Description of problem:
Logins fail with nfs home directories on fedora 16 beta.
Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-36.fc16.noarch
How reproducible:
Every time
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
Did not see avc until we disabled autofs and hard mounted nfs home directories. Fix with the following policy:
    module mysystem 1.0;
    require {
        type nfs_t;
        type system_dbusd_t;
        class file read;
    }
    #============= system_dbusd_t ==============
    allow system_dbusd_t nfs_t:file read;
Could you attach the raw AVC message? Also, what do
    # id -Z
    # ps -eZ | grep system_dbusd
show after login?
id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
ps -eZ | grep system_dbusd
    system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 1032 ? 00:00:00 dbus-daemon
I hope this is the right AVC message:
    time->Tue Oct 4 22:08:43 2011
    type=SYSCALL msg=audit(1317791323.773:156): arch=c000003e syscall=47 success=yes exit=414 a0=39 a1=7fff12095900 a2=40000000 a3=0 items=0 ppid=1 pid=1013 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1317791323.773:156): avc: denied { read } for pid=1013 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:26 ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
Retested with the beta fedora 16 release and selinux-policy-targeted-3.10.0-36.fc16.noarch. Still get failed login. The avc's are:
    time->Sun Oct 9 20:58:04 2011
    type=SYSCALL msg=audit(1318219084.591:297): arch=c000003e syscall=263 success=yes exit=0 a0=d a1=7fff5d0e6c13 a2=0 a3=0 items=0 ppid=1 pid=3350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
    type=AVC msg=audit(1318219084.591:297): avc: denied { unlink } for pid=3350 comm="systemd-logind" name="user" dev=tmpfs ino=37013 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
    ----
    time->Sun Oct 9 20:59:14 2011
    type=SYSCALL msg=audit(1318219154.602:353): arch=c000003e syscall=47 success=yes exit=414 a0=18 a1=7fff9c616890 a2=40000000 a3=0 items=0 ppid=1 pid=3412 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1318219154.602:353): avc: denied { read } for pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
    ----
    time->Sun Oct 9 20:59:15 2011
    type=SYSCALL msg=audit(1318219155.917:355): arch=c000003e syscall=47 success=yes exit=414 a0=22 a1=7fff9c616890 a2=40000000 a3=0 items=0 ppid=1 pid=3412 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1318219155.917:355): avc: denied { read } for pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
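Added example, not part of the original report and not the audit2allow implementation: a small parser that reduces the AVC denials quoted in this comment to the type-enforcement rules they correspond to, merging repeated denials. The names parse_avc and allow_rules are hypothetical; the AVC records in SAMPLE are copied from this report and the SYSCALL line is abridged.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# AVC records copied from the report; the SYSCALL line is abridged (constructed).
SAMPLE = """\
type=AVC msg=audit(1318219084.591:297): avc: denied { unlink } for pid=3350 comm="systemd-logind" name="user" dev=tmpfs ino=37013 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=file
type=SYSCALL msg=audit(1318219154.602:353): arch=c000003e syscall=47 success=yes exit=414 comm="dbus-daemon" exe="/bin/dbus-daemon"
type=AVC msg=audit(1318219154.602:353): avc: denied { read } for pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1318219155.917:355): avc: denied { read } for pid=3412 comm="dbus-daemon" path="/home/dhighley/.local/share/icc/edid-af1112047384956b4aed12065b86eebe.icc" dev=0:2e ino=204046021 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    try:
        # A context is user:role:type[:level]; policy rules use only the type.
        return {
            "perms": m.group("perms").split(),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def allow_rules(log_text):
    """Merge denials by (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["perms"]:
            merged[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

The dbus-daemon rule it prints is the same one the local module in the first comment carries; such a rule covers every file labelled nfs_t, not only the .icc file named in the denial.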
The first AVC is fixed in the -38.fc16 release.
    # yum update selinux-policy
The second AVC will be fixed in the -39.fc16 release.
selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16
Package selinux-policy-3.10.0-40.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-14363 then log in and leave karma (feedback).
Confirmed that selinux-policy-3.10.0-40.fc16 fixes the issue reported.
selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.