| Summary: | SELinux is preventing /usr/sbin/useradd from 'setattr' accesses on the file .bash_logout. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin <mholec> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | tpelka |
| Target Milestone: | beta | | |
| Target Release: | 7.0 | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:06da56bc7bbdc014127c677bc63e28e47743686ffadfc219244fbf86490c9809 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-14 12:40:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

*** This bug has been marked as a duplicate of bug 1018773 ***

Description of problem:

Testing Multiple Graphical Login

1. Install RHEL desktop on multiple virtual or bare metal machines.
2. Edit the /etc/dconf/profile/user file on every client. If one does not already exist, create it.
3. Add a line containing service-db:keyfile/user to the file and save your changes.
4. Setup shared /home directory via NFS on each machine. Put the following line into /etc/fstab

    nest.test.redhat.com:/mnt/qa/scratch/rhel7-gnome-shell-shared-home /home nfs rw 0 0

5. Create account with username "test" and password "redhat".
6. Login to Gnome.

SELinux is preventing /usr/sbin/useradd from 'setattr' accesses on the file .bash_logout.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow use to nfs home dirs
Then you must tell SELinux about this by enabling the 'use_nfs_home_dirs' boolean.
You can read 'None' man page for more details.
Do

    setsebool -P use_nfs_home_dirs 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that useradd should be allowed setattr access on the .bash_logout file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # grep useradd /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context                unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:nfs_t:s0
    Target Objects                .bash_logout [ file ]
    Source                        useradd
    Source Path                   /usr/sbin/useradd
    Port                          <Unknown>
    Host                          (removed)
    Source RPM Packages           shadow-utils-4.1.5.1-8.el7.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.12.1-86.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     (removed)
    Platform                      Linux (removed) 3.10.0-33.el7.x86_64 #1 SMP Fri Oct 4 11:13:14 EDT 2013 x86_64 x86_64
    Alert Count                   2
    First Seen                    2013-10-10 14:39:27 BST
    Last Seen                     2013-10-10 14:56:53 BST
    Local ID                      3eee59e1-11f6-4b77-8d08-d9f836f3e790

Raw Audit Messages

    type=AVC msg=audit(1381413413.97:529): avc: denied { setattr } for pid=2370 comm="useradd" name=".bash_logout" dev="0:35" ino=26134402 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

    type=SYSCALL msg=audit(1381413413.97:529): arch=x86_64 syscall=fchown success=yes exit=0 a0=c a1=3ea a2=3ea a3=5f656d6f685f7265 items=0 ppid=1849 pid=2370 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)

Hash: useradd,useradd_t,nfs_t,file,setattr

Additional info:

    reporter:       libreport-2.1.7
    hashmarkername: setroubleshoot
    kernel:         3.10.0-33.el7.x86_64
    type:           libreport