I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
I've attached the full sealert, am I missing something obvious/simple?
Thanks for any help! -Tim
On 10/22/2009 02:04 AM, Tim Fenn wrote:
> I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
> I've attached the full sealert, am I missing something obvious/simple?
FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.
-- Jeroen
On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> On 10/22/2009 02:04 AM, Tim Fenn wrote:
> > I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
> > SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
> > I've attached the full sealert, am I missing something obvious/simple?
> FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.
> -- Jeroen
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=530041
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I need to see the AVC in /var/log/audit/audit.log to make sure I know the reason.
Make sure the use_nfs_home_dirs boolean is turned on.
# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on
On Thu, 22 Oct 2009 08:28:04 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> > > I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
> > > SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
> > > I've attached the full sealert, am I missing something obvious/simple?
> > FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.
> > -- Jeroen
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=530041
> > -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> I need to see the AVC in /var/log/audit/audit.log to make sure I know the reason.
> Make sure the use_nfs_home_dirs boolean is turned on.
Yes, it is. Upon further investigation, it appears gdm is just crashing - I'll look into related bug reports. The selinux alert may be for something else, I'll post the audit.log next time I catch it.
-Tim
On Thu, 22 Oct 2009 08:28:04 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> > > I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
> > > SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
> > > I've attached the full sealert, am I missing something obvious/simple?
> > FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.
> I need to see the AVC in /var/log/audit/audit.log to make sure I know the reason.
OK, I spent a bit more time on this today (sorry for the late response, been busy with all these new operating systems this week!). Upon login, I get the audit_1.log (see attached), and upon firing up startx, I get audit_2.log - it seems the link to /home is what's causing the problem, audit2allow suggests
allow local_login_t default_t:lnk_file read;
allow consolekit_t default_t:lnk_file read;
but I'm not sure that's the "proper" solution - would it be better to set /Volumes/Homes as the NFS mount and /home as a pointer to it?
-Tim
On 10/23/2009 07:08 PM, Tim Fenn wrote:
> On Thu, 22 Oct 2009 08:28:04 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> > On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> > > > I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
> > > > SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
> > > > I've attached the full sealert, am I missing something obvious/simple?
> > > FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.
> > I need to see the AVC in /var/log/audit/audit.log to make sure I know the reason.
> OK, I spent a bit more time on this today (sorry for the late response, been busy with all these new operating systems this week!). Upon login, I get the audit_1.log (see attached), and upon firing up startx, I get audit_2.log - it seems the link to /home is what's causing the problem, audit2allow suggests
> allow local_login_t default_t:lnk_file read;
> allow consolekit_t default_t:lnk_file read;
> but I'm not sure that's the "proper" solution - would it be better to set /Volumes/Homes as the NFS mount and /home as a pointer to it?
> -Tim
Looks like a labeling problem.
The problem looks like you have a user's home directories in a separate location. And it is not labeled correctly.
The symbolic link is labeled with the default label, and the login programs are not able to read this link.
You probably need to label it something like user_home_dir_t.
Homes is the link.
Is /volume/homes a symbolic link to /home?
Are the users' home dirs local or on another machine mounted via nfs?
On Sat, 24 Oct 2009 07:58:47 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> On 10/23/2009 07:08 PM, Tim Fenn wrote:
> > On Thu, 22 Oct 2009 08:28:04 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> > > On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > > > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> > > > > I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following SELinux error:
> > > > > SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.
> > > > > I've attached the full sealert, am I missing something obvious/simple?
> > > > FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.
> > > I need to see the AVC in /var/log/audit/audit.log to make sure I know the reason.
> > OK, I spent a bit more time on this today (sorry for the late response, been busy with all these new operating systems this week!). Upon login, I get the audit_1.log (see attached), and upon firing up startx, I get audit_2.log - it seems the link to /home is what's causing the problem, audit2allow suggests
> > allow local_login_t default_t:lnk_file read;
> > allow consolekit_t default_t:lnk_file read;
> > but I'm not sure that's the "proper" solution - would it be better to set /Volumes/Homes as the NFS mount and /home as a pointer to it?
> > -Tim
> Looks like a labeling problem.
> The problem looks like you have a user's home directories in a separate location. And it is not labeled correctly.
> The symbolic link is labeled with the default label, and the login programs are not able to read this link.
> You probably need to label it something like user_home_dir_t.
> Homes is the link.
> Is /volume/homes a symbolic link to /home?
> Are the users' home dirs local or on another machine mounted via nfs?
/home was the NFS mount, /volumes/homes was the symbolic link to it. If I do the opposite (/volumes/homes as the NFS mount, /home as a link to /volumes/homes), I don't see any selinux avc errors. I'll leave it at that for now, but let me know if you'd like additional information or try out anything to further debug/test things.
-tim
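Added example, not part of the original thread: a small Python triage over AVC records that separates denials on default_t objects (the labeling problem diagnosed above) from denials that need policy review. The log lines are constructed to mirror the two denials audit2allow reported; the function names, the numeric fields and the third record are illustrative assumptions.

```python
import re

# Constructed sample AVC records (not the logs attached to the thread): the
# timestamps, pids, inodes and the whole third record are made up.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1256339221.101:31): avc:  denied  { read } for  pid=1893 comm="login" name="Homes" dev=dm-0 ino=131 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256339280.412:45): avc:  denied  { read } for  pid=2210 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=131 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256339302.007:52): avc:  denied  { search } for  pid=2254 comm="gdm-session-wor" name="tim" dev=0:18 ino=77 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# default_t is the type of the policy's catch-all file-context entry, so an
# object carrying it matched no specific labeling rule.
GENERIC_TYPES = {"default_t"}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        return {
            "perms": m.group(1).split(),
            "name": fields.get("name", "?"),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def triage(log_text):
    """Group denials: objects to relabel vs. denials needing policy review."""
    relabel, review = {}, []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if avc["target"] in GENERIC_TYPES:
            key = (avc["name"], avc["tclass"], avc["target"])
            relabel.setdefault(key, set()).add(avc["source"])
        else:
            review.append((avc["source"], avc["target"], avc["tclass"], avc["perms"]))
    return relabel, review

if __name__ == "__main__":
    for key, domains in triage(SAMPLE_AUDIT_LOG)[0].items():
        print("relabel", key, "denied domains:", sorted(domains))
```

On the sample, both denied domains collapse into a single finding on the Homes link, which is why one relabel of the link replaces one allow rule per domain.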
selinux@lists.fedoraproject.org