Re: F12 beta, ldap authentication and NFS mounted home

On Thu, 22 Oct 2009 08:28:04 -0400
Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >> I upgraded a machine from F10 to F12 beta - it's a client machine
> >> that mounts /home over NFS and authenticates over LDAP (however,
> >> it's a Mac server that sets /home as /Volumes/Homes, which I have
> >> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >> log in via SSH or the console, but the graphical login fails when
> >> clicking "log in" with the following selinux error:
> >>
> >> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >> access on Homes.
> >>
> >> I've attached the full sealert, am I missing something
> >> obvious/simple?
> >>
> > 
> > FWIW, I had something similar with gdm-greeter, I think. I also had
> > a different problem[1] with gdm so I didn't give it much attention
> > at the time.
> > 
> I need to see the AVC in /var/log/audit/audit.log to make sure I know
> the reason.
> 

OK, I spent a bit more time on this today (sorry for the late response,
been busy with all these new operating systems this week!).  Upon
login, I get the audit_1.log (see attached), and upon firing up startx,
I get audit_2.log - it seems the link to /home is what's causing the
problem, audit2allow suggests

allow local_login_t default_t:lnk_file read;
allow consolekit_t default_t:lnk_file read;

but I'm not sure that's the "proper" solution - would it be better to
set /Volumes/Homes as the NFS mount and /home as a pointer to it?

-Tim

-- 
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS

type=USER_AUTH msg=audit(1256337847.406:24021): user pid=1702 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=USER_ACCT msg=audit(1256337847.512:24022): user pid=1702 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=LOGIN msg=audit(1256337847.528:24023): login pid=1702 uid=0 old auid=4294967295 new auid=1029 old ses=4294967295 new ses=3
type=USER_ROLE_CHANGE msg=audit(1256337847.640:24024): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=USER_START msg=audit(1256337848.080:24025): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.085:24026): avc:  denied  { read } for  pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.085:24026): arch=c000003e syscall=4 success=no exit=-13 a0=18a7b00 a1=7fff9b0e1060 a2=7fff9b0e1060 a3=0 items=0 ppid=1 pid=1702 auid=1029 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=3 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=CRED_ACQ msg=audit(1256337848.199:24027): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.200:24028): avc:  denied  { read } for  pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.200:24028): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9b0e2950 a1=0 a2=0 a3=7fff9b0e1360 items=0 ppid=1 pid=1702 auid=1029 uid=0 gid=0 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=tty3 ses=3 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_LOGIN msg=audit(1256337848.204:24029): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=1029 exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.218:24030): avc:  denied  { read } for  pid=2066 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.218:24030): arch=c000003e syscall=80 success=no exit=-13 a0=180fe80 a1=0 a2=0 a3=7fff9b0e1370 items=0 ppid=1702 pid=2066 auid=1029 uid=1029 gid=20 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=tty3 ses=3 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256337974.899:24031): avc:  denied  { read } for  pid=2205 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337974.899:24031): arch=c000003e syscall=21 success=no exit=-13 a0=7fff63c7ef54 a1=4 a2=3 a3=7fff63c7ce80 items=0 ppid=2204 pid=2205 auid=4294967295 uid=1029 gid=20 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
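
The triage behind the audit2allow suggestion above, as an added example that is not part of Tim's post or of any Fedora tool: it parses the type=AVC records from the attached logs (copied here as a constructed sample, with the SYSCALL record abridged), folds them into audit2allow-style allow rules, and separately lists every denied object whose label is default_t. default_t is what the catch-all file-contexts entry assigns to a path no more specific rule matches, so a denial on it points at a mislabelled object (here the /Volumes/Homes symlink) rather than at a domain that needs broader policy. The function and variable names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC records from the attached audit logs
# (the SYSCALL record is abridged) so the script runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1256337848.085:24026): avc:  denied  { read } for  pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.085:24026): arch=c000003e syscall=4 success=no exit=-13 comm="login" exe="/bin/login"
type=AVC msg=audit(1256337848.200:24028): avc:  denied  { read } for  pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256337974.899:24031): avc:  denied  { read } for  pid=2205 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict, or return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # The type is the third field of user:role:type[:range].
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rules(lines):
    """Aggregate denials into audit2allow-style allow rules.

    Rules are keyed on (source type, target type, class), so every denied
    permission for the same triple is folded into one rule, as audit2allow does.
    """
    wanted = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in wanted.items():
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def unlabeled_targets(lines):
    """Return the distinct denied objects whose target type is default_t.

    default_t is the label the catch-all file-contexts entry gives a path that
    no more specific rule matches, so a denial on it usually means the object
    is mislabelled rather than that the domain needs broader policy.
    Each entry is (name, dev, ino, tclass, sorted list of denied source types).
    """
    seen = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["ttype"] != "default_t":
            continue
        key = (rec.get("name"), rec.get("dev"), rec.get("ino"), rec["tclass"])
        seen.setdefault(key, set()).add(rec["stype"])
    return [(name, dev, ino, tclass, sorted(domains))
            for (name, dev, ino, tclass), domains in seen.items()]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("# audit2allow-style rules (type-level: they cover every default_t symlink, not just this one):")
    for rule in allow_rules(lines):
        print(rule)
    print("# objects labelled default_t (candidates for relabelling instead of an allow rule):")
    for name, dev, ino, tclass, domains in unlabeled_targets(lines):
        print(f"{tclass} {name!r} on {dev} ino {ino}, denied to: {', '.join(domains)}")
```

The point of the second list is the caveat on the audit2allow output: an allow rule is written in terms of types, so `allow local_login_t default_t:lnk_file read;` would let the login domain read every symlink on the box that carries the catch-all label, not only /Volumes/Homes. Before loading such a rule, `matchpathcon /Volumes/Homes` shows what label the installed file contexts expect for that path; if it already differs from default_t, `restorecon -v /Volumes/Homes` is the whole fix, and if the expected label is also default_t, a `semanage fcontext` entry for the path followed by restorecon relabels just that object. Which type that entry should carry is exactly the question left open in the thread above.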
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
