(misc)-> Why I hate Selinux (Could not chdir to home directory Permission denied)
submited by Russell Mon 13 Apr 09|
Edited Thu 19 Aug 10
so I created a new /home directory via LVM edited fstab so it would mount at boot then moved the old /home contents into the new one. |
But then I get this:
To this my first reaction is WTF? I mean how can I not login to the directory, but then change to it without a problem. I googled on the error message for a while, and I found a bunch of stuff telling me that the problem was that somehow the permissions on / were wrong. (how do you even get ls to show you these ?? ) But that wasn't it. I tried deleting and re-creating the user.. didn't work . I tried moving the user directory back to the root partition.. (and updating /etc/passwd) still failed..
$ ssh 192.168.0.37
Last login: Mon Apr 13 08:43:57 2009 from 192.168.0.11
Could not chdir to home directory /home/russell: Permission denied
[russell@auxbackup /]$ cd
[russell@auxbackup ~]$ pwd
After way too much time screwing with this, I remembered that selinux is implemented as a security level ontop of the file permissions. I changed the current selinux enforcing mode to "Permissive" and suddenly it started working. I could login without getting that error.
it turns out that the new home directoy I created had the permitions :
drwxr-xr-x root root system_u:object_r:file_t:s0 home
but should have been:
drwxr-xr-x root root system_u:object_r:home_root_t:s0 home
This problem can be corrected with this command (as root or sudo)
chcon -t home_root_t /home
What is so insidious about this is that because most applications arn't selinux aware (like apparently bash), they give error messages that are exactly the same as the error messages they would give for traditional file permission problems. This gives the error's recipient no clue where to look for the problem.
I really like the *idea* of selinux security. I like the *idea* that you can limit exactly what a program can do based on a set of rules. So, if it goes rouge or is comprimised the scope of possible damage is very limited. But I think the only effective way implement it is to make sure every application that does file access is upgraded so that it can know why the access was limited. ...
Either that, or selinux enforcing systems should ship with all files and directories set to 777 (rwxrwxrwx for all users ) so all the controls are handled *only* at the selinux level.
Got 500 OOPS: cannot change directory:/home/user from vsftp. Turns out to be a selux problem:
this fix worked.
getsebool -a | grep ftp
setsebool -P ftp_home_dir on
getsebool -a | grep ftp
selinux and samba (smb.conf) (Russell)
disable selinux from the command line (Russell)
SELinux is of the devil (Dandapani)
(no title provided) (Anonymous)
Add comment or question...: