F12 beta, ldap authentication and NFS mounted home

Tim Fenn fenn at stanford.edu
Sun Oct 25 01:33:00 UTC 2009


On Sat, 24 Oct 2009 07:58:47 -0400 Daniel J Walsh <dwalsh at redhat.com>
wrote:

> On 10/23/2009 07:08 PM, Tim Fenn wrote:
> > On Thu, 22 Oct 2009 08:28:04 -0400
> > Daniel J Walsh <dwalsh at redhat.com> wrote:
> > 
> >> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> >>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >>>> I upgraded a machine from F10 to F12 beta - it's a client machine
> >>>> that mounts /home over NFS and authenticates over LDAP (however,
> >>>> it's a mac server that sets /home as /Volumes/Homes, which I have
> >>>> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >>>> log in via SSH or the console, but the graphical login fails when
> >>>> clicking "log in" with the following selinux error:
> >>>>
> >>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >>>> access on Homes.
> >>>>
> >>>> I've attached the full sealert, am I missing something
> >>>> obvious/simple?
> >>>>
> >>>
> >>> FWIW, I had something similar with gdm-greeter, I think. I also
> >>> had a different problem[1] with gdm so I didn't give it much
> >>> attention at the time.
> >>>
> >> I need to see the AVC in /var/log/audit/audit.log to make sure I
> >> know the reason.
> >>
> > 
> > OK, I spent a bit more time on this today (sorry for the late
> > response, been busy with all these new operating systems this
> > week!).  Upon login, I get the audit_1.log (see attached), and upon
> > firing up startx, I get audit_2.log - it seems the link to /home is
> > what's causing the problem, audit2allow suggests
> > 
> > allow local_login_t default_t:lnk_file read;
> > allow consolekit_t default_t:lnk_file read;
> > 
> > but I'm not sure that's the "proper" solution - would it be better to
> > set /Volumes/Homes as the NFS mount and /home as a pointer to it?
> > 
> > -Tim
> > 
> Looks like a labeling problem.
> 
> The problem looks like you have the users' home directories in a
> separate location.  And it is not labeled correctly.
> 
> The symbolic link is labeled with the default label, and the login
> programs are not able to read this link.
> 
> You probably need to label it something like user_home_dir_t.
> 
> Homes is the link.
> 
> Is /volume/homes a symbolic link to /home?
> 
> Are the users' home dirs local or on another machine mounted via nfs?
> 

/home was the NFS mount, /volumes/homes was the symbolic link to it.
If I do the opposite (/volumes/homes as the NFS mount, /home as a link
to /volumes/homes), I don't see any selinux avc errors.  I'll leave it
at that for now, but let me know if you'd like additional information or
want me to try out anything to further debug/test things.

-tim

-- 
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS
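The thread turns on the distinction Dan draws: audit2allow will happily emit `allow local_login_t default_t:lnk_file read;`, but a target type of default_t means the symlink simply never got a proper label, so the fix is relabeling, not a policy change. The following added example (not code from the thread or from the SELinux tools) parses AVC records in the audit.log format, produces the same allow rule audit2allow would, and flags denials against unlabeled target types as labeling problems. The audit lines are constructed to mirror the denials Tim describes; pids, inodes and timestamps are made up.

```python
import re

# Constructed sample records in /var/log/audit/audit.log shape; the first two
# mirror the "Homes" symlink denials from the thread, the third is a made-up
# NFS denial to show the other verdict. All numeric values are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1256400000.101:201): avc:  denied  { read } for  pid=2011 comm="login" name="Homes" dev=dm-0 ino=1310 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256400000.233:202): avc:  denied  { read } for  pid=2030 comm="ck-get-x11-ser" name="Homes" dev=dm-0 ino=1310 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256400000.300:203): avc:  denied  { getattr } for  pid=2044 comm="gdm-session-wor" path="/home/tim" dev=0:18 ino=9 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

# Contexts are user:role:type[:range]; we only need the type field of each.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)\S*\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Target types that mean "this object was never given a real label":
# default_t (no fcontext rule matched the path) and the unlabeled types.
MISLABEL_TYPES = {"default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return the source type, target type, class and permissions of one AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = m.groupdict()
    avc["perms"] = sorted(avc["perms"].split())
    return avc


def allow_rule(avc):
    """Render the denial as the allow rule audit2allow would print."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perm_str)


def triage(log_text):
    """Return de-duplicated (rule, verdict) pairs; mislabeled targets are called out."""
    results, seen = [], set()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        rule = allow_rule(avc)
        if rule in seen:
            continue
        seen.add(rule)
        if avc["ttype"] in MISLABEL_TYPES:
            verdict = "labeling problem: relabel the target instead of adding this rule"
        else:
            verdict = "policy decision: review the access before allowing it"
        results.append((rule, verdict))
    return results


if __name__ == "__main__":
    for rule, verdict in triage(SAMPLE_AUDIT_LOG):
        print("%-55s %s" % (rule, verdict))
```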




More information about the fedora-selinux-list mailing list