Created attachment 297219: selinux module

This fix requires oddjob (from upstream) to be installed as an SELinux module. It also requires /sbin/mkhomedir_helper to be labeled oddjob_mkhomedir_exec_t.

We could also dontaudit this if we want, but since it should only occur during the first login, it might be alright to keep around.

type=AVC msg=audit(1325087090.549:751): avc: denied { search } for pid=13389 comm="mkhomedir_helpe" name="sys" dev=proc ino=4026531852 scontext=system_u:system_r:oddjob_mkhomedir_t tcontext=system_u:object_r:sysctl_t tclass=dir
type=SYSCALL msg=audit(1325087090.549:751): arch=c000003e syscall=2 success=no exit=-13 a0=6c166ac4ca10 a1=0 a2=1b6 a3=0 items=0 ppid=13386 pid=13389 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:oddjob_mkhomedir_t key=(null)
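The comment above leaves two options open for the denial it quotes: allow the search on sysctl_t, or dontaudit it. The script below is an added example, not part of the bug report or of the attached policy module: a minimal, audit2allow-style translator that parses AVC denial records into the corresponding allow or dontaudit rule. The sample log is constructed from the two audit records quoted in the comment and embedded so the script runs without auditd; the function names (field, type_of, avc_to_rule, log_to_rules) are this example's own.

```shell
#!/bin/sh
# Added example: turn AVC denial records into allow/dontaudit policy rules.
# This is a small stand-in for audit2allow, not the tool itself.

# Constructed sample input: the AVC and SYSCALL records quoted in the bug,
# embedded here so the script runs offline.
SAMPLE_LOG='type=AVC msg=audit(1325087090.549:751): avc: denied { search } for pid=13389 comm="mkhomedir_helpe" name="sys" dev=proc ino=4026531852 scontext=system_u:system_r:oddjob_mkhomedir_t tcontext=system_u:object_r:sysctl_t tclass=dir
type=SYSCALL msg=audit(1325087090.549:751): arch=c000003e syscall=2 success=no exit=-13 a0=6c166ac4ca10 a1=0 a2=1b6 a3=0 items=0 ppid=13386 pid=13389 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66 comm="mkhomedir_helpe" exe="/sbin/mkhomedir_helper" subj=system_u:system_r:oddjob_mkhomedir_t key=(null)'

# field RECORD KEY: print the value of " KEY=value" from an audit record
# (empty if the key is absent). The leading space avoids matching
# "scontext=" when asked for "context=".
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# type_of CONTEXT: the type is the third field of user:role:type[:mls].
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule RECORD [allow|dontaudit]: emit one rule for an AVC denial.
# Returns 1 and prints nothing for records that are not AVC denials
# (e.g. the SYSCALL record that accompanies every denial).
avc_to_rule() {
    line=$1
    kind=${2:-allow}
    case $line in
        *"avc:  denied"*|*"avc: denied"*) ;;   # kernel prints two spaces; copies often one
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p')
    set -- $perms            # collapse the whitespace inside "{ ... }"
    perms=$*
    sdom=$(type_of "$(field "$line" scontext)")
    ttype=$(type_of "$(field "$line" tcontext)")
    tclass=$(field "$line" tclass)
    [ -n "$sdom" ] && [ -n "$ttype" ] && [ -n "$tclass" ] && [ -n "$perms" ] || return 1
    printf '%s %s %s:%s { %s };\n' "$kind" "$sdom" "$ttype" "$tclass" "$perms"
}

# log_to_rules [allow|dontaudit] < audit.log: one rule per distinct denial.
log_to_rules() {
    while IFS= read -r line; do
        avc_to_rule "$line" "$1" || :
    done | sort -u
}

# Stand-alone demonstration: both forms for the denial quoted in the bug.
printf '%s\n' "$SAMPLE_LOG" | log_to_rules allow
printf '%s\n' "$SAMPLE_LOG" | log_to_rules dontaudit
```

Feed it `ausearch -m avc -ts recent` output (or a copied audit.log) on stdin; whichever form you pick, a rule emitted this way still belongs inside the oddjob module's own .te rather than in a local policy, so that the decision ships with the policy package.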
Action plan:
- Have ssh.te updated to call the oddjob stuff optionally (and send upstream)
- Mark the helper application (/sbin/mkhomedir_helper) correctly (and send upstream)
- Create a sec-policy/selinux-oddjob package (pending)
- Have sys-libs/pam pull this package in as a dependency

Will be part of rev 10.
In hardened-dev overlay
Pushed to main tree, ~arch
Marked as stable in tree