Bug 744107 - Login failure with nfs home directories
Summary: Login failure with nfs home directories
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-10-07 04:27 UTC by David Highley
Modified: 2011-10-19 04:32 UTC (History)

Fixed In Version: selinux-policy-3.10.0-40.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-16 18:39:55 UTC
Type: ---
Embargoed:



Description David Highley 2011-10-07 04:27:29 UTC
Description of problem:
Logins fail with nfs home directories on fedora 16 beta.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-36.fc16.noarch

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Did not see avc until we disabled autofs and hard mounted nfs home directories. Fix with the following policy:
module mysystem 1.0;

require {
	type nfs_t;
	type system_dbusd_t;
	class file read;
}

#============= system_dbusd_t ==============
allow system_dbusd_t nfs_t:file read;

Comment 1 Miroslav Grepl 2011-10-07 07:12:34 UTC
Could you attach raw AVC message?

Also what does 

# id -Z

# ps -eZ |grep system_dbusd

after login?

Comment 2 David Highley 2011-10-07 23:02:27 UTC
id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

ps -eZ | grep system_dbusd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 1032 ? 00:00:00 dbus-daemon

I hope this is the right AVC message:
time->Tue Oct  4 22:08:43 2011
type=SYSCALL msg=audit(1317791323.773:156): arch=c000003e syscall=47 success=yes exit=414 a0=39 a1=7fff12095900 a2=40000000 a3=0 items=0 ppid=1 pid=1013 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1317791323.773:156): avc:  denied  { read } for  pid=1013 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:26 ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Comment 3 David Highley 2011-10-10 04:02:43 UTC
Retested with the beta fedora 16 release and selinux-policy-targeted-3.10.0-36.fc16.noarch. Still get failed login. The avc's are:


time->Sun Oct  9 20:58:04 2011
type=SYSCALL msg=audit(1318219084.591:297): arch=c000003e syscall=263 success=yes exit=0 a0=d a1=7fff5d0e6c13 a2=0 a3=0 items=0 ppid=1 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1318219084.591:297): avc:  denied  { unlink } for  pid=3350 comm="systemd-logind" name="user" dev=tmpfs ino=37013 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
----
time->Sun Oct  9 20:59:14 2011
type=SYSCALL msg=audit(1318219154.602:353): arch=c000003e syscall=47 success=yes exit=414 a0=18 a1=7fff9c616890 a2=40000000 a3=0 items=0 ppid=1 pid=3412 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318219154.602:353): avc:  denied  { read } for  pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Sun Oct  9 20:59:15 2011
type=SYSCALL msg=audit(1318219155.917:355): arch=c000003e syscall=47 success=yes exit=414 a0=22 a1=7fff9c616890 a2=40000000 a3=0 items=0 ppid=1 pid=3412 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318219155.917:355): avc:  denied  { read } for  pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Comment 4 Miroslav Grepl 2011-10-10 13:14:42 UTC
The first AVC is fixed in -38.fc16 release.

# yum update selinux-policy

The second AVC will be fixed in -39.fc16 release.

Comment 5 Fedora Update System 2011-10-14 16:19:11 UTC
selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16

Comment 6 Fedora Update System 2011-10-15 14:32:51 UTC
Package selinux-policy-3.10.0-40.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14363
then log in and leave karma (feedback).

Comment 7 David Highley 2011-10-16 02:20:01 UTC
Confirmed that selinux-policy-3.10.0-40.fc16 fixes the issue reported.

Comment 8 Fedora Update System 2011-10-19 04:32:28 UTC
selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

