Bug 1113725
Field | Value | Field | Value
---|---|---|---
Summary | MLS: pam_oddjob_mkhomedir does not work | |
Product | Red Hat Enterprise Linux 7 | Reporter | Miroslav Vadkerti <mvadkert>
Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl>
Status | CLOSED ERRATA | QA Contact | Miroslav Vadkerti <mvadkert>
Severity | medium | Docs Contact |
Priority | medium | |
Version | 7.1 | CC | dwalsh, joniknsk, kbanerje, mgrepl, mmalik, mvadkert, pseeley
Target Milestone | beta | |
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | selinux-policy-3.13.1-14.el7 | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2015-03-05 10:40:24 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | | |
Bug Blocks | 893599 | |
Description (Miroslav Vadkerti, 2014-06-26 18:44:29 UTC)

Comment 1 (Miroslav Grepl)

Mirek,
what does audit2allow say on this AVC?

Comment 2

I have the same issue with pam_oddjob_mkhomedir: when a user first accesses a not-yet-existing home directory via smbd:

type=SYSCALL msg=audit(1409551252.780:10547): arch=c000003e syscall=2 success=yes exit=7 a0=7fff9ac2d020 a1=c1 a2=8180 a3=5f656d6f685f7265 items=2 ppid=19440 pid=31165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)
type=USER_AVC msg=audit(1409551461.431:10567): pid=793 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=31294 tpid=19440 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1409551461.433:10568): arch=c000003e syscall=191 success=yes exit=45 a0=7f8ca76f2070 a1=7f8ca59e679e a2=7f8ca76fbf20 a3=ff items=1 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key="mkhomedir"
type=PATH msg=audit(1409551461.433:10568): item=0 name="/usr/libexec/oddjob/mkhomedir" inode=525091 dev=fd:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:oddjob_mkhomedir_exec_t:s0 objtype=NORMAL
type=AVC msg=audit(1409551461.434:10569): avc: denied { transition } for pid=31297 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev="dm-4" ino=525091 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(1409551461.434:10569): avc: denied { entrypoint } for pid=31297 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev="dm-4" ino=525091 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1409551461.434:10569): avc: denied { read } for pid=31297 comm="mkhomedir" path="pipe:[389907]" dev="pipefs" ino=389907 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1409551461.434:10569): avc: denied { write } for pid=31297 comm="mkhomedir" path="pipe:[389908]" dev="pipefs" ino=389908 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1409551461.434:10569): arch=c000003e syscall=59 success=yes exit=0 a0=7f8ca76f2070 a1=7f8ca76fc570 a2=7f8ca76f2460 a3=4 items=2 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key="mkhomedir"
type=EXECVE msg=audit(1409551461.434:10569): argc=3 a0="mkhomedir" a1="-u" a2="0077"
type=PATH msg=audit(1409551461.434:10569): item=0 name="/usr/libexec/oddjob/mkhomedir" inode=525091 dev=fd:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:oddjob_mkhomedir_exec_t:s0 objtype=NORMAL
type=AVC msg=audit(1409551461.437:10570): avc: denied { getattr } for pid=31297 comm="mkhomedir" path="pipe:[389907]" dev="pipefs" ino=389907 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1409551461.437:10570): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff794f9ff0 a2=7fff794f9ff0 a3=0 items=0 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1409551461.443:10571): avc: denied { create } for pid=31297 comm="mkhomedir" name="username" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1409551461.443:10571): arch=c000003e syscall=83 success=yes exit=0 a0=7fff794f6f10 a1=41c0 a2=7f7ff2e23770 a3=5f656d6f685f7265 items=2 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1409551461.444:10572): avc: denied { create } for pid=31297 comm="mkhomedir" name=".bashrc" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1409551461.444:10572): arch=c000003e syscall=2 success=yes exit=7 a0=7fff794f8eb0 a1=c1 a2=8180 a3=5f656d6f685f7265 items=2 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)

#grep mkhomedir /var/log/audit/audit.log | audit2allow -M test
compilation failed:
test.te:26:ERROR 'syntax error' at token 'constrain' on line 26:
    constrain dir { create relabelfrom relabelto } ((u1 eq u2 -Fail-) or (t1=smbd_t eq TYPE_ENTRY -Fail-) ); Constraint DENIED
#Constraint rule:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from test.te

#cat test.te
module test 1.0;

require {
    type user_home_t;
    type oddjob_mkhomedir_exec_t;
    type smbd_t;
    type oddjob_t;
    class dbus send_msg;
    class process transition;
    class fifo_file { read write getattr };
    class file { create entrypoint };
    class dir create;
}

#============= oddjob_t ==============
allow oddjob_t smbd_t:process transition;

#============= smbd_t ==============
allow smbd_t oddjob_mkhomedir_exec_t:file entrypoint;
allow smbd_t oddjob_t:dbus send_msg;
allow smbd_t oddjob_t:fifo_file { read write getattr };

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to al
#Constraint rule:.
    constrain dir { create relabelfrom relabelto } ((u1 eq u2 -Fail-) or (t1=smbd_t eq TYPE_ENTRY -Fail-) ); Constraint
#    Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow smbd_t user_home_t:dir create;

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to al
#Constraint rule:.
    constrain file { create relabelfrom relabelto } ((u1 eq u2 -Fail-) or (t1=smbd_t eq TYPE_ENTRY -Fail-) ); Constrain
#    Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow smbd_t user_home_t:file create;

When the user tries a first login via ssh, the home directory is created successfully.

selinux-policy-3.12.1-153.el7_0.10.noarch
samba-4.1.1-37.el7_0.x86_64
oddjob-0.31.5-3.el7.x86_64
oddjob-mkhomedir-0.31.5-3.el7.x86_64

Workaround for this issue for me:

# semanage permissive -a smbd_t oddjob_t

Comment 3

I see the following avc when trying to ssh as a user.

type=AVC msg=audit(1415695001.980:413): avc: denied { entrypoint } for pid=28895 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="dm-1" ino=367524 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file

User home directory fails to be created.

Comment 4 (Miroslav Grepl)

Eugene,
could you please re-test it with

$cat mypol.te
policy_module(mypol,1.0)

optional_policy(`
    dbus_system_bus_client(smbd_t)
    optional_policy(`
        oddjob_dbus_chat(smbd_t)
        oddjob_domtrans_mkhomedir(smbd_t)
    ')
')

and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and re-test it. Thank you.

Comment 5 (Miroslav Grepl)

Kaushik,
what does

# ps -eZ |grep sshd

while you are testing it?

Comment 6

(In reply to Miroslav Grepl from comment #5)
> Kaushik,
> what does
>
> # ps -eZ |grep sshd
>
> while you are testing it?

# ps -eZ |grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1004 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 15654 ? 00:00:00 sshd

Additional Info:

# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# cat mypol.te
module mypol 1.0;

require {
    type unconfined_t;
    type oddjob_mkhomedir_exec_t;
    class file entrypoint;
}

#============= unconfined_t ==============
allow unconfined_t oddjob_mkhomedir_exec_t:file entrypoint;

Comment 7

(In reply to Miroslav Grepl from comment #1)
> Mirek,
> what does audit2allow say on this AVC?

Unfortunately a constraint violation :(

See the same for staff_u and user_u:

# ausearch -ts recent -m avc -sv no | grep oddjob | audit2allow

#============= oddjob_mkhomedir_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
    mlsconstrain dir { create } ((l1 eq l2 -Pass-) or (t1=oddjob_mkhomedir_t eq TYPE_ENTRY -Fail-) and (l1 domby l2 -Pass-) or (t1=oddjob_mkhomedir_t eq TYPE_ENTRY -Fail-) and (l1 dom l2 -Pass-) or (t1=oddjob_mkhomedir_t eq TYPE_ENTRY -Fail-) and (l1 incomp l2 -Fail-) and (l1 eq h2 -Fail-) or (t1=oddjob_mkhomedir_t eq TYPE_ENTRY -Fail-) and (l1 domby h2 -Pass-) or (t1=oddjob_mkhomedir_t eq TYPE_ENTRY -Fail-) and (l1 dom h2 -Fail-) or (t1=oddjob_mkhomedir_t eq TYPE_ENTRY -Fail-) and (l1 incomp h2 -Fail-) ); Constraint DENIED
#    Possible cause is the source user (system_u) and target user (user_u) are different.
allow oddjob_mkhomedir_t user_home_dir_t:dir create;

Comment 8

Mirek,
how about with

mls_file_upgrade(oddjob_mkhomedir_t)

Comment 9

(In reply to Miroslav Grepl from comment #4)
> Eugene,
> could you please re-test it with
>
> $cat mypol.te
> and run
>
> # make -f /usr/share/selinux/devel/Makefile mypol.pp
> # semodule -i mypol.pp
>

Miroslav, sorry for the delay.

I disabled the workaround:

# semanage permissive -d smbd_t
# semanage permissive -d oddjob_t

Trying to compile mypol.te:

# make -f /usr/share/selinux/devel/Makefile mypol.pp
Compiling targeted mypol module
/usr/bin/checkmodule: loading policy configuration from tmp/mypol.tmp
mypol.te":3:ERROR 'unknown type smbd_t' at token ';' on line 3208:
#line 3
allow smbd_t { system_dbusd_t self }:dbus send_msg;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mypol.mod] Error 1

Compiles successfully after adding to mypol:

require {
    type smbd_t;
}

I tested both sshd and smbd, and auto-create homedir works fine!

Comment 10

I apologize. Yes.

require {
    type smbd_t;
}

was needed. Thank you for testing.

Comment 11 (Phil Seeley)

Hi Miroslav,

We've encountered what could be the same issue on RHEL6 running under the MLS SELinux policy. We get the same AVC:

type=AVC msg=audit(1417393598.739:1228): avc: denied { create } for pid=9971 comm="mkhomedir" name="usera" scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir

I've traced the denial to the following MLS constraint:

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
    ((( l1 eq l2 ) or
      (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
      (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
      (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
     (( l1 eq h2 ) or
      (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
      (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
      (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));

It's the second block of this constraint that fails. From testing we have determined that:

l1 is not equal to h2
l1 is dominated by h2

So your comment 8 above does work, but giving the mlsfileupgrade attribute to oddjob_mkhomedir_t may have wider security implications.

We're not exactly sure what this constraint is trying to achieve, but if the range of levels in the source and target contexts are equal, then shouldn't the create be allowed?

Thanks

Phil

Comment 12 (Miroslav Grepl)

(In reply to Phil Seeley from comment #11)
> Hi Miroslav,
>
> We've encountered what could be the same issue on RHEL6 running under the
> MLS SELinux policy. We get the same AVC:
>
> type=AVC msg=audit(1417393598.739:1228): avc: denied { create } for
> pid=9971 comm="mkhomedir" name="usera"
> scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
>
> I've traced the denial to the following MLS constraint:
>
> mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file }
> create
> ((( l1 eq l2 ) or
> (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
> (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
> (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
> (( l1 eq h2 ) or
> (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
> (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
> (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
>
> It's the second block of this constraint that fails. From testing we have
> determined that:
>
> l1 is not equal to h2
> l1 is dominated by h2
>
> So your comment 8 above does work, but giving the mlsfileupgrade attribute
> to oddjob_mkhomedir_t may have wider security implications.
>
> We're not exactly sure what this constraint is trying to achieve, but if the
> range of levels in the source and target contexts are equal, then shouldn't
> the create be allowed?

The point is you want to have an object created with a level to be equal low sensitivity label of a subject by default (in most cases to have SystemLow for these objects).

> Thanks
>
> Phil

Comment 13

(In reply to Miroslav Grepl from comment #12)
> > We're not exactly sure what this constraint is trying to achieve, but if the
> > range of levels in the source and target contexts are equal, then shouldn't
> > the create be allowed?
>
> The point is you want to have an object created with a level to be equal low
> sensitivity label of a subject by default (in most cases to have SystemLow
> for these objects).

Thanks, that makes sense.

So are we saying that for an MLS system the best solution is:

mls_file_upgrade(oddjob_mkhomedir_t)

Comment 14

Yes, I believe we will need to allow it this way in this case.

Dan, any comment here?

Comment 15

I guess you would have to yes.

Comment 16

commit f55cd5d76498e5f43fb82bcede0478eab91d874c
Author: Miroslav Grepl <mgrepl>
Date:   Fri Dec 12 15:53:45 2014 +0100

    Add additional MLS attribute for oddjob_mkhomedir to create homedirs.

Comment 17

Works in MLS also.

Moving to VERIFIED as fixed in selinux-policy-3.13.1-23.el7.

drwx------. 2 ipastaff ipastaff 59 Feb 3 12:02 ipastaff

No MLS coverage yet, but would be nice.

Comment 18

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
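The mlsconstrain quoted by Phil Seeley, and the explanation that follows it, can be checked mechanically rather than by reading the `-Pass-`/`-Fail-` annotations. The Python below is an added example written for this page; it is not code from the bug report or from the selinux-policy project. It re-implements that one `create` constraint (`eq`, `dom`, `domby` and `incomp` over a sensitivity plus a category set, with the `mlsfileupgrade`/`mlsfiledowngrade` escape clauses) and evaluates it on the source and target contexts copied from the AVC. The attribute sets passed in, and the SystemLow target variant, are constructed for the example; in a real policy the attribute comes from `mls_file_upgrade()`, and the kernel also applies type enforcement and every other constraint in the loaded policy.

```python
"""Evaluate the MLS file-create constraint from this bug for given contexts.

Added illustration, not code from the bug or from selinux-policy.  Contexts
SRC and TGT are copied from the AVC in the thread; attribute sets and the
SystemLow variant are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: sensitivity sN plus a set of category numbers."""
    sens: int
    cats: frozenset

    def dom(self, other):
        # self dominates other: sensitivity >= and categories a superset
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):
        return other.dom(self)

    def eq(self, other):
        return self.sens == other.sens and self.cats == other.cats

    def incomp(self, other):
        return not self.dom(other) and not other.dom(self)


def parse_level(text):
    """'s15:c0.c1023' -> Level(15, {0..1023}); 's0' -> Level(0, {})."""
    sens_part, _, cat_part = text.partition(":")
    cats = set()
    if cat_part:
        for chunk in cat_part.split(","):
            if "." in chunk:                     # category range, e.g. c0.c1023
                lo, hi = chunk.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:                                # single category, e.g. c5
                cats.add(int(chunk[1:]))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_context(ctx):
    """'user:role:type:low-high' -> (type, low level, high level)."""
    _user, _role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo       # single-level context: high == low
    return typ, lo, hi


def mls_create_allowed(scontext, tcontext, attrs):
    """The quoted mlsconstrain for 'create'.

    attrs maps a type name to the MLS attributes it carries, e.g.
    {'oddjob_mkhomedir_t': {'mlsfileupgrade'}} (constructed input).
    l1 is the subject's low level; l2 and h2 are the target's low and high.
    """
    t1, l1, _h1 = parse_context(scontext)
    _t2, l2, h2 = parse_context(tcontext)
    upgrade = "mlsfileupgrade" in attrs.get(t1, set())
    downgrade = "mlsfiledowngrade" in attrs.get(t1, set())

    def block(lvl):
        # one of the two and-ed blocks, evaluated against l2 and then h2
        return (l1.eq(lvl)
                or (upgrade and l1.domby(lvl))
                or (downgrade and l1.dom(lvl))
                or (downgrade and l1.incomp(lvl)))

    return block(l2) and block(h2)


def clause_results(scontext, tcontext):
    """The three comparisons that decide the AVC in this bug, for inspection."""
    _t1, l1, _ = parse_context(scontext)
    _t2, l2, h2 = parse_context(tcontext)
    return {"l1 eq l2": l1.eq(l2), "l1 eq h2": l1.eq(h2), "l1 domby h2": l1.domby(h2)}


# Copied from the denied AVC in the thread.
SRC = "system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023"
TGT = "user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
# Constructed variant: object created at the subject's low level only (SystemLow).
TGT_SYSTEMLOW = "user_u:object_r:user_home_dir_t:s0"


def case_denied():
    """As reported: no MLS attribute on oddjob_mkhomedir_t, second block fails."""
    return mls_create_allowed(SRC, TGT, {})


def case_with_upgrade():
    """With mls_file_upgrade(oddjob_mkhomedir_t): 'l1 domby h2' satisfies block 2."""
    return mls_create_allowed(SRC, TGT, {"oddjob_mkhomedir_t": {"mlsfileupgrade"}})


def case_systemlow_target():
    """Object at the subject's low level: l1 eq l2 and l1 eq h2, no attribute needed."""
    return mls_create_allowed(SRC, TGT_SYSTEMLOW, {})


if __name__ == "__main__":
    print("clauses:", clause_results(SRC, TGT))
    print("denied as reported:", not case_denied())
    print("allowed with mlsfileupgrade:", case_with_upgrade())
    print("allowed when target is SystemLow:", case_systemlow_target())
```

Running it reproduces Phil's finding: the first block passes on `l1 eq l2`, the second fails because `l1 eq h2` is false while `l1 domby h2` is true, so the only clause that can rescue it is the `mlsfileupgrade` one. That is why `mls_file_upgrade(oddjob_mkhomedir_t)` flips the decision, and the SystemLow variant shows Miroslav's point: an object created at the subject's low level needs no such attribute at all. When reviewing a similar change, feeding the real scontext/tcontext pair from the AVC into a check like this makes it explicit which clause the new attribute relaxes.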