
    // * OR *
    // call mkdir directly
}

Call the setuid program from php

system('/test/setupUser '.escapeshellarg($username));

Related Topic