Bug 119597
| Field | Value |
|---|---|
| Summary | cannot login -- cannot find home directory |
| Product | [Fedora] Fedora |
| Component | policy |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Gene Czarcinski <gczarcinski> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | devscott, leonard-rh-bugzilla, pgraner, tjsmith |
| Doc Type | Bug Fix |
| Last Closed | 2004-05-11 11:11:33 UTC |
| Bug Blocks | 122683 |

Description
Gene Czarcinski
2004-03-31 20:08:39 UTC
*** Bug 119658 has been marked as a duplicate of this bug. ***

Not sure what caused this, but today's policy seems to work 1.9.2-1

Doesn't work here (policy-1.9.2-1 and policycoreutils-1.9-19) - I cannot login via gdm at all (neither as root nor normal user: home directory does not exist) unless I turn enforcing off. I relabeled the filesystem and rebooted after upgrading.

I also updated. I also have the problem back. Here are the messages I get when I try to login (from /var/log/messages):

```
Apr 2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user czarcing by (uid=0)
Apr 2 04:18:03 hummer kernel: audit(1080897483.768:0): avc: denied { getattr } for pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr 2 04:18:03 hummer gdm[12970]: gdm_slave_session_start: Home directory for czarcing: '/home/czarcing' does not exist!
Apr 2 04:18:09 hummer gdm(pam_unix)[12970]: session closed for user czarcing
```

Add `allow xdm_t $1_home_dir_t:dir { getattr };` to /etc/security/selinux/src/policy/macros/base_user_macros.te under the xdm section, then type `make -C /etc/security/selinux/src/policy load`

This is fixed in policy-1.9.2-5

*** Bug 119764 has been marked as a duplicate of this bug. ***

OK, I am still getting something wrong. I added the "allow" line to the end of the file and get:

```
/usr/bin/checkpolicy -o /etc/security/selinux/policy.16 /etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
macros/base_user_macros.te:332:WARNING 'unrecognized character' at token '$' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
macros/base_user_macros.te:332:ERROR 'syntax error' at token '1' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
```

You put it in the wrong place. It needs to be with the other xdm stuff. Basically this is within a macro so if you look for xdm_t in the file and put this line after it the $1 will get translated.

Dan

Success! I believe I really need to read those papers on SELinux policy so that I can understand how to fix and/or understand policy related problems better. Suggestion ... when suggesting adding something to a file, put your suggestion into more or less "patch" format so that we (who do not understand the fine points) can get it right the first time ... you said add a line so I added it to the end of the file.

I will do that. I am also considering putting updated policy for people to try on my people page, so you don't have to wait twenty four hours.

Dan

Install from CD on 3-31 was okay. I got this same problem after doing a yum update on 4-1 (about 150 packages). I believe a policy update was in the mix. I could only get into the failsafe session as root/staff_r. Had to newrole -r sysadm_r to run as real root. setfiles /home didn't fix the problem. Neither did fixfiles relabel (and reboot). Looking in /etc/security/selinux I found a policy.15 file and a policy.16 file. The policy.16 file was date stamped as the original install from CD. The policy.15 file was date stamped March 24, which I assume was time of packaging. I moved the policy.16 file to /root leaving only file_contexts and policy.15 in the selinux directory. When I went to logout gdm got caught in a loop trying to restart over and over. A three-finger salute took the system down via init6. After the reboot, the system is AOK. Login with home directory and enforcement is on. No scientific analysis was done here. I just "tried something" and it worked. Hope this helps.

Phil

I'm still having problems here. I loaded the updated policy and rebooted. Things initially looked fine, but after logging in via gdm as my normal user, I discovered I couldn't start many processes. I logged out, and X11 won't start any more. I got stuck in the start-fail-retry loop with X until it gave up. I ran another fixfiles and rebooted, but no changes. Still throwing multiple denied messages like so:

```
Apr 2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc: denied { read append } for pid=1668 exe=/usr/bin/gdm-binary name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_xauth_t tclass=file
```

and

```
Apr 2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc: denied { write } for pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4 ino=32513 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 2 21:29:52 pontifex gdm[1668]: run_session_child: Could not open ~/.xsession-errors
```

Probably related, gnome failsafe login session fails to start a terminal. A full login works, but unable to start many common apps, like Mozilla. Policy and kernel version are: policy-1.9.2-5 kernel-2.6.4-1.300

- Scott

Is the issue in comment #14 resolved?