On Sat, 24 Oct 2009 07:58:47 -0400
Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> On 10/23/2009 07:08 PM, Tim Fenn wrote:
> > On Thu, 22 Oct 2009 08:28:04 -0400
> > Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> >
> >> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> >>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >>>> I upgraded a machine from F10 to F12 beta - it's a client machine
> >>>> that mounts /home over NFS and authenticates over LDAP (however,
> >>>> it's a mac server that sets /home as /Volumes/Homes, which I have
> >>>> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >>>> log in via SSH or the console, but the graphical login fails when
> >>>> clicking "log in" with the following selinux error:
> >>>>
> >>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >>>> access on Homes.
> >>>>
> >>>> I've attached the full sealert, am I missing something
> >>>> obvious/simple?
> >>>>
> >>>
> >>> FWIW, I had something similar with gdm-greeter, I think. I also
> >>> had a different problem[1] with gdm so I didn't give it much
> >>> attention at the time.
> >>>
> >> I need to see the AVC in /var/log/audit/audit.log to make sure I
> >> know the reason.
> >>
> >
> > OK, I spent a bit more time on this today (sorry for the late
> > response, been busy with all these new operating systems this
> > week!). Upon login, I get the audit_1.log (see attached), and upon
> > firing up startx, I get audit_2.log - it seems the link to /home is
> > what's causing the problem, audit2allow suggests
> >
> > allow local_login_t default_t:lnk_file read;
> > allow consolekit_t default_t:lnk_file read;
> >
> > but I'm not sure that's the "proper" solution - would it be better to
> > set /Volumes/Homes as the NFS mount and /home as a pointer to it?
> >
> > -Tim
> >
> Looks like a labeling problem.
>
> The problem looks like you have users' home directories in a
> separate location. And it is not labeled correctly.
>
> The symbolic link is labeled with the default label, and the login
> programs are not able to read this link.
>
> You probably need to label it something like user_home_dir_t.
>
> Homes is the link.
>
> Is /volume/homes a symbolic link to /home?
>
> Are the users' home dirs local or on another machine mounted via nfs?
>

/home was the NFS mount, /volumes/homes was the symbolic link to it. If
I do the opposite (/volumes/homes as the NFS mount, /home as a link
to /volumes/homes), I don't see any selinux avc errors. I'll leave it
at that for now, but let me know if you'd like additional information
or try out anything to further debug/test things.

-tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS
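Added example, not part of the thread or the posters' attachments: a small triage script that separates AVC denials whose target carries a generic "never labeled" type (the `default_t` symlink case discussed above) from denials that need a real policy review, so that an audit2allow rule is not applied where a relabel is the fix. The audit records are constructed samples, and the set of generic types is an assumption of this example.

```python
import re

# Constructed AVC records modeled on the denial described in the thread
# (not the poster's attached audit logs); pids, inodes and times are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1256300000.101:41): avc:  denied  { read } for  pid=2101 comm="login" name="Homes" dev=dm-0 ino=131 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256300050.202:57): avc:  denied  { read } for  pid=2250 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=131 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256300090.303:63): avc:  denied  { name_bind } for  pid=2300 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# Assumption of this example: these generic types usually mean the object was
# never given a specific label, not that policy is missing an allow rule.
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(audit_text):
    """Split denials into labeling problems and ones needing policy review."""
    relabel, review = [], []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        summary = (rec["stype"], rec["ttype"], rec["tclass"], rec.get("name"))
        (relabel if rec["ttype"] in UNLABELED_TYPES else review).append(summary)
    return relabel, review

if __name__ == "__main__":
    relabel, review = triage(SAMPLE_AUDIT)
    for stype, ttype, tclass, name in relabel:
        print(f"relabel {name!r} ({tclass}, {ttype}) instead of allowing {stype} to read it")
    for stype, ttype, tclass, name in review:
        print(f"review policy: {stype} -> {ttype}:{tclass}")
```
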