Bug 1000698 - SELinux is preventing /usr/bin/login from 'search' accesses on the directory mate.
Product: Fedora
Classification: Fedora
Component: selinux-policy
i686 Unspecified
unspecified Severity unspecified
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
Depends On:
Reported: 2013-08-24 07:17 EDT by Máté Eckl
Modified: 2013-09-01 14:43 EDT

Doc Type: Bug Fix
Last Closed: 2013-08-28 13:50:55 EDT

Description Máté Eckl 2013-08-24 07:17:13 EDT
Description of problem:
Before installing Fedora I had openSUSE 12.3 installed with a separate home partition. During the install process I formatted the partition containing the openSUSE, set the former home partition to fedora and put a tick in the box that asks me whether I would like to encrypt my partition (it was not encrypted before, I did not format it, and I am not sure if it was successful because after leaving that "tab" the tick was always disappearing).
After the successful installation I could hardly log in because the login manager did not seem to have permission to search my home folder. I used SELinux to solve this problem and I can use it properly by now but SELinux still claims that there is a problem. However, it still takes quite a long time (more than 30 seconds) to log in with LXDE. I do not think this is a hardware problem, because for openSUSE I used KDE4 and that worked well.
Now if I run "ls -lZ /home" it returns this:
drwxr-xr-x. polkitd users system_u:object_r:file_t:s0      linux~
drwx------. root    root  system_u:object_r:lost_found_t:s0 lost+found
drwxr-xr-x. mate    mate  system_u:object_r:user_home_dir_t:s0 mate
SELinux is preventing /usr/bin/login from 'search' accesses on the directory mate.

*****  Plugin file (36.8 confidence) suggests  *******************************

If úgy gondolja hogy ezt az okozta hogy rosszul cimkézett a gépe.
Then teljesen újra kell cimkéznie
touch /.autorelabel; reboot

*****  Plugin file (36.8 confidence) suggests  *******************************

If úgy gondolja hogy ezt az okozta hogy rosszul cimkézett a gépe.
Then teljesen újra kell cimkéznie
touch /.autorelabel; reboot

*****  Plugin catchall_labels (23.2 confidence) suggests  ********************

If you want to allow login to have search access on the mate directory
Then meg kell hogy változtassa a cimkét itt: mate
# semanage fcontext -a -t FILE_TYPE 'mate'
ahol FILE_TYPE egy a következőkből: NetworkManager_etc_rw_t, NetworkManager_etc_t, abrt_etc_t, abrt_var_run_t, admin_home_t, aiccu_etc_t, alsa_etc_rw_t, alsa_home_t, antivirus_conf_t, asterisk_etc_t, audio_home_t, auth_cache_t, auth_home_t, autofs_t, avahi_var_run_t, bin_t, bitlbee_conf_t, bluetooth_conf_t, boot_t, bootloader_etc_t, cache_home_t, cert_t, cgconfig_etc_t, cgroup_t, cgrules_etc_t, chrome_sandbox_home_t, cluster_conf_t, cobbler_etc_t, config_home_t, couchdb_conf_t, courier_etc_t, cpu_online_t, cpucontrol_conf_t, crack_db_t, cupsd_etc_t, cupsd_rw_etc_t, data_home_t, dbus_home_t, dbusd_etc_t, ddclient_etc_t, default_context_t, default_t, device_t, devpts_t, dhcp_etc_t, dictd_etc_t, dnsmasq_etc_t, dovecot_etc_t, ecryptfs_t, etc_mail_t, etc_runtime_t, etc_t, exports_t, faillog_t, fetchmail_etc_t, fetchmail_home_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firstboot_etc_t, ftpd_etc_t, gconf_etc_t, gconf_home_t, getty_etc_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gpm_conf_t, gstreamer_home_t, hddtemp_etc_t, home_bin_t, home_cert_t, home_root_t, hostname_etc_t, httpd_config_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, init_var_run_t, innd_etc_t, irc_conf_t, irc_home_t, irc_tmp_t, irssi_etc_t, irssi_home_t, kdump_etc_t, kismet_home_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_conf_t, l2tp_conf_t, lib_t, likewise_etc_t, likewise_var_lib_t, lircd_etc_t, local_login_home_t, locale_t, lvm_etc_t, machineid_t, mail_home_rw_t, mail_home_t, mail_spool_t, man_cache_t, man_t, mandb_cache_t, mandb_home_t, mcelog_etc_t, mnt_t, mock_etc_t, modules_conf_t, mozilla_conf_t, mozilla_home_t, mpd_etc_t, mpd_user_data_t, mplayer_etc_t, mplayer_home_t, mrtg_etc_t, mscan_etc_t, munin_etc_t, mysqld_etc_t, mysqld_home_t, nagios_etc_t, named_conf_t, net_conf_t, nrpe_etc_t, nscd_var_run_t, nslcd_conf_t, nslcd_var_run_t, 
ntop_etc_t, ntp_conf_t, nut_conf_t, openct_var_run_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t, openvswitch_rw_t, pads_config_t, pam_var_console_t, pam_var_run_t, pcscd_var_run_t, pegasus_conf_t, pingd_etc_t, piranha_etc_rw_t, piranha_web_conf_t, polipo_cache_home_t, polipo_config_home_t, polipo_etc_t, portreserve_etc_t, postfix_etc_t, postgresql_etc_t, postgrey_etc_t, pppd_etc_t, prelude_correlator_config_t, printconf_t, proc_t, procmail_home_t, psad_etc_t, ptal_etc_t, pulseaudio_home_t, puppet_etc_t, qmail_etc_t, radiusd_etc_t, radvd_etc_t, readable_t, rlogind_home_t, root_t, rpm_log_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, rsync_etc_t, samba_etc_t, samba_var_t, screen_home_t, security_t, selinux_config_t, selinux_login_config_t, setrans_var_run_t, shell_exec_t, shorewall_etc_t, slapd_etc_t, smbd_var_run_t, snort_etc_t, sosreport_tmp_t, soundd_etc_t, spamc_home_t, spamd_etc_t, squid_conf_t, src_t, ssh_home_t, sssd_conf_t, sssd_public_t, sssd_var_lib_t, stunnel_etc_t, svc_conf_t, svirt_home_t, sysctl_t, sysfs_t, syslog_conf_t, syslogd_var_run_t, system_conf_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, textrel_shlib_t, tftpd_etc_t, thumb_home_t, tmp_t, tmpfs_t, tor_etc_t, tuned_etc_t, tuned_rw_etc_t, tvtime_home_t, udev_etc_t, ulogd_etc_t, uml_ro_t, uml_rw_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, user_tmpfs_t, userhelper_conf_t, usr_t, var_auth_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, var_t, varnishd_etc_t, virt_content_t, virt_etc_t, virt_home_t, vmware_conf_t, vmware_file_t, vmware_sys_conf_t, webalizer_etc_t, winbind_var_run_t, 
wine_home_t, wireshark_home_t, xauth_home_t, xdm_etc_t, xdm_home_t, xdm_rw_etc_t, xdm_tmp_t, xserver_etc_t, ypserv_conf_t, zarafa_etc_t, zebra_conf_t. 
Ez után adja ki ezt: 
restorecon -v 'mate'

*****  Plugin catchall (5.04 confidence) suggests  ***************************

If ha úgy érzi, hogy login számára engedélyezni kell search hozzáférést itt: mate directory alapértelmezésben.
Then ezt jelentenie kell, mint hibát.
Hogy engedélyezze ezt a hozzáférést előállíthat egy helyi szabálymodult.
engedélyezheti ezt a hozzáférést most ezzel:
# grep login /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                mate [ dir ]
Source                        login
Source Path                   /usr/bin/login
Port                          <Ismeretlen>
Host                          (removed)
Source RPM Packages           util-linux-2.23.2-2.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-71.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.i686 #1 SMP Wed
                              Aug 21 20:48:34 UTC 2013 i686 i686
Alert Count                   8
First Seen                    2013-08-24 10:10:01 CEST
Last Seen                     2013-08-24 11:28:48 CEST
Local ID                      d090da4c-acc9-4564-a4fd-4fb292e0ec6d

Raw Audit Messages
type=AVC msg=audit(1377336528.207:435): avc:  denied  { search } for  pid=899 comm="login" name="mate" dev="sda5" ino=4947969 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

type=SYSCALL msg=audit(1377336528.207:435): arch=i386 syscall=chdir success=no exit=EACCES a0=8f570ab a1=2 a2=bfc90b00 a3=bfc90b8c items=0 ppid=828 pid=899 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=tty2 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: login,local_login_t,file_t,dir,search

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.i686
type:           libreport

Potential duplicate: bug 700794
Comment 1 Lukas Vrabec 2013-08-27 06:50:23 EDT
Hi Mate,

try this: "touch /.autorelabel; reboot" 
but remember it may take a while
Comment 2 Daniel Walsh 2013-08-28 13:50:55 EDT
The alert told you what to do.
Comment 3 Máté Eckl 2013-09-01 14:43:24 EDT
Autorelabel worked. I tried this before choosing another way but then it didn't work. Maybe the order was wrong.
Thank you.
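
Added example, not part of the original bug report or of setroubleshoot: a small triage helper that parses the AVC record quoted in the description and separates denials whose target is typed `file_t` (the case the alert's top-ranked plugin attributes to mislabeling, fixed here by the autorelabel) from denials against a properly labeled object. The function names, the `UNLABELED_TYPES` heuristic and the second audit record are assumptions constructed for illustration.

```python
import re

# AVC record copied from the bug description on this page.
PAGE_AVC = ('type=AVC msg=audit(1377336528.207:435): avc:  denied  { search } for  '
            'pid=899 comm="login" name="mate" dev="sda5" ino=4947969 '
            'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:file_t:s0 tclass=dir')
# Constructed record (not from the page): the target carries a real label.
CONSTRUCTED_AVC = ('type=AVC msg=audit(1377336600.100:500): avc:  denied  { read } for  '
                   'pid=1200 comm="httpd" name="mate" dev="sda5" ino=4947969 '
                   'scontext=system_u:system_r:httpd_t:s0 '
                   'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir')

# Assumption of this example: these target types mean the object lacks a valid label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def context_type(context):
    """Return the type field of user:role:type:level (the level may contain ':')."""
    return context.split(":", 3)[2]

def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    if not line.startswith("type=AVC") or "denied" not in line:
        return None
    perms = re.search(r"\{([^}]*)\}", line)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "perms": perms.group(1).split() if perms else [],
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }

def triage(record):
    """'relabel' when the target is unlabeled, otherwise 'review' the policy question."""
    return "relabel" if record["target_type"] in UNLABELED_TYPES else "review"

if __name__ == "__main__":
    for line in (PAGE_AVC, CONSTRUCTED_AVC):
        rec = parse_avc(line)
        print(rec["comm"], rec["perms"], rec["target_type"], "->", triage(rec))
```

A "relabel" result points at `restorecon` or a full autorelabel, as in this bug; a "review" result is the case where generating a local module with `audit2allow` would widen policy and deserves a closer look first.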
