Bug 744107

Summary: Login failure with nfs home directories
Product: [Fedora] Fedora
Reporter: David Highley <david.m.highley>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: high
Priority: unspecified
Version: 16
CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: selinux-policy-3.10.0-40.fc16
Doc Type: Bug Fix
Last Closed: 2011-10-16 18:39:55 UTC

Description David Highley 2011-10-07 04:27:29 UTC
Description of problem:
Logins fail with NFS home directories on Fedora 16 beta.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-36.fc16.noarch

How reproducible:
Every time

Additional info:
Did not see AVC until we disabled autofs and hard-mounted NFS home directories. Fix with the following policy:
module mysystem 1.0;

require {
	type nfs_t;
	type system_dbusd_t;
	class file read;
}

#============= system_dbusd_t ==============
allow system_dbusd_t nfs_t:file read;

Comment 1 Miroslav Grepl 2011-10-07 07:12:34 UTC
Could you attach the raw AVC message?

Also, what do

# id -Z

# ps -eZ |grep system_dbusd

show after login?

Comment 2 David Highley 2011-10-07 23:02:27 UTC
id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

ps -eZ | grep system_dbusd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 1032 ? 00:00:00 dbus-daemon

I hope this is the right AVC message:
time->Tue Oct  4 22:08:43 2011
type=SYSCALL msg=audit(1317791323.773:156): arch=c000003e syscall=47 success=yes exit=414 a0=39 a1=7fff12095900 a2=40000000 a3=0 items=0 ppid=1 pid=1013 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1317791323.773:156): avc:  denied  { read } for  pid=1013 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:26 ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Comment 3 David Highley 2011-10-10 04:02:43 UTC
Retested with the beta Fedora 16 release and selinux-policy-targeted-3.10.0-36.fc16.noarch. Still get failed login. The AVCs are:


time->Sun Oct  9 20:58:04 2011
type=SYSCALL msg=audit(1318219084.591:297): arch=c000003e syscall=263 success=yes exit=0 a0=d a1=7fff5d0e6c13 a2=0 a3=0 items=0 ppid=1 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1318219084.591:297): avc:  denied  { unlink } for  pid=3350 comm="systemd-logind" name="user" dev=tmpfs ino=37013 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
----
time->Sun Oct  9 20:59:14 2011
type=SYSCALL msg=audit(1318219154.602:353): arch=c000003e syscall=47 success=yes exit=414 a0=18 a1=7fff9c616890 a2=40000000 a3=0 items=0 ppid=1 pid=3412 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318219154.602:353): avc:  denied  { read } for  pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Sun Oct  9 20:59:15 2011
type=SYSCALL msg=audit(1318219155.917:355): arch=c000003e syscall=47 success=yes exit=414 a0=22 a1=7fff9c616890 a2=40000000 a3=0 items=0 ppid=1 pid=3412 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318219155.917:355): avc:  denied  { read } for  pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
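
Added example (not part of the original bug report or of selinux-policy): a small Python parser that reduces the AVC records posted in Comments 2 and 3 to type-enforcement allow rules, the same reduction that produces the reporter's local module. The function names are hypothetical; the sample input is the AVC lines copied from the comments above.

```python
import re
from collections import defaultdict

# AVC records copied from Comments 2 and 3 above (ausearch-style output).
SAMPLE = """\
type=AVC msg=audit(1317791323.773:156): avc:  denied  { read } for  pid=1013 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:26 ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Sun Oct  9 20:58:04 2011
type=AVC msg=audit(1318219084.591:297): avc:  denied  { unlink } for  pid=3350 comm="systemd-logind" name="user" dev=tmpfs ino=37013 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
----
type=AVC msg=audit(1318219154.602:353): avc:  denied  { read } for  pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms, comm) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue  # skip SYSCALL records, separators and timestamps
        # The rest of the record is key=value pairs; values may be quoted.
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
        yield (type_of(fields["scontext"]), type_of(fields["tcontext"]),
               fields["tclass"], m.group(1).split(), fields["comm"].strip('"'))

def allow_rules(text):
    """Merge repeated denials into one rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms, _comm in parse_denials(text):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
```

The first rule it prints is the one in the reporter's local module. That rule covers every file labelled nfs_t, not only the .icc profile named in the denial.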

Comment 4 Miroslav Grepl 2011-10-10 13:14:42 UTC
The first AVC is fixed in the -38.fc16 release.

# yum update selinux-policy

The second AVC will be fixed in the -39.fc16 release.

Comment 5 Fedora Update System 2011-10-14 16:19:11 UTC
selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16

Comment 6 Fedora Update System 2011-10-15 14:32:51 UTC
Package selinux-policy-3.10.0-40.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14363
then log in and leave karma (feedback).

Comment 7 David Highley 2011-10-16 02:20:01 UTC
Confirmed that selinux-policy-3.10.0-40.fc16 fixes the issue reported.

Comment 8 Fedora Update System 2011-10-19 04:32:28 UTC
selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.