We are using SSSD to authenticate users on CentOS servers. oddjobd-mkhomedir works perfectly fine when the default home directory is /home, but on a particular server, we had to change default home directory to /data, which is on a SAN mount.
Now, every time a user tries to log in, they are dropped into a bash shell with the following message.
Creating home directory for first.last.
Could not chdir to home directory /data/X.Y.local/first.last: No such file or directory
-bash-4.1$
I see the following AVC denial message for every attempt:
type=AVC msg=audit(1492004159.114:1428): avc: denied { create } for pid=2832
comm="mkhomedir" name="x.y.local"
scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:default_t:s0 tclass=dir
I have made sure to change the context for /data.
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 data
If /data has the same context as /home, why is SELinux restricting oddjobd from creating /data/X.Y.local/first.last?
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[UPDATE]
Not sure if this is the correct way to solve this, but after adding the following three entries, users are now able to log in and get to their home directories. For new users, directories are now created based on the contexts defined below.
semanage fcontext -a -t home_root_t /data
semanage fcontext -a -t user_home_dir_t /data/x.y.local
semanage fcontext -a -t user_home_t "/data/x.y.local(/.*)?"
Is this the correct way to get around this problem?
Best Answer
That last section with semanage fcontext is the correct way to permanently set the context, yes. You will need to run restorecon to have it take effect though. restorecon will take into account anything in /etc/selinux/targeted/contexts/files/file_contexts.local, which should have your custom fcontexts that you just added using semanage.
To set these contexts temporarily, refer to the chcon command:
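The full procedure from the answer, as an added example that is not part of the original question or answer: record the three fcontext rules from the question, apply them with restorecon, and then verify that the label actually on disk (stat -c %C) matches what the policy now expects (matchpathcon), which is the check that tells you whether restorecon still needs to run. The paths /data and /data/x.y.local come from the question; the function and variable names are this example's own, and the apply/check modes must be run as root on a host with semanage installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Relabel a non-standard
# SELinux home root and verify the on-disk labels against the policy.
# Assumed layout (from the question): /data is the home root and
# /data/x.y.local holds the per-user home directories.
set -eu

HOME_ROOT=/data
DOMAIN_DIR="$HOME_ROOT/x.y.local"

# Extract the type field (third colon-separated field) from a context
# such as system_u:object_r:home_root_t:s0 -> home_root_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when the on-disk context type equals the type the policy expects.
# Args: actual context (stat -c %C), expected context (matchpathcon -n)
label_matches() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Record the permanent rules (they land in file_contexts.local) and then
# apply them: the rules alone change nothing on disk, restorecon does.
apply_rules() {
    semanage fcontext -a -t home_root_t "$HOME_ROOT"
    semanage fcontext -a -t user_home_dir_t "$DOMAIN_DIR"
    semanage fcontext -a -t user_home_t "$DOMAIN_DIR(/.*)?"
    restorecon -Rv "$HOME_ROOT"
}

# Compare the policy's answer for one path with the label on disk.
check_path() {
    cp_path=$1
    cp_expected=$(matchpathcon -n "$cp_path")
    cp_actual=$(stat -c %C "$cp_path")
    if label_matches "$cp_actual" "$cp_expected"; then
        echo "OK       $cp_path $cp_actual"
    else
        echo "MISMATCH $cp_path on disk $cp_actual, policy expects $cp_expected (run restorecon)"
        return 1
    fi
}

# Walk the home root, the domain directory and every home directory in it.
check_all() {
    ca_status=0
    for p in "$HOME_ROOT" "$DOMAIN_DIR" "$DOMAIN_DIR"/*; do
        [ -e "$p" ] || continue
        check_path "$p" || ca_status=1
    done
    return $ca_status
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_all ;;
esac
```

Run it as `sh relabel-home.sh apply` once, then `sh relabel-home.sh check` after any new home directory is created; a MISMATCH line after apply means restorecon was not run (or the SAN mount was remounted without its labels). A single equivalence rule, `semanage fcontext -a -e /home /data`, is the usual shortcut: it makes the policy label everything under /data exactly as it would under /home, which yields the same home_root_t, user_home_dir_t and user_home_t layout as the three explicit rules above.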