Description of problem:

A login from gdm results in an error message stating that my home directory doesn't exist. My home directory is on a kerberized NFSv4 mount. I see the following in /var/log/messages:

Jul 3 10:49:48 pear kernel: audit(1183474187.919:8): avc: denied { getattr } for pid=2984 comm="gdm-binary" name="" dev=0:15 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Jul 3 10:49:48 pear gdmgreeter[3029]: GLib-GObject-WARNING: invalid cast from `GnomeCanvas' to `GtkWindow'
Jul 3 10:49:56 pear kernel: audit(1183474196.419:9): avc: denied { lock } for pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul 3 10:49:56 pear rpc.gssd[2261]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Resource temporarily unavailable
Jul 3 10:49:56 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for user with uid 2815 for server screamer.citi.umich.edu
Jul 3 10:49:56 pear gdm-binary[2984]: WARNING: gdm_slave_session_start: Home directory for bfields: '/home/bfields' does not exist!

After "setenforce permissive", the login succeeds.

Version-Release number of selected component (if applicable):

Latest rawhide as of this (July 3) morning:

$ rpm -qa|grep selinux-policy
selinux-policy-targeted-3.0.1-6.fc8
selinux-policy-3.0.1-6.fc8
setsebool -P use_nfs_home_dirs=1

should fix this.
I logged out, ran "setenforce enforcing", verified that I couldn't log back in, then ran the suggested "setsebool -P use_nfs_home_dirs=1" after which I can indeed log in. However, I soon lose access to the home directory, and have to set the mode back to permissive again to regain access. The logs are full of messages like:

Jul 3 13:51:27 pear kernel: audit(1183485087.360:479): avc: denied { lock } for pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul 3 13:51:27 pear rpc.gssd[2261]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Resource temporarily unavailable
Jul 3 13:51:27 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for user with uid 2815 for server screamer.citi.umich.edu
Should be fixed in selinux-policy-3.0.2-3.fc8
Thanks. I can now log in with selinux turned on, *if* I've previously kinit'd to get kerberos credentials. If not, the login fails. /etc/pam.d/system-auth includes the right "auth sufficient pam-krb5.so use_first_pass" line, so I'm not sure quite what the problem is. In any case, the selinux problem is now fixed, and I see the same behavior with it turned on or off.
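Added example, not part of the original report or of any project's code: a small Python parser that reduces the AVC denials quoted in this thread to (source type, target type, class, permissions, command) tuples, which separates the xdm_t-on-nfs_t denial (addressed by the use_nfs_home_dirs boolean) from the recurring gssd_t-on-unconfined_tmp_t denial that needed the policy update. The function names and the sample log are constructed here from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: log lines quoted in the report above (the gssd denial
# appears twice, once from each comment that quoted it).
SAMPLE_LOG = """\
Jul 3 10:49:48 pear kernel: audit(1183474187.919:8): avc: denied { getattr } for pid=2984 comm="gdm-binary" name="" dev=0:15 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Jul 3 10:49:56 pear kernel: audit(1183474196.419:9): avc: denied { lock } for pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul 3 10:49:56 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for user with uid 2815 for server screamer.citi.umich.edu
Jul 3 13:51:27 pear kernel: audit(1183485087.360:479): avc: denied { lock } for pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    source = selinux_type(fields.get("scontext", ""))
    target = selinux_type(fields.get("tcontext", ""))
    if source is None or target is None:
        return None  # truncated or malformed record
    return {"source": source, "target": target,
            "tclass": fields.get("tclass", ""),
            "perms": tuple(m.group("perms").split()),
            "comm": fields.get("comm", "")}

def summarize(log_text):
    """Count denials grouped by (source, target, class, perms, comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            counts[(d["source"], d["target"], d["tclass"], d["perms"], d["comm"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```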