On Sat, 24 Oct 2009 07:58:47 -0400 Daniel J Walsh <dwalsh(a)redhat.com> wrote:
On 10/23/2009 07:08 PM, Tim Fenn wrote:
> On Thu, 22 Oct 2009 08:28:04 -0400
> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
>>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
>>>> I upgraded a machine from F10 to F12 beta - it's a client machine
>>>> that mounts /home over NFS and authenticates over LDAP (however,
>>>> it's a mac server that sets /home as /Volumes/Homes, which I have
>>>> set up as a pointer to /home). use_nfs_home_dirs is on and I can
>>>> log in via SSH or the console, but the graphical login fails when
>>>> clicking "log in" with the following selinux error:
>>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid
>>>> access on Homes.
>>>> I've attached the full sealert, am I missing something?
>>> FWIW, I had something similar with gdm-greeter, I think. I also
>>> had a different problem with gdm so I didn't give it much
>>> attention at the time.
>> I need to see the AVC in /var/log/audit/audit.log to make sure I
>> know the reason.
> OK, I spent a bit more time on this today (sorry for the late
> response, been busy with all these new operating systems this
> week!). Upon login, I get the audit_1.log (see attached), and upon
> firing up startx, I get audit_2.log - it seems the link to /home is
> what's causing the problem, audit2allow suggests
> allow local_login_t default_t:lnk_file read;
> allow consolekit_t default_t:lnk_file read;
> but I'm not sure that's the "proper" solution - would it be better to
> set /Volumes/Homes as the NFS mount and /home as a pointer to it?
Looks like a labeling problem.
The problem looks like you have a user's home directories in a
separate location. And it is not labeled correctly.
The symbolic link is labeled with the default label, and the login
programs are not able to read this link.
You probably need to label it something like user_home_dir_t.
Homes is the link.
Is /volume/homes a symbolic link to /home?
Are the users' home dirs local or on another machine mounted via nfs?
/home was the NFS mount, /volumes/homes was the symbolic link to it.
If I do the opposite (/volumes/homes as the NFS mount, /home as a link
to /volumes/homes), I don't see any selinux avc errors. I'll leave it
at that for now, but let me know if you'd like additional information or
try out anything to further debug/test things.
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS
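
An added example, not part of the thread and not code from any SELinux tool: a small Python triage pass over AVC denials that flags targets carrying a generic type such as default_t, the situation Daniel Walsh's reply calls a labeling problem, instead of turning them into allow rules. The sample records are constructed, and the verdict strings and the extra generic types (unlabeled_t, file_t) are assumptions.

```python
import re
from collections import defaultdict

# Target types that normally mean "never given a specific label". default_t is
# the one in this thread; unlabeled_t and file_t are added as an assumption.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
NAME_RE = re.compile(r'\bname="?([^"\s]+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "unknown"


def triage(lines):
    """Group AVC denials and mark those that point at a mislabeled object."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        name = NAME_RE.search(line)
        if name:
            groups[key]["names"].add(name.group(1))
    return [
        {"source": s, "target": t, "tclass": c,
         "perms": sorted(g["perms"]), "names": sorted(g["names"]),
         "verdict": "relabel-target" if t in GENERIC_TYPES else "review-policy"}
        for (s, t, c), g in sorted(groups.items())
    ]


# Constructed sample records (not the logs attached to the thread).
SAMPLE = [
    'type=AVC msg=audit(1256300000.101:31): avc:  denied  { read } for  pid=2101 comm="login" name="Homes" dev=dm-0 ino=4711 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1256300042.207:58): avc:  denied  { read } for  pid=2290 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=4711 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1256300042.207:58): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1256300050.330:61): avc:  denied  { search } for  pid=2301 comm="gdm" name="home" dev=0:15 ino=2 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["verdict"], f["source"], "->", f["target"], f["tclass"], f["perms"], f["names"])
```

A "relabel-target" verdict means the object named in the record should get a proper file context before any policy change is considered.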