| Summary: | SELinux is preventing /bin/login from 'search' accesses on the directory /home/jayson. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jayson Reis <jaysonsantos2003> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:b23b9389f7fd345f30a7e9775c2513bc8426a048eb8578d8076fb26a8f369a36 | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2011-04-29 13:53:23 UTC | Type: | --- |

I don't know if this is related, however I'm using ecryptfs and it is not being mounted at login time.

Did you try to do what the Plugin suggests? Also you can look at http://danwalsh.livejournal.com/42768.html

I did, however I thought that was a bug. Thank you for the link.

```
SELinux is preventing /bin/login from 'search' accesses on the directory /home/jayson.

***** Plugin restorecon (82.4 confidence) suggests *************************

If you want to fix the label.
/home/jayson default label should be user_home_dir_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/jayson

***** Plugin file (7.05 confidence) suggests *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

***** Plugin file (7.05 confidence) suggests *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

***** Plugin catchall_labels (4.59 confidence) suggests ********************

If you want to allow login to have search access on the jayson directory
Then you need to change the label on /home/jayson
Do
# semanage fcontext -a -t FILE_TYPE '/home/jayson'
where FILE_TYPE is one of the following: likewise_var_lib_t, textrel_shlib_t, crack_db_t, ssh_home_t, user_tmp_t, krb5_conf_t, readable_t, auth_cache_t, rpm_script_tmp_t, security_t, security_t, var_spool_t, default_t, sosreport_tmp_t, proc_afs_t, rpm_tmp_t, dbusd_etc_t, var_lib_t, var_run_t, var_run_t, user_home_t, xdm_tmp_t, user_home_type, configfile, domain, faillog_t, rpm_log_t, var_log_t, var_log_t, local_login_t, samba_var_t, avahi_var_run_t, pam_var_run_t, net_conf_t, sysctl_kernel_t, openct_var_run_t, home_root_t, abrt_var_run_t, init_var_run_t, nscd_var_run_t, nslcd_var_run_t, pcscd_var_run_t, sssd_var_lib_t, sysctl_crypto_t, pam_var_console_t, setrans_var_run_t, admin_home_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, local_login_tmp_t, cgroup_t, var_lock_t, selinux_config_t, sysctl_t, sysctl_t, abrt_t, bin_t, bin_t, cert_t, lib_t, mnt_t, mnt_t, root_t, tmp_t, tmp_t, user_home_dir_t, usr_t, usr_t, var_t, var_t, default_context_t, winbind_var_run_t, mail_spool_t, autofs_t, device_t, device_t, sssd_public_t, locale_t, var_auth_t, etc_t, etc_t, proc_t, proc_t, sysfs_t, tmpfs_t, bin_t, security_t, var_lib_t, var_run_t, var_run_t, var_run_t, net_conf_t, file_context_t, dirsrv_var_run_t, nscd_var_run_t, pcscd_var_run_t, slapd_var_run_t, selinux_config_t, cert_t, tmp_t, var_t, var_t, var_t, default_context_t, device_t, device_t, etc_t, etc_t.
Then execute:
restorecon -v '/home/jayson'

***** Plugin catchall (1.31 confidence) suggests ***************************

If you believe that login should be allowed search access on the jayson directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                /home/jayson [ dir ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-2.19-4.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.3-18.fc15.x86_64 #1 SMP Fri Apr 22 13:24:23 UTC 2011 x86_64 x86_64
Alert Count                   7
First Seen                    Fri 29 Apr 2011 09:13:38 AM BRT
Last Seen                     Fri 29 Apr 2011 09:13:39 AM BRT
Local ID                      bc1fafc1-eff0-4b2d-83bc-309af2178abc

Raw Audit Messages
type=AVC msg=audit(1304079219.465:75): avc: denied { search } for pid=2125 comm="login" name="jayson" dev=sda6 ino=13893633 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

type=SYSCALL msg=audit(1304079219.465:75): arch=x86_64 syscall=chdir success=no exit=EACCES a0=16254e0 a1=6058e0 a2=0 a3=0 items=0 ppid=1587 pid=2125 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty2 ses=2 comm=login exe=/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,file_t,dir,search

audit2allow

#============= local_login_t ==============
allow local_login_t file_t:dir search;

audit2allow -R

#============= local_login_t ==============
allow local_login_t file_t:dir search;
```