Permission denied rb_file_s_lstat with SELinux and local home directories

Hi,

I have OnDemand installed on two servers, both with SELinux enabled. Both servers use local (i.e. not NFS) home directories and appropriate SE booleans have been set, following the documentation:

use_nfs_home_dirs --> off
ondemand_use_nfs --> off
ondemand_manage_user_home_dir --> on

When I try to use the Files app, I see the following error message:

Initially, nothing relevant is shown within /var/log/audit/audit.log; however, if I disable SELinux via setenforce 0, then I can use the Files app without seeing this error. When I reactivate SELinux, this error returns.

Following some hints in $Home Directory Doesn't Exist (CAS, SELinux, & University Controlled AD) I disabled the SELinux filtering via semodule -DB and then found the following relevant entry in /var/log/audit/audit.log:

type=AVC msg=audit(1666728916.263:393): avc:  denied  { getattr } for  pid=3820 comm="utils.rb:110" path="/home/dvi322/.config" dev="vda1" ino=419446355 scontext=system_u:system_r:ood_pun_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir permissive=0

Would you have any ideas on how to fix this? Many thanks in advance and thanks for all the great work you do for the OnDemand software.

Hey thanks for posting.

I am not sure what is happening here as SELinux can be a bit tricky. @tdockendorf you may have better insight into this, any clue what they need to do to clear the SELinux errors?

First a word of warning. Local home directories almost never work with OnDemand since OnDemand will write files to user’s home that are expected to be accessible on compute nodes. The time when it works is if OnDemand is on the NFS server so the $HOME is local to OnDemand but served as NFS to compute.

That said, to address the SELinux issues first try this to see if the context on $HOME/.config is correct:

restorecon -R -n -v /home/dvi322/.config

If the command outputs anything, remove the -n flag to restore the correct contexts. OnDemand expects to be able to access things with user_home_dir_t when the ondemand_manage_user_home_dir is enabled.

If the contexts don’t change with restorecon the next step is to generate a custom SELinux policy. When dealing with the “dontaudit” denials, it gets really tricky. These are my recommended steps:

# Make sure system and OnDemand is relatively idle and not used
# Truncate audit log
> /var/log/audit/audit.log
# Disable dontaudit
semodule -DB
# Do things in OnDemand that are blocked with SELinux
# Then turn dontaudit back on
semodule -B
# Now generate custom policy
cat /var/log/audit/audit.log | audit2allow -M ood
semodule -i ood.pp

There will likely be more denials besides the getattr if OnDemand is trying to do anything besides getattr on the ~/.config location. So you might have to repeat the steps and gradually build up a more complete custom policy. Once you get things working with your custom policy, you can share the contents of ood.te from the audit2allow command and we can try and integrate those changes into the OnDemand SELinux policy.

Also be aware that when you disable the “dontaudit” you will likely get a lot of noise in the custom policy you might have to clean up. Anything that doesn’t pertain to ood_pun_t is likely not related to OnDemand and just system noise.
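The reply above describes the audit2allow workflow and warns that a dontaudit-disabled log is mostly noise. The script below is an added example, not code from the thread or from the OnDemand project: it filters an audit log down to the AVC denials whose source type is ood_pun_t, prints a one-line-per-permission summary so the resulting rule can be reviewed before anything is installed, and wraps the privileged steps from the reply in a function that is defined but not run. The sample log is constructed for offline use; only its first line mirrors the denial quoted in the original post, and the output filename ood-avc.log is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or OnDemand). Constructed sample log: the
# first line mirrors the poster's denial; the rest is made-up system noise.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1666728916.263:393): avc:  denied  { getattr } for  pid=3820 comm="utils.rb:110" path="/home/dvi322/.config" dev="vda1" ino=419446355 scontext=system_u:system_r:ood_pun_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1666728917.001:394): avc:  denied  { read open } for  pid=3820 comm="utils.rb:110" path="/home/dvi322/.config" dev="vda1" ino=419446355 scontext=system_u:system_r:ood_pun_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1666728918.420:395): avc:  denied  { read } for  pid=812 comm="chronyd" name="drift" dev="vda1" ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyd_var_lib_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1666728919.000:396): pid=900 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication acct="dvi322" exe="/usr/sbin/sshd" res=success'
EOF

# Keep only AVC denials whose source (process) context type is ood_pun_t.
# With dontaudit disabled everything else is unrelated system noise.
# No match is not an error, hence the trailing || true.
filter_ood_avc() {
    grep -E 'avc: +denied' "$1" | grep -E 'scontext=[^ ]*:ood_pun_t:' || true
}

# Print "source_type target_type class permission", one line per denied
# permission, de-duplicated. This is the shape of the allow rule audit2allow
# will generate, so review it before installing a module.
summarize_avc() {
    awk '{
        inperm = 0; s = t = c = "?"; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { p[++n] = $i; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        for (i = 1; i <= n; i++) print s, t, c, p[i]
    }' "$1" | sort -u
}

# The privileged workflow from the reply, to be run as root on the OnDemand
# host while it is idle. Defined only; nothing below calls it.
build_ood_policy() {
    : > /var/log/audit/audit.log            # truncate so the log holds only this session
    semodule -DB                            # rebuild policy with dontaudit rules disabled
    printf 'Reproduce the failing OnDemand actions now, then press Enter: '
    read -r _
    semodule -B                             # turn dontaudit back on
    out=$(mktemp /tmp/ood-avc.XXXXXX)       # filtered denials, ood_pun_t only (assumed name)
    filter_ood_avc /var/log/audit/audit.log > "$out"
    summarize_avc "$out"                    # read this before going further
    audit2allow -M ood -i "$out"            # writes ood.te and ood.pp in the current dir
    echo "Inspect ood.te, then install with: semodule -i ood.pp"
}

# Offline demonstration on the constructed sample.
filter_ood_avc "$SAMPLE_LOG" > "$SAMPLE_LOG.ood"
summarize_avc "$SAMPLE_LOG.ood"
```

On the sample the summary shows only ood_pun_t against config_home_t on class dir with getattr, open and read; the chronyd and USER_AUTH records are dropped. Feeding the filtered file to audit2allow rather than the whole log is what keeps the unrelated rules out of ood.te. Note that audit2allow emits exactly the permissions it saw, so repeat the capture until the summary stops growing, and read ood.te before semodule -i: the generated module is a blanket allow for those type pairs, which is the intended outcome here but should still be checked against what the Files app actually needs.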