| Summary: | useradd: cannot set SELinux context for home directory | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Eryu Guan <eguan> |
| Component: | shadow-utils | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | bblaskov, eguan, mgrepl |
| Target Milestone: | rc | Keywords: | Reopened, SELinux |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-27 12:15:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Eryu Guan
2013-10-01 07:30:12 UTC
What AVC msgs are you getting in permissive mode?

```
# setenforce 1
# useradd testuser
useradd: cannot create directory /home/testuser
# echo $?
12
# tail /var/log/audit/audit.log
type=ADD_GROUP msg=audit(1380792255.158:296): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792255.176:297): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792255.180:298): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1380792255.180:299): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'
# setenforce 0
# useradd testuser
# echo $?
0
# tail /var/log/audit/audit.log
type=ADD_GROUP msg=audit(1380792349.214:308): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792349.223:309): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1380792349.228:310): avc: denied { write } for pid=24522 comm="useradd" name="/" dev="dm-2" ino=128 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1380792349.228:310): avc: denied { add_name } for pid=24522 comm="useradd" name="testuser" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1380792349.228:310): arch=c000003e syscall=83 success=yes exit=0 a0=7f3933798f80 a1=0 a2=7f3931142778 a3=5f656d6f685f7265 items=0 ppid=3871 pid=24522 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1380792349.234:311): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
```
Ok, this is a labeling problem. You will need to fix labeling using restorecon and then set up correct labels for HOME_ROOT using "semanage fcontext -a -e" if you use a non-standard location.

Another example:

```
# mkdir /tmp/new_home
# useradd -d /tmp/new_home/tester tester
useradd: cannot set SELinux context for home directory /tmp/new_home/tester
# chcon --reference /home /tmp/new_home
# ls -lZd /tmp/new_home/
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /tmp/new_home/
# useradd -d /tmp/new_home/tester tester
useradd: cannot set SELinux context for home directory /tmp/new_home/tester
```

BUT!!!

```
# mkdir /tmp/new_home/tester
# useradd -d /tmp/new_home/tester tester
useradd: warning: the home directory already exists. Not copying any file from skel directory into it.
# echo $?
0
```

I don't think this is correct behaviour. It's working OK on RHEL-6. Reopened.

I forgot to add (to comment #4):

```
# rpm -qf `which useradd`
shadow-utils-4.1.5.1-9.el7.x86_64
# rpm -q selinux-policy
selinux-policy-3.12.1-102.el7.noarch
```

I am not convinced this is a bug in useradd. IMHO it is due to the tighter restrictions of the SELinux policy. If you create

```
# mkdir /tmp/new_home
```

and then set up an equivalence for this directory using semanage instead of chcon, does it work then?

The correct way to do this is:

```
semanage fcontext -a -e /home /tmp/new_home
mkdir /tmp/new_home
restorecon /tmp/new_home
useradd -d /tmp/new_home/tester tester
```

I verified that it works fine this way.

Yes, it works like Tomas mentioned in comment #8. Thank you.
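The AVC records quoted in this report show useradd_t being denied write and add_name on a directory whose target context is file_t, i.e. a directory with no persistent label, which is what makes this a labeling problem rather than a useradd bug. As an added example that is not part of the bug report, here is a POSIX shell helper that extracts the denied permission, source type, target type and object class from audit.log lines and flags the unlabeled-target case; the sample records are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AVC denials from an audit log.
# A target type of file_t on a dir means the directory carries no persistent
# label; the remedy is restorecon (plus a semanage fcontext -e equivalence for a
# non-default home root), not chcon, which a later relabel would undo.

# Print one line per AVC record: "<perm> <source type> <target type> <tclass> <name>"
avc_denials() {
    grep 'type=AVC' "$1" | sed -n \
        's/.*avc: *denied *{ *\([a-z_]*\) *}.*name="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \3 \4 \5 \2/p'
}

# Exit 0 if any denial targets an unlabeled (file_t) directory, 1 otherwise.
has_unlabeled_target() {
    avc_denials "$1" | awk '$3 == "file_t" && $4 == "dir" { found = 1 } END { exit found ? 0 : 1 }'
}

# Sample records constructed from the ones quoted in this report.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1380792349.228:310): avc: denied { write } for pid=24522 comm="useradd" name="/" dev="dm-2" ino=128 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1380792349.228:310): avc: denied { add_name } for pid=24522 comm="useradd" name="testuser" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1380792349.228:310): arch=c000003e syscall=83 success=yes exit=0 comm="useradd" exe="/usr/sbin/useradd"
EOF

avc_denials "$SAMPLE_LOG"
if has_unlabeled_target "$SAMPLE_LOG"; then
    echo "labeling problem: run 'restorecon -Rv <dir>' (and 'semanage fcontext -a -e /home <dir>' for a non-default home root)"
fi
```

Point it at /var/log/audit/audit.log on the affected host; a denial whose target type is something other than file_t (home_root_t, for instance) is a policy question rather than a missing label.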