selinux-policy-3.10.0-55.fc16.noarch
use_fusefs_home_dirs --> on

My home folders are fuse-mounted (glusterfs). When logging on, gnome-shell crashes because of this:

    type=AVC msg=audit(1321026450.589:20): avc: denied { read } for pid=1015 comm="dbus-daemon" path="/fileserver/home/mjc/.local/share/icc/edid-d560eef024ea9e585314edae583d0826.icc" dev=fuse ino=24380124 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

audit2allow recommends this:

    allow system_dbusd_t fusefs_t:file read;

If I "setenforce 0", I can log in. A full "audit2allow -a" then gives:

    #============= mount_t ==============
    allow mount_t colord_t:file { read getattr open };
    allow mount_t setroubleshootd_t:file { read getattr open };
    allow mount_t system_dbusd_t:file { read getattr open };
    allow mount_t unconfined_dbusd_t:file { read getattr open };
    allow mount_t unconfined_java_t:file { read getattr open };
    allow mount_t unconfined_t:file { read getattr open };

    #============= system_dbusd_t ==============
    allow system_dbusd_t fusefs_t:file read;

I'll attach the full audit log.

- Mike
Created attachment 533101 [details] audit log
Do you have use_fusefs_home_dirs turned on?

    setsebool -P use_fusefs_home_dirs 1
Yes.

    [root@xena mjc]# getsebool use_fusefs_home_dirs
    use_fusefs_home_dirs --> on
Can you run in permissive mode and gather all the AVCs about fusefs?
Created attachment 533520 [details] log of denied stuff, from logging in this morning

Here's a log of things that selinux denied when logging into gnome-shell this morning, showing the various glusterfs/fusefs issues.
Miroslav, I made changes to mount to handle this in Rawhide. I think we should think about back porting the userdom_home_manager stuff from F17 and cleaning this all up for gluster.
Fixed in selinux-policy-3.10.0-58.fc16. Will backport userdom_home_manager stuff in the next release.
selinux-policy-3.10.0-59.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-59.fc16
Package selinux-policy-3.10.0-60.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-60.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-60.fc16
then log in and leave karma (feedback).
Created attachment 536243 [details] denial log, with selinux-policy-targeted-3.10.0-60.fc16.noarch

I'm still having some issues, even with the updated policy. gnome-shell is still crashing on icc/dbus stuff. Log attached.

selinux-policy-3.10.0-60.fc16.noarch
selinux-policy-targeted-3.10.0-60.fc16.noarch
Package selinux-policy-3.10.0-61.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-61.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-61.fc16
then log in and leave karma (feedback).
I apologize, I added it only for session bus type.
Fixed in selinux-policy-3.10.0-62.fc16
I don't see 3.10.0-62 in koji...
Never mind, it's there now.
And my problems are fixed with 3.10.0-62. Thank you!
selinux-policy-3.10.0-61.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
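
Added example (not part of the bug report, and not audit2allow's own code): a Python sketch of how the AVC record quoted in the original report maps to the rule audit2allow suggested, by extracting the source type, target type, class and permissions and merging denials that share them. The function names and the second sample record are constructed for illustration.

```python
import re

# AVC record quoted in the original report.
REPORTED = ('type=AVC msg=audit(1321026450.589:20): avc: denied { read } for '
            'pid=1015 comm="dbus-daemon" path="/fileserver/home/mjc/.local/share/'
            'icc/edid-d560eef024ea9e585314edae583d0826.icc" dev=fuse ino=24380124 '
            'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:fusefs_t:s0 tclass=file')
# Constructed sample (not from the report): same types, different permission.
CONSTRUCTED = ('type=AVC msg=audit(0.000:1): avc: denied { open } for pid=1 '
               'comm="dbus-daemon" dev=fuse '
               'scontext=system_u:system_r:system_dbusd_t:s0 '
               'tcontext=system_u:object_r:fusefs_t:s0 tclass=file')

DENIAL_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not a usable AVC denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    d['perms'] = m.group(1).split()
    try:
        # Contexts are user:role:type:level; the level may itself contain ':'.
        d['source_type'] = d['scontext'].split(':', 3)[2]
        d['target_type'] = d['tcontext'].split(':', 3)[2]
    except (KeyError, IndexError):
        return None
    return d if d['perms'] and 'tclass' in d else None

def allow_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = {}
    for d in filter(None, map(parse_avc, lines)):
        key = (d['source_type'], d['target_type'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        # The rule names types only: it covers every fusefs_t file, not just this path.
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([REPORTED])))
```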