In order to satisfy http://fedoraproject.org/wiki/Features/KRB5CacheMove, as noted in bug #833026, I had to teach pam_krb5 to create /run/user/$UID, when needed, before pam_systemd is called and can tell systemd to do it. Currently, the additional permissions needed appear to be:

time->Wed Sep 12 21:45:38 2012
type=SYSCALL msg=audit(1347500738.908:120): arch=c000003e syscall=83 success=no exit=-13 a0=7fff5f6f16e0 a1=1c0 a2=9d4 a3=65726373662f7274 items=0 ppid=1 pid=15374 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347500738.908:120): avc: denied { create } for pid=15374 comm="login" name="2510" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Wed Sep 12 21:59:25 2012
type=SYSCALL msg=audit(1347501565.625:134): arch=c000003e syscall=92 success=no exit=-13 a0=7fff009f5640 a1=9ce a2=9d4 a3=65726373662f7274 items=0 ppid=1 pid=15389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347501565.625:134): avc: denied { setattr } for pid=15389 comm="login" name="2510" dev="tmpfs" ino=35715 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir

Apparently these are enabled by the polyinstantiation_enabled boolean, but it looks like we're going to need them even when it isn't enabled.
Please note that this is login, but I expect that similar access will need to be granted to the various graphical desktop managers, sshd, and such.
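As an added example (not part of the bug report or of the selinux-policy project), the following Python turns the two AVC records quoted above into the allow rule they imply, the way audit2allow does, and then checks whether a given permission set covers them. The sample text is constructed from the quoted records; the MANAGE_DIR_PERMS set is an assumption taken from the reference policy's manage_dir_perms macro and should be verified against the policy sources in use.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC lines quoted in the report (SYSCALL records omitted,
# since only the AVC record carries the contexts, class and denied permissions).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1347500738.908:120): avc: denied { create } for pid=15374 comm="login" name="2510" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1347501565.625:134): avc: denied { setattr } for pid=15389 comm="login" name="2510" dev="tmpfs" ino=35715 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
"""

# Assumed contents of refpolicy's manage_dir_perms (verify against obj_perm_sets.spt).
MANAGE_DIR_PERMS = {
    "create", "open", "getattr", "setattr", "read", "write", "link", "unlink",
    "rename", "search", "add_name", "remove_name", "reparent", "rmdir", "lock", "ioctl",
}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the denied permissions and the type part of each context, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type[:range]; the type is the third field.
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(grouped)


def allow_rules(grouped):
    """Render one allow rule per (source, target, class), as audit2allow would."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def uncovered_perms(grouped, granted=MANAGE_DIR_PERMS):
    """Permissions the denials need that the granted set does not include."""
    return {key: perms - granted for key, perms in grouped.items() if perms - granted}


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_AUDIT)
    for rule in allow_rules(denials):
        print(rule)
    print("not covered by manage_dir_perms:", uncovered_perms(denials) or "nothing")
```

Run against the sample this prints a single rule for local_login_t on user_tmp_t directories with the create and setattr permissions, and reports nothing left uncovered by a manage-dirs permission set, which is what a maintainer wants to confirm before widening a policy interface rather than adding a narrow rule.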
Yes, basically we allow manage user tmp files without the boolean. So I added the following fix --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -206,6 +206,7 @@ interface(`auth_login_pgm_domain',` userdom_delete_user_tmp_files($1) userdom_search_admin_dir($1) userdom_stream_connect($1) + userdom_manage_user_tmp_dirs($1) userdom_manage_user_tmp_files($1) The change will affect the following domains # seinfo -xapolydomain polydomain xdm_t local_login_t rshd_t sshd_t remote_login_t rlogind_t
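Review bot: the new userdom_manage_user_tmp_dirs($1) line in auth_login_pgm_domain grants the full manage permission set on user_tmp_t directories, unconditionally, to every caller of the interface (per the seinfo output: xdm_t, local_login_t, rshd_t, sshd_t, remote_login_t, rlogind_t), while the denials that motivated it are only create and setattr on one dir by local_login_t; since this is wider than the /run/user/$UID case the reporter describes and is no longer gated by polyinstantiation_enabled, the interface description should say why manage rather than a narrower set is granted here, so the next reader does not mistake it for an accidental broadening.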
selinux-policy-3.11.1-21.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-21.fc18
Package selinux-policy-3.11.1-21.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-21.fc18'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14225/selinux-policy-3.11.1-21.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18
selinux-policy-3.11.1-21.fc18 has been pushed to the Fedora 18 obsolete repository. If problems still persist, please make note of it in this bug report.