Bug 432054

Summary: pam_timestamp denial logging in to nfs home dir
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8Keywords: Reopened
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.0.8-102.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-16 03:04:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2008-02-08 16:19:56 UTC 
Description of problem:

We use nfs home dirs (and use_nfs_home_dirs is on).  On login we get:

Feb  8 08:36:37 ranier kernel: audit(1202484997.203:6): avc:  denied  { write }
for  pid=16475 comm="pam_timestamp_c" path="/home/furey/.xsession-errors"
dev=0:1d ino=7989204 scontext=unconfined_u:system_r:pam_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8
Comment 1 Daniel Walsh 2008-02-11 22:23:21 UTC 
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-84.fc8
Comment 2 Orion Poplawski 2008-02-19 19:10:59 UTC 
Indeed fixed for NFS home dirs.

Seeing this with home directories on a laptop and 3.0.8-85.fc8:

Feb 19 11:17:39 cynosure kernel: audit(1203445059.164:9): avc:  denied  { write
} for  pid=2862 comm="pam_timestamp_c"
path="/export/home/orion/.xsession-errors" dev=sda3 ino=6345010
scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file

[root@cynosure ~]# ls -Zd /export/
drwxr-xr-x  root root system_u:object_r:usr_t:s0       /export/
[root@cynosure ~]# ls -Zd /export/home
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /export/home
[root@cynosure ~]# ls -Zd /export/home/orion/
drwxr-xr-x  orion cora unconfined_u:object_r:unconfined_home_dir_t:s0
/export/home/orion/
Comment 3 Daniel Walsh 2008-05-07 18:05:14 UTC 
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8
Comment 4 Orion Poplawski 2008-06-03 17:58:01 UTC 
Appears to be fixed.  Thanks!
Comment 5 Orion Poplawski 2008-06-20 20:01:36 UTC 
Seems to be back, two flavors:

selinux-policy-3.0.8-109.fc8

Jun 20 10:03:51 laplata kernel: type=1400 audit(1213977831.562:3): avc:  denied
 { write } for  pid=2933 comm="pam_timestamp_c"
path="/export/home/alexand/.xsession-errors" dev=sda6 ino=33588206
scontext=unconfined_u:system_r:pam_t:s0
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

Jun 18 10:43:52 makani kernel: type=1400 audit(1213807432.970:4): avc:  denied 
{ ioctl } for  pid=3468 comm="pam_timestamp_c"
path="/home/orion/.xsession-errors" dev=0:1b ino=12310937
scontext=unconfined_u:system_r:pam_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=file
Comment 6 Daniel Walsh 2008-06-22 10:48:20 UTC 
This looks like it is fixed properly in F9.

I will add a fix for f8.

Fixed in selinux-policy-3.0.8-110.fc8
Comment 7 Orion Poplawski 2008-08-18 17:09:37 UTC 
Still seeing:

Aug 11 13:42:19 cynosure kernel: type=1400 audit(1218483739.464:4): avc:  denied  { write } for  pid=2963 comm="pam_timestamp_c" path="/export/home/orion/.xsession-errors" dev=sda3 ino=1768490 scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

on my laptop local home directories with selinux-policy-3.0.8-113.fc8
Comment 8 Daniel Walsh 2008-08-29 16:43:34 UTC 
Fixed in selinux-policy-3.0.8-115.fc8
Comment 9 Orion Poplawski 2008-11-16 03:04:32 UTC 
Confirmed