Bug 119597 - cannot login -- cannot find home directory
Summary: cannot login -- cannot find home directory
Alias: None
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
: 119658 119764 (view as bug list)
Depends On:
Blocks: 122683
TreeView+ depends on / blocked
Reported: 2004-03-31 20:08 UTC by Gene Czarcinski
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-05-11 11:11:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Gene Czarcinski 2004-03-31 20:08:39 UTC
Description of problem:

After applying the latest updates for policy/policy-sources 1.9.1-4
and policycoreutils 1.9-16 from development, I could not login from
gdm (could from a VT).

Reinstalled 1.9.1-2 (policy and policy sources) and 1.9-16
(policycoreutils) and everything works again.

Comment 1 Bill Nottingham 2004-04-01 06:06:22 UTC
*** Bug 119658 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2004-04-01 18:15:20 UTC
Not sure what caused this, but todays policy seems to work

Comment 3 Daniel Walsh 2004-04-01 18:15:35 UTC
Not sure what caused this, but todays policy seems to work

Comment 4 Miloš Komarčević 2004-04-02 00:17:27 UTC
Doesn't work here (policy-1.9.2-1 and policycoreutils-1.9-19) - I
cannot login via gdm at all (neither as root nor normal user: home
directory doesn not exist) unless I turn enforcing off.
I relabeled the filesystem and rebooted after upgrading.

Comment 5 Gene Czarcinski 2004-04-02 06:30:17 UTC
I also updated.  I also have the problem back.

Comment 6 Gene Czarcinski 2004-04-02 09:18:29 UTC
Here are the messages I get when I try to login (from /var/log/messages):

Apr  2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user
czarcing by (uid=0)
Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied 
{ getattr } for  pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing
dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t
tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr  2 04:18:03 hummer gdm[12970]: gdm_slave_session_start: Home
directory for czarcing: '/home/czarcing' does not exist!
Apr  2 04:18:09 hummer gdm(pam_unix)[12970]: session closed for user

Comment 7 Daniel Walsh 2004-04-02 13:38:23 UTC

allow xdm_t $1_home_dir_t:dir { getattr };


under the xdm section,

then type 

make -C /etc/security/selinux/src/policy load

This is fixed in policy-1.9.2-5

Comment 8 Scott Sloan 2004-04-02 14:04:12 UTC
*** Bug 119764 has been marked as a duplicate of this bug. ***

Comment 9 Gene Czarcinski 2004-04-02 14:17:38 UTC
OK, I am still getting something wrong.  I added the "allow" line to
the endof the file and get:

/usr/bin/checkpolicy  -o /etc/security/selinux/policy.16
/usr/bin/checkpolicy:  loading policy configuration from
macros/base_user_macros.te:332:WARNING 'unrecognized character' at
token '$' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
macros/base_user_macros.te:332:ERROR 'syntax error' at token '1' on
line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration

Comment 10 Daniel Walsh 2004-04-02 14:32:43 UTC
You put it in the wrong place. It needs to be with the other xdm stuff.  
Basically this is within a macro so if you look for xdm_t in the file
and put this line after it the $1 will get translated.


Comment 11 Gene Czarcinski 2004-04-02 14:51:02 UTC

I believe I really need to read those papers on SELinux policy so that
I can understand how to fix and/or understand policy related problems

Suggestion ... when suggesting adding something to a file, put your
suggestion into more or less "patch" format so that we (who do not
understand the fine points) can get it right the first time ... you
said add a line so I added it to the end of the file.

Comment 12 Daniel Walsh 2004-04-02 14:59:23 UTC
I will do that.  I am also considering putting updated policy for
people to try on my people page, so you don't have to wait twenty four


Comment 13 Phil Moors 2004-04-02 16:34:40 UTC
Install from CD on 3-31 was okay. I got this same problem after doing
a yum update on 4-1 (about 150 packages). I believe a policy update
was in the mix.

I could only get into the failsafe session as root/staff_r. Had to
newrole -r sysadm_r to run as real root. setfiles /home didn't fix the
problem. Neither did fixfiles relabel (and reboot).

Looking in /etc/security/selinux I found a policy.15 file and a
policy.16 file. The policy.16 file was date stamped as the original
install from CD. The policy.15 file was date stamped March 24, which I
assume was time of packaging. I moved the policy.16 file to /root
leaving only file_contexts and policy.15 in the selinux directory.

When I went to logout gdm got caught in a loop trying to restart over
and over. A three-finger salute took the system down via init6.

After the reboot, the system is AOK. Login with home directory and
enforcement is on.

No scientific analysis was done here. I just "tried something" and it

Hope this helps.

Comment 14 J. Scott Farrow 2004-04-03 04:36:05 UTC
I'm still having problems here.  I loaded the updated policy and
rebooted.  Things initially looked fine, but after logging in via gdm
as my normal user, I discovered I couldn't start many processes.  I
logged out, and X11 won't start any more.  I got stuck in the
start-fail-retry loop with X until it gave up.

I ran another fixfiles and rebooted, but no changes.  Still throwing
multiple denied messages like so:

Apr  2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc:  denied
 { read append } for  pid=1668 exe=/usr/bin/gdm-binary
name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file


Apr  2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc:  denied
 { write
} for  pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4
ino=32513 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr  2 21:29:52 pontifex gdm[1668]: run_session_child: Could not open

Probably related, gnome failsafe login session fails to start a
terminal.  A full login works, but unable to start many common apps,
like Mozilla.

Policy and kernel version are:

- Scott

Comment 15 Leonard den Ottolander 2004-05-11 09:01:45 UTC
Is the issue in comment #14 resolved?

Note You need to log in before you can comment on or make changes to this bug.