* genhomedircon errors with NIS
From: Bandan Das @ 2009-04-20 18:54 UTC (permalink / raw)
To: selinux
Hello,
This is a RHEL 5.3 system with SELinux configured in the targeted mode.
Whenever genhomedircon is invoked, either as part of loading a new
policy module or anything else, genhomedircon will report errors going
through the NIS database :
bdas homedir /h/bdas or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually
indicates an incorrectly defined system account. If it is a system
account please make sure its login shell is /sbin/nologin.
/h is where the NIS home directory is automounted and the above message
appears for all the NIS users.
As expected, running genhomedircon manually with the "-n" switch will
not spew these messages. If I look at file_contexts, I do not find any
specified context for /h.
Any ideas ?
--
BSD
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: genhomedircon errors with NIS
From: Daniel J Walsh @ 2009-04-20 19:08 UTC (permalink / raw)
To: Bandan Das; +Cc: selinux
On 04/20/2009 02:54 PM, Bandan Das wrote:
> Hello,
>
> This is a RHEL 5.3 system with SELinux configured in the targeted mode.
> Whenever genhomedircon is invoked, either as part of loading a new
> policy module or anything else, genhomedircon will report errors going
> through the NIS database :
>
> bdas homedir /h/bdas or its parent directory conflicts with a
> defined context in /etc/selinux/targeted/contexts/files/file_contexts,
> /usr/sbin/genhomedircon will not create a new context. This usually
> indicates an incorrectly defined system account. If it is a system
> account please make sure its login shell is /sbin/nologin.
>
> /h is where the NIS home directory is automounted and the above message
> appears for all the NIS users.
>
> As expected, running genhomedircon manually with the "-n" switch will
> not spew these messages. If I look at file_contexts, I do not find any
> specified context for /h.
>
>
> Any ideas ?
>
>
>
genhomedircon is trying to label the directory above /h "/" to be
home_root_t. It sees this directory and complains. I think the problem
here is you actually have a user /h. What does the homedir of one of
the users look like?
We have the ability to disable genhomedircon in Fedora 10 and beyond.
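A model of the check that produces the warning quoted above, written for this thread as an illustration. It is not the RHEL 5 genhomedircon script (whose exact logic is not shown here): it reads passwd-style entries, skips system accounts the way the warning text suggests (low UID or a non-login shell), and asks whether a user's home directory or its parent already has an explicit file_contexts rule that is not home_root_t. The MIN_UID value, the SYSTEM_SHELLS set, the sample passwd lines (shaped like the ypcat entry in this thread) and the file_contexts excerpt, including the /h rule, are all constructed assumptions.

```python
"""Approximate model of the home-root check behind the genhomedircon warning.

Illustration written for this thread, not the RHEL 5 script.  A "conflict"
here means the home directory or its parent has an explicit file_contexts
rule whose type is something other than home_root_t.
"""
import os
import re

MIN_UID = 500                                    # assumed RHEL 5 UID_MIN
SYSTEM_SHELLS = {"/sbin/nologin", "/bin/false"}  # assumed system-account shells
HOME_ROOT_TYPE = "home_root_t"
FC_PATH = "/etc/selinux/targeted/contexts/files/file_contexts"

# Constructed sample in the shape of the `ypcat passwd` entry from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bdas:x:22832:263:First Last:/h/bdas:/bin/tcsh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/export/people/bob:/bin/bash
odd:x:1003:1003:Odd:/x:/bin/bash
"""

# Constructed file_contexts excerpt.  The /h rule is hypothetical: it stands in
# for whatever explicit rule would make an automounted home root "conflict".
SAMPLE_FILE_CONTEXTS = """\
# regex              [type]  context
/.*                          system_u:object_r:default_t:s0
/home                -d      system_u:object_r:home_root_t:s0
/root(/.*)?                  system_u:object_r:user_home_dir_t:s0
/h(/.*)?                     system_u:object_r:autofs_t:s0
"""

_META = re.compile(r"[.*?+\[\](){}^$|\\]")


def literal_prefix(regex):
    """Leading part of a file_contexts regex before its first metacharacter."""
    m = _META.search(regex)
    return regex if m is None else regex[:m.start()]


def parse_file_contexts(text):
    """Return [(compiled_regex, literal_prefix, selinux_type)] from file_contexts text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()           # regex, optional -d/-- file type, context
        regex, context = fields[0], fields[-1]
        setype = context.split(":")[2]  # user:role:type:level
        rules.append((re.compile(regex), literal_prefix(regex), setype))
    return rules


def explicit_type(path, rules):
    """Type assigned to exactly this path by a rule whose literal prefix is the path."""
    for regex, prefix, setype in rules:
        if prefix == path and regex.fullmatch(path):
            return setype
    return None


def parse_passwd(text):
    """Return [(name, uid, home, shell)] from passwd-format lines."""
    users = []
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
            users.append((name, int(uid), home, shell))
    return users


def plan_home_roots(passwd_text, fc_text, fc_path=FC_PATH):
    """Return (home_roots_to_label, warnings); warning text mirrors the thread."""
    rules = parse_file_contexts(fc_text)
    to_label, warnings = [], []
    for name, uid, home, shell in parse_passwd(passwd_text):
        if uid < MIN_UID or shell in SYSTEM_SHELLS:
            continue                    # system account: never creates a home root
        home = home.rstrip("/") or "/"
        home_root = os.path.dirname(home)
        root_type = explicit_type(home_root, rules)
        if explicit_type(home, rules) is not None or root_type not in (None, HOME_ROOT_TYPE):
            warnings.append(
                "%s homedir %s or its parent directory conflicts with a defined "
                "context in %s, /usr/sbin/genhomedircon will not create a new context."
                % (name, home, fc_path))
        elif root_type is None and home_root not in to_label:
            to_label.append(home_root)  # no rule yet: label it home_root_t
    return to_label, warnings


if __name__ == "__main__":
    roots, warns = plan_home_roots(SAMPLE_PASSWD, SAMPLE_FILE_CONTEXTS)
    for w in warns:
        print(w)
    print("home roots to label %s: %s" % (HOME_ROOT_TYPE, roots))
```

Run as-is, the constructed /h rule makes bdas produce exactly the warning from the thread, the "odd" user (home directory directly under "/") reproduces the case where the parent to be labelled would be "/", alice is left alone because /home already carries home_root_t, and /export/people is the only new home root. Pointing the two parsers at real `getent passwd` output and the policy's file_contexts file shows which accounts a site's genhomedircon run will trip over before a policy module is loaded.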
* Re: genhomedircon errors with NIS
From: Bandan Das @ 2009-04-20 19:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux, Johnson, Richard
On Mon, 2009-04-20 at 15:08 -0400, Daniel J Walsh wrote:
> On 04/20/2009 02:54 PM, Bandan Das wrote:
> > Hello,
> >
> > This is a RHEL 5.3 system with SELinux configured in the targeted mode.
> > Whenever genhomedircon is invoked, either as part of loading a new
> > policy module or anything else, genhomedircon will report errors going
> > through the NIS database :
> >
> > bdas homedir /h/bdas or its parent directory conflicts with a
> > defined context in /etc/selinux/targeted/contexts/files/file_contexts,
> > /usr/sbin/genhomedircon will not create a new context. This usually
> > indicates an incorrectly defined system account. If it is a system
> > account please make sure its login shell is /sbin/nologin.
> >
> > /h is where the NIS home directory is automounted and the above message
> > appears for all the NIS users.
> >
> > As expected, running genhomedircon manually with the "-n" switch will
> > not spew these messages. If I look at file_contexts, I do not find any
> > specified context for /h.
> >
> >
> > Any ideas ?
> >
> >
> >
> genhomedircon is trying to label the directory above /h "/" to be
> home_root_t. It sees this directory and complains. I think the problem
> here is you actually have a user /h.
I am sure I don't have a user "/h" on my local system. I also did a
"ypcat passwd" and scanned all the users to see if there is anyone with
name "h" or "\h".
> What does the homedir of one of
> the users look like?
Do you mean on the NIS server ?
Here is one of the entries from "ypcat passwd" :
name:x:22832:263:First Last:/h/name:/bin/tcsh
> We have the ability to disable genhomedircon in Fedora 10 and beyond.
>
Can I somehow prevent genhomedircon from touching /h at all ? Using the
"-n" switch does make things different but I am not sure if it's going
to create any other problems.
Rich, I had found another similar bug :
https://bugzilla.redhat.com/show_bug.cgi?id=186594 but it appears to be
a different problem.
Thanks!
Bandan
--
BSD
* Re: genhomedircon errors with NIS
From: Daniel J Walsh @ 2009-04-20 19:50 UTC (permalink / raw)
To: Bandan Das; +Cc: selinux, Johnson, Richard
On 04/20/2009 03:36 PM, Bandan Das wrote:
> On Mon, 2009-04-20 at 15:08 -0400, Daniel J Walsh wrote:
>> On 04/20/2009 02:54 PM, Bandan Das wrote:
>>> Hello,
>>>
>>> This is a RHEL 5.3 system with SELinux configured in the targeted mode.
>>> Whenever genhomedircon is invoked, either as part of loading a new
>>> policy module or anything else, genhomedircon will report errors going
>>> through the NIS database :
>>>
>>> bdas homedir /h/bdas or its parent directory conflicts with a
>>> defined context in /etc/selinux/targeted/contexts/files/file_contexts,
>>> /usr/sbin/genhomedircon will not create a new context. This usually
>>> indicates an incorrectly defined system account. If it is a system
>>> account please make sure its login shell is /sbin/nologin.
>>>
>>> /h is where the NIS home directory is automounted and the above message
>>> appears for all the NIS users.
>>>
>>> As expected, running genhomedircon manually with the "-n" switch will
>>> not spew these messages. If I look at file_contexts, I do not find any
>>> specified context for /h.
>>>
>>>
>>> Any ideas ?
>>>
>>>
>>>
>> genhomedircon is trying to label the directory above /h "/" to be
>> home_root_t. It sees this directory and complains. I think the problem
>> here is you actually have a user /h.
> I am sure I don't have a user "/h" on my local system. I also did a
> "ypcat passwd" and scanned all the users to see if there is anyone with
> name "h" or "\h".
>
>> What does the homedir of one of
>> the users look like?
> Do you mean on the NIS server ?
> Here is one of the entries from "ypcat passwd" :
>
> name:x:22832:263:First Last:/h/name:/bin/tcsh
>
>> We have the ability to disable genhomedircon in Fedora 10 and beyond.
>>
> Can I somehow prevent genhomedircon from touching /h at all ? Using the
> "-n" switch does make things different but I am not sure if it's going
> to create any other problems.
>
> Rich, I had found another similar bug :
> https://bugzilla.redhat.com/show_bug.cgi?id=186594 but it appears to be
> a different problem.
>
> Thanks!
> Bandan
>
genhomedircon on RHEL5 is a python script so you can edit it and have it
exit on start or ignore /h
But if we update policycoreutils, your changes would get overwritten.
I believe this works but I never tried it.
Add the following to /etc/selinux/semanage.conf and it will use the
alternate script instead of the standard
[genhomedircon]
path = /usr/local/sbin/genhomedircon_modified
args = -t $@
[end]

[genhomedircon]
path = /usr/bin/true
args = -t $@
[end]
would cause it to always succeed and do nothing. ( I think.)
* Re: genhomedircon errors with NIS
From: Alexey S @ 2009-04-21 9:53 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Bandan Das, selinux, Johnson, Richard
On Mon, Apr 20, 2009 at 03:50:24PM -0400, Daniel J Walsh wrote:
> On 04/20/2009 03:36 PM, Bandan Das wrote:
>> ...
> genhomedircon on RHEL5 is a python script so you can edit it and have it
> exit on start or ignore /h
>
> But if we update policycoreutils, your changes would get overwritten.
>
> I believe this works but I never tried it.
>
> Add the following to /etc/selinux/semanage.conf and it will use the
> alternate script instead of the standard
>
>
> [genhomedircon]
> path = /usr/local/sbin/genhomedircon_modified
> args = -t $@
> [end]
>
> [genhomedircon]
> path = /usr/bin/true
> args = -t $@
> [end]
>
> would cause it to always succeed and do nothing. ( I think.)
Wouldn't it be better to not try to autogenerate the list of directories to be labeled
with home_root_t ?
Why is it impossible to generate that list once, save it somewhere in /etc/, and allow
the sysadmin to edit that list to suit his needs?
Make the first autogeneration loud and verbose and document that config everywhere.
You can't guess every possible system's configuration anyway.
--
Alexey S
* Re: genhomedircon errors with NIS
From: Daniel J Walsh @ 2009-04-21 12:00 UTC (permalink / raw)
To: Alexey S; +Cc: Bandan Das, selinux, Johnson, Richard
On 04/21/2009 05:53 AM, Alexey S wrote:
> On Mon, Apr 20, 2009 at 03:50:24PM -0400, Daniel J Walsh wrote:
>> On 04/20/2009 03:36 PM, Bandan Das wrote:
>>> ...
>> genhomedircon on RHEL5 is a python script so you can edit it and have it
>> exit on start or ignore /h
>>
>> But if we update policycoreutils, your changes would get overwritten.
>>
>> I believe this works but I never tried it.
>>
>> Add the following to /etc/selinux/semanage.conf and it will use the
>> alternate script instead of the standard
>>
>>
>> [genhomedircon]
>> path = /usr/local/sbin/genhomedircon_modified
>> args = -t $@
>> [end]
>>
>> [genhomedircon]
>> path = /usr/bin/true
>> args = -t $@
>> [end]
>>
>> would cause it to always succeed and do nothing. ( I think.)
> Wouldn't it be better to not try to autogenerate the list of directories to be labeled
> with home_root_t ?
> Why is it impossible to generate that list once, save it somewhere in /etc/, and allow
> the sysadmin to edit that list to suit his needs?
> Make the first autogeneration loud and verbose and document that config everywhere.
> You can't guess every possible system's configuration anyway.
>
Actually I am working on removing genhomedircon altogether in the
upstream. I would like to force the admins to tell us where the home
directories for each machine are located.
http://danwalsh.livejournal.com/27571.html
The semantics of figuring out what a home dir is and where to put labels
is very difficult and prone to error, as you are seeing. So having the
admin tell us, with perhaps a tool to help them, would be better than the
current situation. But this is for RHEL6 and RHEL5 is not likely to change.
* Re: genhomedircon errors with NIS
From: Bandan Das @ 2009-04-21 18:39 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux, Johnson, Richard
On Mon, 2009-04-20 at 15:50 -0400, Daniel J Walsh wrote:
> On 04/20/2009 03:36 PM, Bandan Das wrote:
> > On Mon, 2009-04-20 at 15:08 -0400, Daniel J Walsh wrote:
> >> On 04/20/2009 02:54 PM, Bandan Das wrote:
> >>> Hello,
> >>>
> >>> This is a RHEL 5.3 system with SELinux configured in the targeted mode.
> >>> Whenever genhomedircon is invoked, either as part of loading a new
> >>> policy module or anything else, genhomedircon will report errors going
> >>> through the NIS database :
> >>>
> >>> bdas homedir /h/bdas or its parent directory conflicts with a
> >>> defined context in /etc/selinux/targeted/contexts/files/file_contexts,
> >>> /usr/sbin/genhomedircon will not create a new context. This usually
> >>> indicates an incorrectly defined system account. If it is a system
> >>> account please make sure its login shell is /sbin/nologin.
> >>>
> >>> /h is where the NIS home directory is automounted and the above message
> >>> appears for all the NIS users.
> >>>
> >>> As expected, running genhomedircon manually with the "-n" switch will
> >>> not spew these messages. If I look at file_contexts, I do not find any
> >>> specified context for /h.
> >>>
> >>>
> >>> Any ideas ?
> >>>
> >>>
> >>>
> >> genhomedircon is trying to label the directory above /h "/" to be
> >> home_root_t. It sees this directory and complains. I think the problem
> >> here is you actually have a user /h.
> > I am sure I don't have a user "/h" on my local system. I also did a
> > "ypcat passwd" and scanned all the users to see if there is anyone with
> > name "h" or "\h".
> >
> >> What does the homedir of one of
> >> the users look like?
> > Do you mean on the NIS server ?
> > Here is one of the entries from "ypcat passwd" :
> >
> > name:x:22832:263:First Last:/h/name:/bin/tcsh
> >
> >> We have the ability to disable genhomedircon in Fedora 10 and beyond.
> >>
> > Can I somehow prevent genhomedircon from touching /h at all ? Using the
> > "-n" switch does make things different but I am not sure if it's going
> > to create any other problems.
> >
> > Rich, I had found another similar bug :
> > https://bugzilla.redhat.com/show_bug.cgi?id=186594 but it appears to be
> > a different problem.
> >
> > Thanks!
> > Bandan
> >
> genhomedircon on RHEL5 is a python script so you can edit it and have it
> exit on start or ignore /h
>
> But if we update policycoreutils, your changes would get overwritten.
>
> I believe this works but I never tried it.
>
> Add the following to /etc/selinux/semanage.conf and it will use the
> alternate script instead of the standard
>
>
> [genhomedircon]
> path = /usr/local/sbin/genhomedircon_modified
> args = -t $@
> [end]
>
> [genhomedircon]
> path = /usr/bin/true
> args = -t $@
> [end]
>
> would cause it to always succeed and do nothing. ( I think.)
>
> --
Thanks Daniel.
I just updated the original script itself. But as you said, an update on
policycoreutils will make my changes go away. So, I will stick to using
a custom script and editing semanage.conf. The other method of
using /usr/bin/true didn't work for me :(
--
BSD