Samba
rhel6 上 smb 共享的 pam_mount,主目錄不可用於登錄 - 可能是 SELinux?
我在 RHEL 6 x86_64 系統上使用 Fedora 12 pam_mount / libHX RPM 從配置了僅 NTFS 安全性的 NetApp 系統自動掛載主目錄
AD 綁定登錄工作正常 - 我在使其自動掛載和映射使用者 homedir 共享時遇到問題。它最初抱怨權限被拒絕,但後來我可以 cd 到主目錄。
$ ssh username@hostname NOTE: This system is for the use of authorized users only username@hostname's password: Last login: Mon Feb 27 10:54:09 2012 from another.hostname Could not chdir to home directory /home/AD/username: Permission denied -bash-4.1$ cd -bash-4.1$ pwd /home/AD/username
這是 /etc/security/pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> <pam_mount> <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,workgroup,nosetuids,noexec,nosuid,noserverino" /> <mntoptions require="nosuid,nodev" /> <logout wait="2" hup="0" term="yes" kill="0" /> <mkmountpoint enable="1" remove="true" /> <debug enable="0" /> <volume fstype="cifs" server="home.ad" path="%(USER)" mountpoint="/home/AD/%(USER)" options="workgroup=ad,uid=%(USER),dir_mode=0700,file_mode=0700,nosuid,nodev,noserverino" /> </pam_mount>
這是 /etc/pam.d/password-auth:
# cat /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_mount.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth sufficient pam_winbind.so use_first_pass auth required pam_deny.so account required pam_access.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password sufficient pam_winbind.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_oddjob_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_mount.so session optional pam_krb5.so
在登錄時,我在 /var/log/messages 中看到以下錯誤:
Feb 27 14:28:49 hostname kernel: type=1400 audit(1330381729.009:4304): avc: denied { search } for pid=3855 comm="sshd" name="/" dev=cifs ino=143 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cifs_t:s0 tclass=dir
僅僅關閉 SELinux 不是一種選擇——我想弄清楚如何修復它,因為我認為這是根本原因。有人可以給我一些指示嗎?
預設情況下,似乎沒有任何相關政策允許這樣做。這是因為 pam 正在 sshd_t 上下文中載入模組並嘗試做一些通常與 sshd_t 類型應該做的事情無關的時髦的東西。
要修復此問題,請在文件中使用以下內容,可能稱其為 mysshd.te;
policy_module(mysshd, 0.0.1) gen_require(` type cifs_t; type sshd_t; ') read_files_pattern(sshd_t, cifs_t, cifs_t, { file, dir}) # If that doesnt work, try this #manage_files_pattern(sshd_t, cifs_t, cifs_t {file, dir})
通過執行以下命令編譯它:
make -f /usr/share/selinux/devel/Makefile
製作並載入它:
make -f /usr/share/selinux/devel/Makefile load
然後,再試一次。