change directory fails on logon

Support for security such as Firewalls and securing linux
someotherguy
Posts: 14
Joined: 2018/08/25 20:25:39

change directory fails on logon

Post by someotherguy » 2019/01/14 19:11:59

I shut down my home server, installed a SATA to IDE converter and an old IDE tape drive. When I bring it back up and log in, I get the message:

Last login: Mon Jan 14 12:13:43 on tty1
-- <myusername> : /mnt/data/home/<myusername>: change directory failed: Permission denied
Logging in with home - "/"
[<myusername>@server /]$

At this point, I can cd to /mnt/data/home/<myusername> no problem. My research has suggested the problem is with SELinux.
Running ls -Z mnt/data/home gives me:

drwxrwx---. <myusername> Terry unconfined_u:object_r:samba_share_t:s0 <myusername>

I ran sealert -a /var/log/audit.log. The relevant part of the log file appears to be:

type=AVC
msg=audit(1547420498.369:118): avc: denied { search } for pid=7429 comm="login" name="<myusername>" dev="md126p1" ino=108920833 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0

type=SYSCALL
msg=audit(1547420498.369:118): arch=x86_64 syscall=chdir success=no exit=EACCES a0=117e242 a1=0 a2=4000000 a3=7ffeada1dc20 items=0 ppid=6449 pid=7429 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,samba_share_t,dir,search

I want to be able to access /mnt/data/home/<myusername> from my Windows 10 desktop, which I log on to with a different user name and password. In order to do so I found it necessary to run (prior to installing the adapter and tape drive)

chcon -t samba_share_t -R /mnt/data/home/<myusername>

My research led me to believe that the chcon command's effects are temporary, so I re-ran it. However, that has not solved the problem.
Any suggestions/help greatly appreciated.

someotherguy
Posts: 14
Joined: 2018/08/25 20:25:39

Re: change directory fails on logon

Post by someotherguy » 2019/01/14 21:40:34

More troubleshooting info:
I discovered the instruction "cat /var/log/audit/audit.log | audit2why"

The relevant part of the output appears to be:

type=AVC
msg=audit(1547489857.350:121): avc: denied { search } for pid=7434 comm="login" name="<myusername>" dev="md126p1" ino=108920833
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

Not sure how to go about doing this. Continuing to research. As before, any help/suggestions greatly appreciated.

pjsr2
Posts: 433
Joined: 2014/03/27 20:11:07

Re: change directory fails on logon

Post by pjsr2 » 2019/01/15 08:33:53

Section 7 in https://wiki.centos.org/HowTos/SELinux may be of help to you.

TrevorH
Forum Moderator
Posts: 26983
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: change directory fails on logon

Post by TrevorH » 2019/01/15 11:47:49

Despite it not actually being a samba home directory, it's set up with the selinux contexts that say it is, so perhaps the selinux boolean use_samba_home_dirs might help. It defaults to off, so using setsebool to toggle it and checking if it works would be easy. If it helps then don't forget to make that setsebool persistent using -P.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

someotherguy
Posts: 14
Joined: 2018/08/25 20:25:39

Re: change directory fails on logon

Post by someotherguy » 2019/01/15 17:59:40

I ran audit2allow -a and got the following:

#============= local_login_t ==============
allow local_login_t samba_share_t:dir search;

#============= smbd_t ==============

#!!!! WARNING: 'unlabeled_t' is a base type.
#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
allow smbd_t unlabeled_t:dir setattr;

#!!!! This avc can be allowed using one of the these booleans:
# samba_export_all_ro, samba_export_all_rw
allow smbd_t unlabeled_t:file getattr;

#!!!! This avc can be allowed using the boolean 'samba_export_all_rw'
allow smbd_t user_home_dir_t:dir setattr;

#============= unconfined_t ==============
allow unconfined_t self:capability2 mac_admin;

From what I understand, the first entry appears to be relevant to my current issue. I suspect the others are related to issues I didn't know I had. Again, based on my current understanding, where setting a boolean will resolve the issue, it is listed first. Lines lacking a # are policies that can also resolve the issue. My impression is that it is better to resolve the issue by setting a boolean than using a policy, if possible. I'm currently looking into how to implement these recommendations. Since several of the entries can be resolved by using the boolean 'samba_export_all_rw', I'll probably start there, even though I don't expect it to solve my original issue.

someotherguy
Posts: 14
Joined: 2018/08/25 20:25:39

Re: change directory fails on logon

Post by someotherguy » 2019/01/15 22:02:56

I ran "sudo setsebool samba_export_all_rw on -P" since multiple entries obtained by running "audit2allow -a" listed this as a fix. As expected, this did not resolve my original issue. I then ran "sudo audit2allow -a -M mylocal_login", followed by "sudo semodule -i mylocal_login.pp" to implement the policy thereby generated. While I was at it, I also ran "sudo audit2allow -a -M unconfined", followed by "sudo semodule -i unconfined.pp". I no longer get the error message when I reboot and log on. Thanks to those who offered suggestions. Hope others may find this thread useful.
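The post above turns every denial in the audit log into allow rules. Before doing that, a practitioner wants to see the same (source type, target type, class, permission) tuples that audit2allow hashes on, and to separate the ones that point at mislabeled objects (target unlabeled_t) from the ones that need a boolean or a policy change. The script below is an added example, not code from the thread or from the SELinux tools. Its sample input is constructed: the first two records are the thread's own local_login_t denials copied verbatim; the smbd_t records are invented to mirror the audit2allow output quoted above, with made-up pids, inode numbers and file names.

```shell
#!/bin/sh
# Added example: summarise AVC denials into the tuples audit2allow groups on.
# SAMPLE_AUDIT is constructed. Lines 1-2 are the thread's real denials;
# lines 3-4 are invented smbd_t/unlabeled_t denials for illustration.
SAMPLE_AUDIT='type=AVC msg=audit(1547420498.369:118): avc:  denied  { search } for  pid=7429 comm="login" name="<myusername>" dev="md126p1" ino=108920833 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547489857.350:121): avc:  denied  { search } for  pid=7434 comm="login" name="<myusername>" dev="md126p1" ino=108920833 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1547420600.100:130): avc:  denied  { getattr } for  pid=8001 comm="smbd" name="notes.txt" dev="md126p1" ino=108920900 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547420601.200:131): avc:  denied  { setattr } for  pid=8001 comm="smbd" name="<myusername>" dev="md126p1" ino=108920833 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0'

# avc_tuples: read audit records on stdin and print one unique
# "<source type> <target type> <class> <permission>" line per denial,
# which is exactly what audit2allow's "Hash:" line summarises.
avc_tuples() {
    awk '
    /avc: +denied/ {
        # the permissions sit between "{" and "}"; a record may list several
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated part of a context
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# unlabeled_targets: source types denied access to unlabeled_t objects.
# Such denials mean the files carry no valid label; the fix is restorecon,
# not an allow rule that lets a domain read unlabeled data.
unlabeled_targets() {
    avc_tuples | awk '$2 == "unlabeled_t" { print $1 }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_tuples
printf 'Relabel needed for objects touched by: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AUDIT" | unlabeled_targets)"
```

On a real host feed it `ausearch -m avc -ts today | avc_tuples`. For each tuple, check a boolean first (`getsebool -a | grep samba`), then whether the on-disk label matches what policy expects for that path (`matchpathcon <path>` against `ls -Z`); a denial involving unlabeled_t or a label you set by hand with chcon is a labeling problem, and generating a module for it only hides that.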

TrevorH
Forum Moderator
Posts: 26983
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: change directory fails on logon

Post by TrevorH » 2019/01/16 00:59:27

allow smbd_t unlabeled_t:dir setattr;
This indicates that you have unlabeled files on your system which is the real cause of the errors. You should run restorecon -RFv against the directory in question to set the contexts correctly.

someotherguy
Posts: 14
Joined: 2018/08/25 20:25:39

Re: change directory fails on logon

Post by someotherguy » 2019/01/16 18:10:26

TrevorH wrote:
2019/01/16 00:59:27
allow smbd_t unlabeled_t:dir setattr;
This indicates that you have unlabeled files on your system which is the real cause of the errors. You should run restorecon -RFv against the directory in question to set the contexts correctly.

I'm not sure what the directory in question might be. Since the original problem concerns my home directory, I ran ls -Z on it. I did not see any files listed there that did not have a label associated with them. I then did a little research on restorecon, and found an option to create a list of files with an incorrect context but not change anything (restorecon -n -o incorrectlabels.txt). I ran it on the entire RAID, which contains everything except the OS, which is on a SSD. The text file was created, but it had no entries. I'm confused. Regardless, my original reason for posting this plea for help has been resolved, so I'm calling it a win and moving on.

TrevorH
Forum Moderator
Posts: 26983
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: change directory fails on logon

Post by TrevorH » 2019/01/16 18:34:38

The original avc message in the audit log will have an ino= field in it which tells you the inode number of the file in question. Using that and the mount point of the device in question (the device is also in the avc message, but you need to work out where it's mounted) you can use find /mountpoint -inum nnnn to tell you the file in question.
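The lookup described in the two posts above (dev= and ino= from the AVC record, then the mount point, then find -inum, then restorecon), written out as an added example that is not code from the thread. The sample record is the thread's first denial copied verbatim. Assumptions: util-linux findmnt and the libselinux matchpathcon utility are installed, as they are on CentOS 7; the inode lookup part runs anywhere with find.

```shell
#!/bin/sh
# Added example: resolve an AVC record's dev=/ino= pair to a path and
# compare the object's current label with the one policy expects.
# SAMPLE_AVC is the first denial from the thread, unchanged.
SAMPLE_AVC='type=AVC msg=audit(1547420498.369:118): avc: denied { search } for pid=7429 comm="login" name="<myusername>" dev="md126p1" ino=108920833 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0'

# avc_field RECORD NAME: value of the NAME= field, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# mountpoint_of_dev DEVNAME: where /dev/DEVNAME is mounted, empty if nowhere.
# Assumes findmnt (util-linux); the dev= field names the device without /dev/.
mountpoint_of_dev() {
    findmnt -n -o TARGET -S "/dev/$1" 2>/dev/null | head -n 1
}

# find_by_inode MOUNTPOINT INODE: every path with that inode on that filesystem.
# -xdev stops find crossing into other mounts, where the same inode number
# would name an unrelated file.
find_by_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

dev=$(avc_field "$SAMPLE_AVC" dev)
ino=$(avc_field "$SAMPLE_AVC" ino)
printf 'device=%s inode=%s\n' "$dev" "$ino"

mnt=$(mountpoint_of_dev "$dev")
if [ -n "$mnt" ]; then
    find_by_inode "$mnt" "$ino" | while IFS= read -r path; do
        # ls -Z shows the label on disk, matchpathcon the label policy expects;
        # if they differ, restorecon -RFv will change the label back.
        printf 'current : %s\n' "$(ls -dZ "$path")"
        printf 'expected: %s\n' "$(matchpathcon "$path")"
    done
else
    echo "/dev/$dev is not mounted here; run this on the affected host."
fi
```

When the two labels differ because the on-disk one was set with chcon, a relabel (restorecon, or a full relabel after the tape-drive reboot) reverts it, which is what makes chcon non-persistent. The persistent equivalent is to record the mapping in policy and then apply it: `semanage fcontext -a -t samba_share_t '/mnt/data/home/<myusername>(/.*)?'` followed by `restorecon -RFv /mnt/data/home/<myusername>`, after which matchpathcon and ls -Z agree.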


Return to “CentOS 7 - Security Support”