| Summary: | Confined users cannot run oddjob mkhomedirfor script | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dustin C. Hatch <rhbz> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.2 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-81.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:40:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Thank you for testing.

```
# rpm -qa selinux\*
selinux-policy-mls-3.13.1-102.el7.noarch
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
# sesearch -s sysadm_t -t oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30
Found 1 semantic av rules:
   allow sysadm_t oddjob_t : dbus send_msg ;
# sesearch -t sysadm_t -s oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30
Found 1 semantic av rules:
   allow oddjob_t sysadm_t : dbus send_msg ;
# id -Z
root:sysadm_r:sysadm_t:s0
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      28
# ls -l /home
total 0
# sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.33 -> dest=:1.35 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""
# ls -l /home
total 0
drwx------. 2 jenkins jenkins 62 Oct 26 13:05 jenkins
#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
Description of problem:

The `mkhomedirfor` script shipped with oddjob-mkhomedir, used for manually creating a home directory via oddjob-mkhomedir, cannot be run by confined users (e.g. when the *mls* policy is in use).

Version-Release number of selected component (if applicable):

selinux-policy-mls-3.13.1-60.el7.noarch

Steps to Reproduce:

1. Enable mls SELinux policy
2. Add a user without creating a home directory (or use e.g. LDAP)
3. Run mkhomedirfor <username>

Actual results:

```
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
Error org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.374" (uid=0 pid=14464 comm="dbus-send --system --dest=com.redhat.oddjob_mkhome") interface="com.redhat.oddjob_mkhomedir" member="mkhomedirfor" error name="(unset)" requested_reply="0" destination="com.redhat.oddjob_mkhomedir" (uid=0 pid=1254 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")
```

Expected results:

```
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.6 -> dest=:1.369 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""
```

Additional info:

Here is the relevant AVC denial:

```
type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

Adding these two rules resolves the issue:

```
allow userdomain oddjob_t:dbus send_msg;
allow oddjob_t userdomain:dbus send_msg;
```
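As an added illustration of how a D-Bus `USER_AVC` record like the one above maps onto the pair of `dbus send_msg` rules (not code from the bug report or from the selinux-policy project): a small parser that pulls the source and target types out of the `scontext`/`tcontext` fields and emits the concrete-type rules that `sesearch` later confirmed. The shipped fix used the `userdomain` attribute instead of the single type `sysadm_t`; the sample line is the denial quoted in the report, re-wrapped only for width.

```python
import re

# Constructed sample: the USER_AVC record quoted in this bug report.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc: denied "
    "{ send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir "
    "member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 "
    "scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)


def parse_user_avc(line):
    """Return the fields relevant to a D-Bus denial from a USER_AVC record.

    USER_AVC records (emitted by dbus-daemon as a userspace object manager) carry
    the real AVC inside the quoted msg='...' field, so that part is parsed separately.
    Returns None for anything that is not a 'denied' USER_AVC with the needed fields.
    """
    if not line.startswith("type=USER_AVC"):
        return None
    inner = re.search(r"msg='(avc: .*)'", line)
    if not inner:
        return None
    body = inner.group(1)
    perms = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", body)
    if not perms:
        return None
    fields = dict(re.findall(r"(\w+)=([^\s']+)", body))
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    type_of = lambda ctx: ctx.split(":")[2]  # user:role:type[:range] -> type
    return {
        "perms": perms.group(1).split(),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "msgtype": fields.get("msgtype"),
        "member": fields.get("member"),
    }


def suggest_rules(denial):
    """Allow rules that clear the denial; for a dbus method_call the reply flows the
    other way, so the reverse send_msg rule is emitted too (as this report needed)."""
    src, tgt, cls = denial["source_type"], denial["target_type"], denial["tclass"]
    perms = " ".join(denial["perms"])
    rules = [f"allow {src} {tgt}:{cls} {perms};"]
    if cls == "dbus" and denial["msgtype"] == "method_call" and "send_msg" in denial["perms"]:
        rules.append(f"allow {tgt} {src}:{cls} {perms};")
    return rules
```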