Bug 119597

Summary: cannot login -- cannot find home directory
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: devscott, leonard-rh-bugzilla, pgraner, tjsmith
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2004-05-11 11:11:33 UTC Type: ---
Bug Blocks: 122683    

Description Gene Czarcinski 2004-03-31 20:08:39 UTC
Description of problem:

After applying the latest updates for policy/policy-sources 1.9.1-4
and policycoreutils 1.9-16 from development, I could not login from
gdm (could from a VT).

Reinstalled 1.9.1-2 (policy and policy sources) and 1.9-16
(policycoreutils) and everything works again.

Comment 1 Bill Nottingham 2004-04-01 06:06:22 UTC
*** Bug 119658 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2004-04-01 18:15:20 UTC
Not sure what caused this, but today's policy seems to work
1.9.2-1

Comment 3 Daniel Walsh 2004-04-01 18:15:35 UTC
Not sure what caused this, but today's policy seems to work
1.9.2-1

Comment 4 Miloš Komarčević 2004-04-02 00:17:27 UTC
Doesn't work here (policy-1.9.2-1 and policycoreutils-1.9-19) - I
cannot login via gdm at all (neither as root nor normal user: home
directory does not exist) unless I turn enforcing off.
I relabeled the filesystem and rebooted after upgrading.

Comment 5 Gene Czarcinski 2004-04-02 06:30:17 UTC
I also updated.  I also have the problem back.

Comment 6 Gene Czarcinski 2004-04-02 09:18:29 UTC
Here are the messages I get when I try to login (from /var/log/messages):

Apr  2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user
czarcing by (uid=0)
Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied 
{ getattr } for  pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing
dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t
tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr  2 04:18:03 hummer gdm[12970]: gdm_slave_session_start: Home
directory for czarcing: '/home/czarcing' does not exist!
Apr  2 04:18:09 hummer gdm(pam_unix)[12970]: session closed for user
czarcing

Comment 7 Daniel Walsh 2004-04-02 13:38:23 UTC
add

allow xdm_t $1_home_dir_t:dir { getattr };

to 

/etc/security/selinux/src/policy/macros/base_user_macros.te
under the xdm section,

then type 

make -C /etc/security/selinux/src/policy load

This is fixed in policy-1.9.2-5



Comment 8 Scott Sloan 2004-04-02 14:04:12 UTC
*** Bug 119764 has been marked as a duplicate of this bug. ***

Comment 9 Gene Czarcinski 2004-04-02 14:17:38 UTC
OK, I am still getting something wrong.  I added the "allow" line to
the end of the file and get:

/usr/bin/checkpolicy  -o /etc/security/selinux/policy.16
/etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy:  loading policy configuration from
/etc/security/selinux/src/policy.conf
macros/base_user_macros.te:332:WARNING 'unrecognized character' at
token '$' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
  
macros/base_user_macros.te:332:ERROR 'syntax error' at token '1' on
line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
  
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration

Comment 10 Daniel Walsh 2004-04-02 14:32:43 UTC
You put it in the wrong place. It needs to be with the other xdm stuff.  
Basically this is within a macro so if you look for xdm_t in the file
and put this line after it the $1 will get translated.

Dan
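
Added example (not part of the original bug comments and not the policy project's code): a small parser that turns the AVC denials quoted in comments 6 and 14 into candidate allow rules, rewriting a per-role type such as staff_home_dir_t into the $1_ form that only expands inside the macro in base_user_macros.te. The ROLE_PREFIXES list and all function names are assumptions made for this illustration.

```python
import re

# Denials from comments 6 and 14, re-joined onto one line each, plus one
# non-AVC line from comment 6.
SAMPLE_LOG = [
    "Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied  { getattr } for  pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t tcontext=czarcing:object_r:staff_home_dir_t tclass=dir",
    "Apr  2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc:  denied  { read append } for  pid=1668 exe=/usr/bin/gdm-binary name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_xauth_t tclass=file",
    "Apr  2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user czarcing by (uid=0)",
]

# Assumption: the per-role prefixes that the user macro receives as $1.
ROLE_PREFIXES = ("staff", "sysadm", "user")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the fields of an AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type[:level]; the type is the third field.
        "source": m.group("scon").split(":")[2],
        "target": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
    }

def allow_rule(avc, role_prefixes=()):
    """Render the rule; a leading role prefix on the target becomes $1."""
    target = avc["target"]
    for prefix in role_prefixes:
        if target.startswith(prefix + "_"):
            target = "$1" + target[len(prefix):]
            break
    return "allow %s %s:%s { %s };" % (
        avc["source"], target, avc["tclass"], " ".join(avc["perms"]))

def per_role_rules(rule, roles):
    """Mimic the macro call: $1 is replaced once per role it is invoked for."""
    return [rule.replace("$1", role) for role in roles]

if __name__ == "__main__":
    for entry in filter(None, map(parse_avc, SAMPLE_LOG)):
        print(allow_rule(entry, ROLE_PREFIXES))
```

For the first denial this prints the same line given in comment 7. A derived rule only restates what was denied, so it still has to be reviewed before it goes into policy.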

Comment 11 Gene Czarcinski 2004-04-02 14:51:02 UTC
Success!

I believe I really need to read those papers on SELinux policy so that
I can understand how to fix and/or understand policy related problems
better.

Suggestion ... when suggesting adding something to a file, put your
suggestion into more or less "patch" format so that we (who do not
understand the fine points) can get it right the first time ... you
said add a line so I added it to the end of the file.

Comment 12 Daniel Walsh 2004-04-02 14:59:23 UTC
I will do that.  I am also considering putting updated policy for
people to try on my people page, so you don't have to wait twenty four
hours.

Dan

Comment 13 Phil Moors 2004-04-02 16:34:40 UTC
Install from CD on 3-31 was okay. I got this same problem after doing
a yum update on 4-1 (about 150 packages). I believe a policy update
was in the mix.

I could only get into the failsafe session as root/staff_r. Had to
newrole -r sysadm_r to run as real root. setfiles /home didn't fix the
problem. Neither did fixfiles relabel (and reboot).

Looking in /etc/security/selinux I found a policy.15 file and a
policy.16 file. The policy.16 file was date stamped as the original
install from CD. The policy.15 file was date stamped March 24, which I
assume was time of packaging. I moved the policy.16 file to /root
leaving only file_contexts and policy.15 in the selinux directory.

When I went to logout gdm got caught in a loop trying to restart over
and over. A three-finger salute took the system down via init6.

After the reboot, the system is AOK. Login with home directory and
enforcement is on.

No scientific analysis was done here. I just "tried something" and it
worked.

Hope this helps.
Phil

Comment 14 J. Scott Farrow 2004-04-03 04:36:05 UTC
I'm still having problems here.  I loaded the updated policy and
rebooted.  Things initially looked fine, but after logging in via gdm
as my normal user, I discovered I couldn't start many processes.  I
logged out, and X11 won't start any more.  I got stuck in the
start-fail-retry loop with X until it gave up.

I ran another fixfiles and rebooted, but no changes.  Still throwing
multiple denied messages like so:

Apr  2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc:  denied
 { read append } for  pid=1668 exe=/usr/bin/gdm-binary
name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file

and

Apr  2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc:  denied
 { write
} for  pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4
ino=32513 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr  2 21:29:52 pontifex gdm[1668]: run_session_child: Could not open
~/.xsession-errors

Probably related, gnome failsafe login session fails to start a
terminal.  A full login works, but unable to start many common apps,
like Mozilla.

Policy and kernel version are:
policy-1.9.2-5
kernel-2.6.4-1.300

- Scott




Comment 15 Leonard den Ottolander 2004-05-11 09:01:45 UTC
Is the issue in comment #14 resolved?