F12 beta, ldap authentication and NFS mounted home

I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a Mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following selinux error:

SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.

I've attached the full sealert, am I missing something obvious/simple?

Thanks for any help!

-Tim

---------------------------------------------------------
Tim Fenn
fenn@...
Stanford University, School of Medicine
James H. Clark Center
318 Campus Drive, Room E300
Stanford, CA 94305-5432
Phone: (650) 736-1714
FAX: (650) 736-1961
---------------------------------------------------------

Summary:

SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.

Detailed Description:

SELinux denied access requested by ck-get-x11-serv. It is not expected that this access is required by ck-get-x11-serv and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context: system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context: unconfined_u:object_r:default_t:s0
Target Objects: Homes [ lnk_file ]
Source: ck-get-x11-serv
Source Path: /usr/libexec/ck-get-x11-server-pid
Port: <Unknown>
Host: XXXXXX.stanford.edu
Source RPM Packages: ConsoleKit-x11-0.4.1-1.fc12
Target RPM Packages:
Policy RPM: selinux-policy-3.6.32-27.fc12
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: XXXXXX.stanford.edu
Platform: Linux XXXXXX.stanford.edu 2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count: 5
First Seen: Wed Oct 21 16:35:50 2009
Last Seen: Wed Oct 21 16:44:51 2009
Local ID: 6707cb82-aa80-4b60-8ade-44532583e08f
Line Numbers:

Raw Audit Messages:

node=XXXXXX.stanford.edu type=AVC msg=audit(1256168691.455:24129): avc: denied { read } for pid=2716 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
node=XXXXXXX.stanford.edu type=SYSCALL msg=audit(1256168691.455:24129): arch=c000003e syscall=21 success=no exit=-13 a0=7fff8c2a3f54 a1=4 a2=3 a3=fffffffffffffb8d items=0 ppid=2715 pid=2716 auid=4294967295 uid=1029 gid=20 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: F12 beta, ldap authentication and NFS mounted home

On 10/22/2009 02:04 AM, Tim Fenn wrote:
> I upgraded a machine from F10 to F12 beta - it's a client machine that
> mounts /home over NFS and authenticates over LDAP (however, it's a Mac
> server that sets /home as /Volumes/Homes, which I have set up as a
> pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or
> the console, but the graphical login fails when clicking "log in" with
> the following selinux error:
>
> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access
> on Homes.
>
> I've attached the full sealert, am I missing something obvious/simple?
>

FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.

-- Jeroen

[1] https://bugzilla.redhat.com/show_bug.cgi?id=530041

Re: F12 beta, ldap authentication and NFS mounted home

On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> On 10/22/2009 02:04 AM, Tim Fenn wrote:
>> I upgraded a machine from F10 to F12 beta - it's a client machine that
>> mounts /home over NFS and authenticates over LDAP (however, it's a Mac
>> server that sets /home as /Volumes/Homes, which I have set up as a
>> pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or
>> the console, but the graphical login fails when clicking "log in" with
>> the following selinux error:
>>
>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access
>> on Homes.
>>
>> I've attached the full sealert, am I missing something obvious/simple?
>>
>
> FWIW, I had something similar with gdm-greeter, I think. I also had a
> different problem[1] with gdm so I didn't give it much attention at the
> time.
>
> -- Jeroen
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=530041
>

Make sure the use_nfs_home_dirs boolean is turned on.

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

Re: F12 beta, ldap authentication and NFS mounted home

On Thu, 22 Oct 2009 08:28:04 -0400 Daniel J Walsh <dwalsh@...> wrote:
> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >> I upgraded a machine from F10 to F12 beta - it's a client machine
> >> that mounts /home over NFS and authenticates over LDAP (however,
> >> it's a Mac server that sets /home as /Volumes/Homes, which I have
> >> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >> log in via SSH or the console, but the graphical login fails when
> >> clicking "log in" with the following selinux error:
> >>
> >> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >> access on Homes.
> >>
> >> I've attached the full sealert, am I missing something
> >> obvious/simple?
> >>
> >
> > FWIW, I had something similar with gdm-greeter, I think. I also had
> > a different problem[1] with gdm so I didn't give it much attention
> > at the time.
> >
> > -- Jeroen
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=530041
> >
> I need to see the AVC in /var/log/audit/audit.log to make sure I know
> the reason.
>
> Make sure the use_nfs_home_dirs boolean is turned on.
>

Yes, it is. Upon further investigation, it appears gdm is just crashing - I'll look into related bug reports. The selinux alert may be for something else, I'll post the audit.log next time I catch it.

-Tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS

Re: F12 beta, ldap authentication and NFS mounted home

On Thu, 22 Oct 2009 08:28:04 -0400 Daniel J Walsh <dwalsh@...> wrote:
> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >> I upgraded a machine from F10 to F12 beta - it's a client machine
> >> that mounts /home over NFS and authenticates over LDAP (however,
> >> it's a Mac server that sets /home as /Volumes/Homes, which I have
> >> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >> log in via SSH or the console, but the graphical login fails when
> >> clicking "log in" with the following selinux error:
> >>
> >> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >> access on Homes.
> >>
> >> I've attached the full sealert, am I missing something
> >> obvious/simple?
> >>
> >
> > FWIW, I had something similar with gdm-greeter, I think. I also had
> > a different problem[1] with gdm so I didn't give it much attention
> > at the time.
> >
> I need to see the AVC in /var/log/audit/audit.log to make sure I know
> the reason.
>

OK, I spent a bit more time on this today (sorry for the late response, been busy with all these new operating systems this week!). Upon login, I get the audit_1.log (see attached), and upon firing up startx, I get audit_2.log - it seems the link to /home is what's causing the problem, audit2allow suggests

allow local_login_t default_t:lnk_file read;
allow consolekit_t default_t:lnk_file read;

but I'm not sure that's the "proper" solution - would it be better to set /Volumes/Homes as the NFS mount and /home as a pointer to it?

-Tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS

type=USER_AUTH msg=audit(1256337847.406:24021): user pid=1702 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=USER_ACCT msg=audit(1256337847.512:24022): user pid=1702 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=LOGIN msg=audit(1256337847.528:24023): login pid=1702 uid=0 old auid=4294967295 new auid=1029 old ses=4294967295 new ses=3
type=USER_ROLE_CHANGE msg=audit(1256337847.640:24024): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=USER_START msg=audit(1256337848.080:24025): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.085:24026): avc: denied { read } for pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.085:24026): arch=c000003e syscall=4 success=no exit=-13 a0=18a7b00 a1=7fff9b0e1060 a2=7fff9b0e1060 a3=0 items=0 ppid=1 pid=1702 auid=1029 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=3 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=CRED_ACQ msg=audit(1256337848.199:24027): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.200:24028): avc: denied { read } for pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.200:24028): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9b0e2950 a1=0 a2=0 a3=7fff9b0e1360 items=0 ppid=1 pid=1702 auid=1029 uid=0 gid=0 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=tty3 ses=3 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_LOGIN msg=audit(1256337848.204:24029): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=1029 exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.218:24030): avc: denied { read } for pid=2066 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.218:24030): arch=c000003e syscall=80 success=no exit=-13 a0=180fe80 a1=0 a2=0 a3=7fff9b0e1370 items=0 ppid=1702 pid=2066 auid=1029 uid=1029 gid=20 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=tty3 ses=3 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256337974.899:24031): avc: denied { read } for pid=2205 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337974.899:24031): arch=c000003e syscall=21 success=no exit=-13 a0=7fff63c7ef54 a1=4 a2=3 a3=7fff63c7ce80 items=0 ppid=2204 pid=2205 auid=4294967295 uid=1029 gid=20 euid=1029 suid=1029 fsuid=1029 egid=20 sgid=20 fsgid=20 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

Re: F12 beta, ldap authentication and NFS mounted home

On 10/23/2009 07:08 PM, Tim Fenn wrote:
> On Thu, 22 Oct 2009 08:28:04 -0400
> Daniel J Walsh <dwalsh@...> wrote:
>
>> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
>>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
>>>> I upgraded a machine from F10 to F12 beta - it's a client machine
>>>> that mounts /home over NFS and authenticates over LDAP (however,
>>>> it's a Mac server that sets /home as /Volumes/Homes, which I have
>>>> set up as a pointer to /home). use_nfs_home_dirs is on and I can
>>>> log in via SSH or the console, but the graphical login fails when
>>>> clicking "log in" with the following selinux error:
>>>>
>>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
>>>> access on Homes.
>>>>
>>>> I've attached the full sealert, am I missing something
>>>> obvious/simple?
>>>>
>>>
>>> FWIW, I had something similar with gdm-greeter, I think. I also had
>>> a different problem[1] with gdm so I didn't give it much attention
>>> at the time.
>>>
>> I need to see the AVC in /var/log/audit/audit.log to make sure I know
>> the reason.
>>
>
> OK, I spent a bit more time on this today (sorry for the late response,
> been busy with all these new operating systems this week!). Upon
> login, I get the audit_1.log (see attached), and upon firing up startx,
> I get audit_2.log - it seems the link to /home is what's causing the
> problem, audit2allow suggests
>
> allow local_login_t default_t:lnk_file read;
> allow consolekit_t default_t:lnk_file read;
>
> but I'm not sure that's the "proper" solution - would it be better to
> set /Volumes/Homes as the NFS mount and /home as a pointer to it?
>
> -Tim
>

The problem looks like you have the users' home directories in a separate location, and it is not labeled correctly. The symbolic link is labeled with the default label, and the login programs are not able to read this link.

You probably need to label it something like user_home_dir_t.

Homes is the link. Is /volume/homes a symbolic link to /home?

Are the users' home dirs local or on another machine mounted via nfs?

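Added example, not code from the thread or from the SELinux tools: a small Python triage script that parses audit records of the kind Tim attached, groups the denials the way audit2allow does before it emits rules (reproducing the two allow rules quoted above), and flags that both groups target default_t, which is the labeling problem Dan describes rather than a missing permission. The sample log is constructed from the records above and all function names are my own.

```python
import re
# Constructed sample in the shape of the thread's audit_1.log: login and ck-get-x11-server-pid denials on the default_t "Homes" symlink.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1256337848.080:24025): user pid=1702 uid=0 auid=1029 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="fenn" exe="/bin/login" hostname=? addr=? terminal=tty3 res=success'
type=AVC msg=audit(1256337848.085:24026): avc: denied { read } for pid=1702 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1256337848.085:24026): arch=c000003e syscall=4 success=no exit=-13 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256337848.218:24030): avc: denied { read } for pid=2066 comm="login" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256337974.899:24031): avc: denied { read } for pid=2205 comm="ck-get-x11-serv" name="Homes" dev=dm-0 ino=218 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
"""
AVC_HEAD = re.compile(r"^type=AVC .*?avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
GENERIC_TYPES = {"default_t", "unlabeled_t"}  # target types that usually mean "mislabelled file"

def parse_avc(line):
    """Return the fields of one type=AVC record as a dict, or None for any other record."""
    m = AVC_HEAD.match(line)
    if not m:
        return None
    decision, perms, tail = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', tail)}
    fields.update(decision=decision, perms=perms.split())
    return fields

def type_of(context):
    """user:role:type[:range] -> type, e.g. unconfined_u:object_r:default_t:s0 -> default_t."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class), as audit2allow does before emitting rules."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "comms": set(), "count": 0})
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
    return groups

def allow_rules(groups):
    """Render each group as the allow rule audit2allow would suggest for it."""
    rules = []
    for (stype, ttype, tclass), g in groups.items():
        perms = " ".join(sorted(g["perms"]))
        perms = perms if len(g["perms"]) == 1 else "{ %s }" % perms
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perms))
    return rules

def mislabel_hints(groups):
    """Flag groups whose target carries a generic label: the allow rule would open every such object to the domain, relabelling fixes one symlink."""
    return ["%s -> %s:%s (%s): relabel the target instead of allowing"
            % (s, t, c, ", ".join(sorted(g["comms"])))
            for (s, t, c), g in groups.items() if t in GENERIC_TYPES]
```

On a real host the same functions can be fed the contents of /var/log/audit/audit.log; a hint from mislabel_hints is the cue to check the file context of the named object before loading any generated module.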
Re: F12 beta, ldap authentication and NFS mounted home

On Sat, 24 Oct 2009 07:58:47 -0400 Daniel J Walsh <dwalsh@...> wrote:
> On 10/23/2009 07:08 PM, Tim Fenn wrote:
> > On Thu, 22 Oct 2009 08:28:04 -0400
> > Daniel J Walsh <dwalsh@...> wrote:
> >
> >> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> >>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >>>> I upgraded a machine from F10 to F12 beta - it's a client machine
> >>>> that mounts /home over NFS and authenticates over LDAP (however,
> >>>> it's a Mac server that sets /home as /Volumes/Homes, which I have
> >>>> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >>>> log in via SSH or the console, but the graphical login fails when
> >>>> clicking "log in" with the following selinux error:
> >>>>
> >>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >>>> access on Homes.
> >>>>
> >>>> I've attached the full sealert, am I missing something
> >>>> obvious/simple?
> >>>>
> >>>
> >>> FWIW, I had something similar with gdm-greeter, I think. I also
> >>> had a different problem[1] with gdm so I didn't give it much
> >>> attention at the time.
> >>>
> >> I need to see the AVC in /var/log/audit/audit.log to make sure I
> >> know the reason.
> >>
> >
> > OK, I spent a bit more time on this today (sorry for the late
> > response, been busy with all these new operating systems this
> > week!). Upon login, I get the audit_1.log (see attached), and upon
> > firing up startx, I get audit_2.log - it seems the link to /home is
> > what's causing the problem, audit2allow suggests
> >
> > allow local_login_t default_t:lnk_file read;
> > allow consolekit_t default_t:lnk_file read;
> >
> > but I'm not sure that's the "proper" solution - would it be better to
> > set /Volumes/Homes as the NFS mount and /home as a pointer to it?
> >
> > -Tim
> >
> Looks like a labeling problem.
>
> The problem looks like you have the users' home directories in a
> separate location, and it is not labeled correctly.
>
> The symbolic link is labeled with the default label, and the login
> programs are not able to read this link.
>
> You probably need to label it something like user_home_dir_t.
>
> Homes is the link.
>
> Is /volume/homes a symbolic link to /home?
>
> Are the users' home dirs local or on another machine mounted via nfs?
>

/home was the NFS mount, /volumes/homes was the symbolic link to it. If I do the opposite (/volumes/homes as the NFS mount, /home as a link to /volumes/homes), I don't see any selinux avc errors. I'll leave it at that for now, but let me know if you'd like additional information or try out anything to further debug/test things.

-tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS