Bug 246633 - logins fail on NFS/krb5 home directory
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-03 15:07 UTC by J. Bruce Fields
Modified: 2007-11-30 22:12 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-07-11 19:22:59 UTC
Description J. Bruce Fields 2007-07-03 15:07:40 UTC
Description of problem:

A login from gdm results in an error message stating that my home directory
doesn't exist.  My home directory is on a kerberized NFSv4 mount.  I see the
following in /var/log/messages:

Jul  3 10:49:48 pear kernel: audit(1183474187.919:8): avc:  denied  { getattr }
for  pid=2984 comm="gdm-binary" name="" dev=0:15 ino=2
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Jul  3 10:49:48 pear gdmgreeter[3029]: GLib-GObject-WARNING: invalid cast from
`GnomeCanvas' to `GtkWindow'
Jul  3 10:49:56 pear kernel: audit(1183474196.419:9): avc:  denied  { lock } for
 pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643
scontext=system_u:system_r:gssd_t:s0
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul  3 10:49:56 pear rpc.gssd[2261]: ERROR: GSS-API: error in
gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more
information - Resource temporarily unavailable 
Jul  3 10:49:56 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for
user with uid 2815 for server screamer.citi.umich.edu 
Jul  3 10:49:56 pear gdm-binary[2984]: WARNING: gdm_slave_session_start: Home
directory for bfields: '/home/bfields' does not exist!

After "setenforce permissive", the login succeeds.

Version-Release number of selected component (if applicable):

Latest rawhide as of this (July 3) morning:
$ rpm -qa|grep selinux-policy
selinux-policy-targeted-3.0.1-6.fc8
selinux-policy-3.0.1-6.fc8

Comment 1 Daniel Walsh 2007-07-03 17:41:28 UTC
setsebool -P use_nfs_home_dirs=1 

Should fix this.

Comment 2 J. Bruce Fields 2007-07-03 17:57:03 UTC
I logged out, ran "setenforce enforcing", verified that I couldn't log back in,
then ran the suggested "setsebool -P use_nfs_home_dirs=1" after which I can
indeed log in.  However, I soon lose access to the home directory, and have to
set the mode back to permissive again to regain access.  The logs are full of
messages like:

Jul  3 13:51:27 pear kernel: audit(1183485087.360:479): avc:  denied  { lock }
for  pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643
scontext=system_u:system_r:gssd_t:s0
tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul  3 13:51:27 pear rpc.gssd[2261]: ERROR: GSS-API: error in
gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more
information - Resource temporarily unavailable 
Jul  3 13:51:27 pear rpc.gssd[2261]: WARNING: Failed to create krb5 context for
user with uid 2815 for server screamer.citi.umich.edu 
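
Added example, not part of the original bug thread: a Python parser that takes the AVC denials quoted in the comments above (re-joined onto single lines) and groups them by source type, target type and object class. It shows that the report contains two distinct denials, xdm_t reading attributes on nfs_t and gssd_t locking the credential cache labeled unconfined_tmp_t, of which the second is the one still logged after the boolean was set. The sample log is constructed from the lines in this report, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: log lines quoted in this report, re-joined onto single
# lines (the bug tracker wrapped them at 80 columns).
SAMPLE_LOG = """\
Jul  3 10:49:48 pear kernel: audit(1183474187.919:8): avc:  denied  { getattr } for  pid=2984 comm="gdm-binary" name="" dev=0:15 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
Jul  3 10:49:48 pear gdmgreeter[3029]: GLib-GObject-WARNING: invalid cast from `GnomeCanvas' to `GtkWindow'
Jul  3 10:49:56 pear kernel: audit(1183474196.419:9): avc:  denied  { lock } for  pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
Jul  3 13:51:27 pear kernel: audit(1183485087.360:479): avc:  denied  { lock } for  pid=2261 comm="rpc.gssd" name="krb5cc_2815" dev=dm-0 ino=16040643 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:unconfined_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field (third component) of a user:role:type[:mls] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denials(log_text):
    """Yield one dict per AVC denial line; non-AVC lines are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= kv.keys():
            continue  # truncated or still-wrapped record: not enough to classify
        yield {"perms": m.group("perms").split(), "comm": kv.get("comm", "?"),
               "source": type_of(kv["scontext"]), "target": type_of(kv["tcontext"]),
               "tclass": kv["tclass"]}

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for d in parse_denials(log_text):
        g = grouped[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["comms"].add(d["comm"])
        g["count"] += 1
    return dict(grouped)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        perms = " ".join(sorted(g["perms"]))
        print(f"{g['count']}x {src} -> {tgt}:{cls} {{ {perms} }} (comm: {', '.join(sorted(g['comms']))})")
```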


Comment 4 Daniel Walsh 2007-07-11 17:20:05 UTC
Should be fixed in selinux-policy-3.0.2-3.fc8

Comment 5 J. Bruce Fields 2007-07-11 18:27:09 UTC
Thanks.  I can now log in with SELinux turned on, *if* I've previously kinit'd
to get Kerberos credentials.  If not, the login fails.  /etc/pam.d/system-auth
includes the right "auth suffficient pam-krb5.so use_first_pass" line, so I'm
not sure quite what the problem is.

In any case, the SELinux problem is now fixed, and I see the same behavior with
it turned on or off.

