Bug 432054 - pam_timestamp denial logging in to nfs home dir
pam_timestamp denial logging in to nfs home dir
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2008-02-08 11:19 EST by Orion Poplawski
Modified: 2008-11-15 22:04 EST (History)
0 users

See Also:
Fixed In Version: 3.0.8-102.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-15 22:04:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2008-02-08 11:19:56 EST
Description of problem:

We use nfs home dirs (and use_nfs_home_dirs is on).  On login we get:

Feb  8 08:36:37 ranier kernel: audit(1202484997.203:6): avc:  denied  { write }
for  pid=16475 comm="pam_timestamp_c" path="/home/furey/.xsession-errors"
dev=0:1d ino=7989204 scontext=unconfined_u:system_r:pam_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

Version-Release number of selected component (if applicable):
Comment 1 Daniel Walsh 2008-02-11 17:23:21 EST
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-84.fc8
Comment 2 Orion Poplawski 2008-02-19 14:10:59 EST
Indeed fixed for NFS home dirs.

Seeing this with home directories on a laptop and 3.0.8-85.fc8:

Feb 19 11:17:39 cynosure kernel: audit(1203445059.164:9): avc:  denied  { write
} for  pid=2862 comm="pam_timestamp_c"
path="/export/home/orion/.xsession-errors" dev=sda3 ino=6345010
tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file

[root@cynosure ~]# ls -Zd /export/
drwxr-xr-x  root root system_u:object_r:usr_t:s0       /export/
[root@cynosure ~]# ls -Zd /export/home
drwxr-xr-x  root root system_u:object_r:home_root_t:s0 /export/home
[root@cynosure ~]# ls -Zd /export/home/orion/
drwxr-xr-x  orion cora unconfined_u:object_r:unconfined_home_dir_t:s0
Comment 3 Daniel Walsh 2008-05-07 14:05:14 EDT
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-102.fc8
Comment 4 Orion Poplawski 2008-06-03 13:58:01 EDT
Appears to be fixed.  Thanks!
Comment 5 Orion Poplawski 2008-06-20 16:01:36 EDT
Seems to be back, two flavors:


Jun 20 10:03:51 laplata kernel: type=1400 audit(1213977831.562:3): avc:  denied
 { write } for  pid=2933 comm="pam_timestamp_c"
path="/export/home/alexand/.xsession-errors" dev=sda6 ino=33588206
tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

Jun 18 10:43:52 makani kernel: type=1400 audit(1213807432.970:4): avc:  denied 
{ ioctl } for  pid=3468 comm="pam_timestamp_c"
path="/home/orion/.xsession-errors" dev=0:1b ino=12310937
scontext=unconfined_u:system_r:pam_t:s0 tcontext=system_u:object_r:nfs_t:s0
Comment 6 Daniel Walsh 2008-06-22 06:48:20 EDT
This looks like it is fixed properly in F9.

I will add a fix for f8.

Fixed in selinux-policy-3.0.8-110.fc8
Comment 7 Orion Poplawski 2008-08-18 13:09:37 EDT
Still seeing:

Aug 11 13:42:19 cynosure kernel: type=1400 audit(1218483739.464:4): avc:  denied  { write } for  pid=2963 comm="pam_timestamp_c" path="/export/home/orion/.xsession-errors" dev=sda3 ino=1768490 scontext=unconfined_u:system_r:pam_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_t:s0 tclass=file

on my laptop local home directories with selinux-policy-3.0.8-113.fc8
Comment 8 Daniel Walsh 2008-08-29 12:43:34 EDT
Fixed in selinux-policy-3.0.8-115.fc8
Comment 9 Orion Poplawski 2008-11-15 22:04:32 EST

Note You need to log in before you can comment on or make changes to this bug.