Bug 119597 - cannot login -- cannot find home directory
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Duplicates: 119658 119764
Blocks: 122683
Reported: 2004-03-31 15:08 EST by Gene Czarcinski
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-05-11 07:11:33 EDT
Description Gene Czarcinski 2004-03-31 15:08:39 EST
Description of problem:

After applying the latest updates for policy/policy-sources 1.9.1-4
and policycoreutils 1.9-16 from development, I could not login from
gdm (could from a VT).

Reinstalled 1.9.1-2 (policy and policy sources) and 1.9-16
(policycoreutils) and everything works again.
Comment 1 Bill Nottingham 2004-04-01 01:06:22 EST
*** Bug 119658 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2004-04-01 13:15:20 EST
Not sure what caused this, but today's policy seems to work
1.9.2-1
Comment 3 Daniel Walsh 2004-04-01 13:15:35 EST
Not sure what caused this, but today's policy seems to work
1.9.2-1
Comment 4 Miloš Komarčević 2004-04-01 19:17:27 EST
Doesn't work here (policy-1.9.2-1 and policycoreutils-1.9-19) - I
cannot login via gdm at all (neither as root nor normal user: home
directory does not exist) unless I turn enforcing off.
I relabeled the filesystem and rebooted after upgrading.
Comment 5 Gene Czarcinski 2004-04-02 01:30:17 EST
I also updated.  I also have the problem back.
Comment 6 Gene Czarcinski 2004-04-02 04:18:29 EST
Here are the messages I get when I try to login (from /var/log/messages):

Apr  2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user
czarcing by (uid=0)
Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied 
{ getattr } for  pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing
dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t
tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr  2 04:18:03 hummer gdm[12970]: gdm_slave_session_start: Home
directory for czarcing: '/home/czarcing' does not exist!
Apr  2 04:18:09 hummer gdm(pam_unix)[12970]: session closed for user
czarcing
Comment 7 Daniel Walsh 2004-04-02 08:38:23 EST
add

allow xdm_t $1_home_dir_t:dir { getattr };

to 

/etc/security/selinux/src/policy/macros/base_user_macros.te
under the xdm section,

then type 

make -C /etc/security/selinux/src/policy load

This is fixed in policy-1.9.2-5

Comment 8 Scott Sloan 2004-04-02 09:04:12 EST
*** Bug 119764 has been marked as a duplicate of this bug. ***
Comment 9 Gene Czarcinski 2004-04-02 09:17:38 EST
OK, I am still getting something wrong.  I added the "allow" line to
the end of the file and get:

/usr/bin/checkpolicy  -o /etc/security/selinux/policy.16
/etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy:  loading policy configuration from
/etc/security/selinux/src/policy.conf
macros/base_user_macros.te:332:WARNING 'unrecognized character' at
token '$' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
  
macros/base_user_macros.te:332:ERROR 'syntax error' at token '1' on
line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
  
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
Comment 10 Daniel Walsh 2004-04-02 09:32:43 EST
You put it in the wrong place. It needs to be with the other xdm stuff.  
Basically this is within a macro so if you look for xdm_t in the file
and put this line after it the $1 will get translated.

Dan
Comment 11 Gene Czarcinski 2004-04-02 09:51:02 EST
Success!

I believe I really need to read those papers on SELinux policy so that
I can understand how to fix and/or understand policy related problems
better.

Suggestion ... when suggesting adding something to a file, put your
suggestion into more or less "patch" format so that we (who do not
understand the fine points) can get it right the first time ... you
said add a line so I added it to the end of the file.
Comment 12 Daniel Walsh 2004-04-02 09:59:23 EST
I will do that.  I am also considering putting updated policy for
people to try on my people page, so you don't have to wait twenty four
hours.

Dan
Comment 13 Phil Moors 2004-04-02 11:34:40 EST
Install from CD on 3-31 was okay. I got this same problem after doing
a yum update on 4-1 (about 150 packages). I believe a policy update
was in the mix.

I could only get into the failsafe session as root/staff_r. Had to
newrole -r sysadm_r to run as real root. setfiles /home didn't fix the
problem. Neither did fixfiles relabel (and reboot).

Looking in /etc/security/selinux I found a policy.15 file and a
policy.16 file. The policy.16 file was date stamped as the original
install from CD. The policy.15 file was date stamped March 24, which I
assume was time of packaging. I moved the policy.16 file to /root
leaving only file_contexts and policy.15 in the selinux directory.

When I went to logout gdm got caught in a loop trying to restart over
and over. A three-finger salute took the system down via init6.

After the reboot, the system is AOK. Login with home directory and
enforcement is on.

No scientific analysis was done here. I just "tried something" and it
worked.

Hope this helps.
Phil
Comment 14 J. Scott Farrow 2004-04-02 23:36:05 EST
I'm still having problems here.  I loaded the updated policy and
rebooted.  Things initially looked fine, but after logging in via gdm
as my normal user, I discovered I couldn't start many processes.  I
logged out, and X11 won't start any more.  I got stuck in the
start-fail-retry loop with X until it gave up.

I ran another fixfiles and rebooted, but no changes.  Still throwing
multiple denied messages like so:

Apr  2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc:  denied
 { read append } for  pid=1668 exe=/usr/bin/gdm-binary
name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_xauth_t tclass=file

and

Apr  2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc:  denied
 { write } for  pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4
ino=32513 scontext=system_u:system_r:xdm_t
tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr  2 21:29:52 pontifex gdm[1668]: run_session_child: Could not open
~/.xsession-errors

Probably related, gnome failsafe login session fails to start a
terminal.  A full login works, but unable to start many common apps,
like Mozilla.

Policy and kernel version are:
policy-1.9.2-5
kernel-2.6.4-1.300

- Scott
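
Added example (not part of the original thread, and not the policy project's own tooling): a short Python sketch that turns the AVC denials quoted in comments 6 and 14 into candidate allow rules, which is the manual step behind the fix in comment 7. The function names are hypothetical; the log records are the ones above with the line wrapping undone.

```python
import re
from collections import defaultdict

# AVC records from comments 6 and 14, Bugzilla line wrapping undone; the
# pam_unix line is included to show that non-AVC lines are skipped.
SAMPLE_LOG = [
    "Apr  2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user czarcing by (uid=0)",
    "Apr  2 04:18:03 hummer kernel: audit(1080897483.768:0): avc:  denied  { getattr } for  "
    "pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing dev=hda10 ino=1209338 "
    "scontext=system_u:system_r:xdm_t tcontext=czarcing:object_r:staff_home_dir_t tclass=dir",
    "Apr  2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc:  denied  { read append } for  "
    "pid=1668 exe=/usr/bin/gdm-binary name=.Xauthority dev=hde4 ino=357693 "
    "scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_xauth_t tclass=file",
    "Apr  2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc:  denied  { write } for  "
    "pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4 ino=32513 "
    "scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_dir_t tclass=dir",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_denial(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type; an allow rule names only the type.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return src, tgt, tclass, set(m.group("perms").split())


def candidate_rules(lines):
    """Merge denials per (source, target, class) and emit one rule for each."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_denial(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            merged[(src, tgt, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

The first rule it prints is the line from comment 7 with $1 read as staff. The other two come from the comment 14 denials and are candidates to review against what xdm_t should be permitted to do in a home directory, not rules to load as generated.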


Comment 15 Leonard den Ottolander 2004-05-11 05:01:45 EDT
Is the issue in comment #14 resolved?
