Bug 698774

Summary: Can't login with nfs mounted /home when selinux enabled
Product: [Fedora] Fedora
Component: selinux-policy
Version: 15
Status: CLOSED INSUFFICIENT_DATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jussi Eloranta <eloranta>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2011-10-07 14:09:52 UTC

Description Jussi Eloranta 2011-04-21 18:04:06 UTC
Description of problem:

My /home directory is nfs mounted (V3) from a linux server. Everything worked fine on F14 but after a fresh F15 beta install, I got an error message when logging in that it cannot change to my home directory (permission denied) and I was put in / directory. Curiously enough just by entering cd and return, I was in my home directory and I could access all the files normally. After disabling selinux, this problem went away, so there is some issue with nfs mounted home & selinux.

Version-Release number of selected component (if applicable):

Conflict between nfs & selinux.

How reproducible:

Enable selinux and have your /home directory come from an nfs server (V3).

Comment 1 Daniel Walsh 2011-04-21 22:22:45 UTC
What AVCs were you seeing and did you have the use_nfs_home_dirs boolean turned on?

setsebool -P use_nfs_home_dirs 1

Comment 2 Jussi Eloranta 2011-04-21 22:48:58 UTC
No, I did not. I would suggest turning it on by default. When things don't work, people will just stop using selinux (well, those who can figure out that this is the problem...)

Comment 3 Daniel Walsh 2011-04-22 11:45:48 UTC
The problem is this allows a great deal of confined domains to start reading/writing any nfs mounted share. So it is much less secure than for the people who use NFS but not for home dirs.

Were you running setroubleshoot?  It should have put a message in /var/log/messages that told you what was going on.

Comment 4 Jussi Eloranta 2011-04-22 15:43:33 UTC
Yes, there is a message in /var/log/messages:

Apr 21 09:31:44 jme setroubleshoot: SELinux is preventing /bin/login from search access on the directory . For complete SELinux messages. run sealert -l a3be58b6-21f9-4164-9135-2c99bffc4d83

It is not at all obvious what it is trying to say. Could one try to probe for the NFS /home situation somehow and set the use_nfs_home_dirs based on that? Ultimately it would be great to be able to set up NFS shares during install and then the installer could make the appropriate settings for this automatically.

Anyhow, this sort of thing is a deal breaker at least for me (-> selinux disabled permanently).

Comment 5 Daniel Walsh 2011-04-25 13:39:11 UTC
I am asking what this message says.

sealert -l a3be58b6-21f9-4164-9135-2c99bffc4d83
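
Added example, not part of the bug thread and not code from selinux-policy: a read-only check for the case raised in Comments 1 and 4, where a home directory is on NFS but use_nfs_home_dirs is not on. The function names and the sample mount table are constructed for illustration; mount points containing spaces (escaped as \040 in /proc/mounts) are not handled.

```shell
#!/bin/sh
# Added example; function names and the sample mount table are assumptions.

# Constructed /proc/mounts-style sample: /home is served over NFSv3.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
server.example:/export/home /home nfs rw,vers=3,addr=192.0.2.10 0 0
EOF
}

# Print the filesystem type of the mount that holds path $2, reading the
# mount table in file $1. The longest matching mount point wins.
fstype_for_path() {
    awk -v p="$2" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); fs = $3 } }
        END { if (fs != "") print fs }' "$1"
}

# Succeed when path $2 is on an nfs or nfs4 mount.
home_on_nfs() {
    case "$(fstype_for_path "$1" "$2")" in
        nfs|nfs4) return 0 ;;
        *) return 1 ;;
    esac
}

# Print on, off or unknown for use_nfs_home_dirs (unknown when getsebool
# is missing or SELinux is disabled).
nfs_home_bool() {
    state=$(getsebool use_nfs_home_dirs 2>/dev/null | awk '{ print $NF }')
    echo "${state:-unknown}"
}

# Report only: the boolean is never changed here.
check_nfs_home() {
    if ! home_on_nfs "${2:-/proc/mounts}" "$1"; then
        echo "ok: $1 is not on NFS"; return 0
    fi
    state=$(nfs_home_bool)
    [ "$state" = on ] && { echo "ok: $1 on NFS, use_nfs_home_dirs is on"; return 0; }
    echo "warn: $1 on NFS, use_nfs_home_dirs is $state"; return 1
}
```

Calling check_nfs_home "$HOME" on the client reads /proc/mounts by default; the decision to run setsebool stays with the administrator, given the trade-off described in Comment 3.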