Bug 119597
Summary: | cannot login -- cannot find home directory | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Gene Czarcinski <gczarcinski> |
Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | Severity: | medium |
Priority: | medium | Version: | rawhide |
Hardware: | All | OS: | Linux |
CC: | devscott, leonard-rh-bugzilla, pgraner, tjsmith | Doc Type: | Bug Fix |
Last Closed: | 2004-05-11 11:11:33 UTC | Bug Blocks: | 122683 |
Description
Gene Czarcinski
2004-03-31 20:08:39 UTC
*** Bug 119658 has been marked as a duplicate of this bug. ***

Not sure what caused this, but today's policy seems to work 1.9.2-1

Doesn't work here (policy-1.9.2-1 and policycoreutils-1.9-19) - I cannot login via gdm at all (neither as root nor normal user: home directory does not exist) unless I turn enforcing off. I relabeled the filesystem and rebooted after upgrading.

I also updated. I also have the problem back. Here are the messages I get when I try to login (from /var/log/messages):

```
Apr 2 04:18:03 hummer gdm(pam_unix)[12970]: session opened for user czarcing by (uid=0)
Apr 2 04:18:03 hummer kernel: audit(1080897483.768:0): avc: denied { getattr } for pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr 2 04:18:03 hummer gdm[12970]: gdm_slave_session_start: Home directory for czarcing: '/home/czarcing' does not exist!
Apr 2 04:18:09 hummer gdm(pam_unix)[12970]: session closed for user czarcing
```

add

```
allow xdm_t $1_home_dir_t:dir { getattr };
```

to /etc/security/selinux/src/policy/macros/base_user_macros.te under the xdm section, then type

```
make -C /etc/security/selinux/src/policy load
```

This is fixed in policy-1.9.2-5

*** Bug 119764 has been marked as a duplicate of this bug. ***

OK, I am still getting something wrong. I added the "allow" line to the end of the file and get:

```
/usr/bin/checkpolicy -o /etc/security/selinux/policy.16 /etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
macros/base_user_macros.te:332:WARNING 'unrecognized character' at token '$' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
macros/base_user_macros.te:332:ERROR 'syntax error' at token '1' on line 1676:
allow xdm_t $1_home_dir_t:dir { getattr };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
```

You put it in the wrong place. It needs to be with the other xdm stuff. Basically this is within a macro so if you look for xdm_t in the file and put this line after it the $1 will get translated.

Dan

Success! I believe I really need to read those papers on SELinux policy so that I can understand how to fix and/or understand policy related problems better.

Suggestion ... when suggesting adding something to a file, put your suggestion into more or less "patch" format so that we (who do not understand the fine points) can get it right the first time ... you said add a line so I added it to the end of the file.

I will do that. I am also considering putting updated policy for people to try on my people page, so you don't have to wait twenty four hours.

Dan

Install from CD on 3-31 was okay. I got this same problem after doing a yum update on 4-1 (about 150 packages). I believe a policy update was in the mix. I could only get into the failsafe session as root/staff_r. Had to newrole -r sysadm_r to run as real root. setfiles /home didn't fix the problem. Neither did fixfiles relabel (and reboot).

Looking in /etc/security/selinux I found a policy.15 file and a policy.16 file. The policy.16 file was date stamped as the original install from CD. The policy.15 file was date stamped March 24, which I assume was time of packaging. I moved the policy.16 file to /root leaving only file_contexts and policy.15 in the selinux directory. When I went to logout gdm got caught in a loop trying to restart over and over. A three-finger salute took the system down via init6. After the reboot, the system is AOK. Login with home directory and enforcement is on.

No scientific analysis was done here. I just "tried something" and it worked. Hope this helps.

Phil

I'm still having problems here. I loaded the updated policy and rebooted. Things initially looked fine, but after logging in via gdm as my normal user, I discovered I couldn't start many processes. I logged out, and X11 won't start any more. I got stuck in the start-fail-retry loop with X until it gave up. I ran another fixfiles and rebooted, but no changes. Still throwing multiple denied messages like so:

```
Apr 2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc: denied { read append } for pid=1668 exe=/usr/bin/gdm-binary name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_xauth_t tclass=file
```

and

```
Apr 2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc: denied { write } for pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4 ino=32513 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Apr 2 21:29:52 pontifex gdm[1668]: run_session_child: Could not open ~/.xsession-errors
```

Probably related, gnome failsafe login session fails to start a terminal. A full login works, but unable to start many common apps, like Mozilla.

Policy and kernel version are:
policy-1.9.2-5
kernel-2.6.4-1.300

- Scott

Is the issue in comment #14 resolved?
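The AVC denials quoted in this thread carry everything needed to write the allow rule that was suggested as the fix: source type, target type, object class and permissions. The following is an added example, not code from the bug's participants or the policy package; it parses the three denial lines from the comments into candidate rules, and `macro_form` with its role-prefix list is an assumption made to illustrate why the rule is written with `$1` inside the macro.

```python
import re
from collections import defaultdict

# AVC denial lines copied from the comments on this page.
SAMPLE_LOG = """\
Apr 2 04:18:03 hummer kernel: audit(1080897483.768:0): avc: denied { getattr } for pid=12970 exe=/usr/bin/gdm-binary path=/home/czarcing dev=hda10 ino=1209338 scontext=system_u:system_r:xdm_t tcontext=czarcing:object_r:staff_home_dir_t tclass=dir
Apr 2 21:29:52 pontifex kernel: audit(1080966592.925:0): avc: denied { read append } for pid=1668 exe=/usr/bin/gdm-binary name=.Xauthority dev=hde4 ino=357693 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_xauth_t tclass=file
Apr 2 21:29:52 pontifex kernel: audit(1080966592.930:0): avc: denied { write } for pid=1668 exe=/usr/bin/gdm-binary name=sfarrow dev=hde4 ino=32513 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract source type, target type, class and permissions per denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"source": context_type(m["scontext"]),
                            "target": context_type(m["tcontext"]),
                            "tclass": m["tclass"],
                            "perms": m["perms"].split()})
    return denials

def candidate_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def macro_form(type_name, prefixes=("staff", "user")):
    """Assumption: these role prefixes are expansions of the macro's $1 argument."""
    for p in prefixes:
        if type_name.startswith(p + "_"):
            return "$1" + type_name[len(p):]
    return type_name

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE_LOG))))
```

Each emitted rule is a candidate to review and place inside the macro it belongs to, which is why the line appended to the end of `base_user_macros.te` failed to parse.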