Bug 246633 - logins fail on NFS/krb5 home directory
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
rawhide
All Linux
low Severity low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2007-07-03 11:07 EDT by J. Bruce Fields
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-07-11 15:22:59 EDT
Description J. Bruce Fields 2007-07-03 11:07:40 EDT
Description of problem:

A login from gdm results in an error message stating that my home directory
doesn't exist.  My home directory is on a kerberized NFSv4 mount.  I see the
following in /var/log/messages:

Jul  3 10:49:48 pear kernel: audit(1183474187.919:8): avc:  denied  { getattr }
for  pid=2984 comm="gdm-binary" name="" dev=0:15 ino=2
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Jul  3 10:49:48 pear gdmgreeter[3029]: GLib-GObject-WARNING: invalid cast from
`GnomeCanvas' to `GtkWindow'
Jul  3 10:49:56 pear kernel: audit(1183474196.419:9): avc:  denied  { lock } for
 pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643
scontext=system_u:system_r:gssd_t:s0
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul  3 10:49:56 pear rpc.gssd[2261]: ERROR: GSS-API: error in
gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more
information - Resource temporarily unavailable 
Jul  3 10:49:56 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for
user with uid 2815 for server screamer.citi.umich.edu 
Jul  3 10:49:56 pear gdm-binary[2984]: WARNING: gdm_slave_session_start: Home
directory for bfields: '/home/bfields' does not exist!

After "setenforce permissive", the login succeeds.

Version-Release number of selected component (if applicable):

Latest rawhide as of this (July 3) morning:
$ rpm -qa|grep selinux-policy
selinux-policy-targeted-3.0.1-6.fc8
selinux-policy-3.0.1-6.fc8
Comment 1 Daniel Walsh 2007-07-03 13:41:28 EDT
setsebool -P use_nfs_home_dirs=1 

Should fix this.
Comment 2 J. Bruce Fields 2007-07-03 13:57:03 EDT
I logged out, ran "setenforce enforcing", verified that I couldn't log back in,
then ran the suggested "setsebool -P use_nfs_home_dirs=1" after which I can
indeed log in.  However, I soon lose access to the home directory, and have to
set the mode back to permissive again to regain access.  The logs are full of
messages like:

Jul  3 13:51:27 pear kernel: audit(1183485087.360:479): avc:  denied  { lock }
for  pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643
scontext=system_u:system_r:gssd_t:s0
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul  3 13:51:27 pear rpc.gssd[2261]: ERROR: GSS-API: error in
gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more
information - Resource temporarily unavailable 
Jul  3 13:51:27 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for
user with uid 2815 for server screamer.citi.umich.edu 
Comment 4 Daniel Walsh 2007-07-11 13:20:05 EDT
Should be fixed in selinux-policy-3.0.2-3.fc8
Comment 5 J. Bruce Fields 2007-07-11 14:27:09 EDT
Thanks.  I can now log in with selinux turned on, *if* I've previously kinit'd
to get kerberos credentials.  If not, the login fails.  /etc/pam.d/system-auth
includes the right "auth sufficient pam-krb5.so use_first_pass" line, so I'm
not sure quite what the problem is.

In any case, the selinux problem is now fixed, and I see the same behavior with
it turned on or off.
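
Added example, not part of the bug report or of selinux-policy: a small parser that rejoins the hard-wrapped syslog lines quoted in the description and in comment 2 and groups the AVC denials by process, source type, target type, class and permission. It makes visible that the report contains two separate denials: gdm-binary (xdm_t) on the nfs_t directory, and rpc.gssd (gssd_t) locking the krb5cc_2815 credential cache labelled unconfined_tmp_t. The names SAMPLE, records and summarize are chosen for this example.

```python
import re
from collections import Counter
# Log lines quoted in this report (hard line wraps kept as posted).
SAMPLE = """\
Jul  3 10:49:48 pear kernel: audit(1183474187.919:8): avc:  denied  { getattr }
for  pid=2984 comm="gdm-binary" name="" dev=0:15 ino=2
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Jul  3 10:49:56 pear kernel: audit(1183474196.419:9): avc:  denied  { lock } for
 pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643
scontext=system_u:system_r:gssd_t:s0
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul  3 10:49:56 pear gdm-binary[2984]: WARNING: gdm_slave_session_start: Home
directory for bfields: '/home/bfields' does not exist!
Jul  3 13:51:27 pear kernel: audit(1183485087.360:479): avc:  denied  { lock }
for  pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643
scontext=system_u:system_r:gssd_t:s0
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AVC = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r".*?scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\w+)"
)

def records(text):
    """Rejoin wrapped lines; a syslog timestamp starts a new record."""
    out = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for m in filter(None, map(AVC.search, records(text))):
        # An SELinux context is user:role:type[:level]; field 2 is the type.
        stype, ttype = m["s"].split(":")[2], m["t"].split(":")[2]
        for perm in m["perms"].split():
            counts[(m["comm"], stype, ttype, m["cls"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```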
