Bug 1378204

Summary: seusers contains a login for a user named "system_u"
Product: [Fedora] Fedora Reporter: Gary Tierney <gary.tierney>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: dominick.grift, dwalsh, kparal, lvrabec, mgrepl, michal.jnn, orion, plautrba, randy
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-191.20.fc24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-10 03:30:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Gary Tierney 2016-09-21 20:05:04 UTC 
Description of problem:

In current policy there is a login named system_u mapped to the system_u SELinux user.  This seems to be have used in the past to allow daemons like cronie to get a default context for a "system" user: https://github.com/henrysher/cronie/commit/e5280235809844f54d5956ec281472b63dcfc3f4

With a recent patch submitted to genhomedircon which removes the hardcoded user identifier (and a conditional which skips homedir context generation for that login) we now see a warning:

libsemanage.add_user: user system_u not in password file

Version-Release number of selected component (if applicable):

3.13.1-191.14.fc24

How reproducible:
Steps to Reproduce:

Run genhomedircon with new patch

See http://marc.info/?t=147317021100002&r=1&w=2

Actual results:

A warning that no login exists for a user named "system_u"

Expected results:

No warnings

Additional info:
Comment 1 Fedora Admin XMLRPC Client 2016-09-27 15:09:30 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Orion Poplawski 2016-10-05 21:29:35 UTC 
Still present with selinux-policy-3.13.1-218.fc26.noarch
Comment 3 Petr Lautrbach 2016-10-10 10:21:17 UTC 
*** Bug 1382880 has been marked as a duplicate of this bug. ***
Comment 4 Petr Lautrbach 2016-10-10 11:41:52 UTC 
A temporary Rawhide scratch build with remove system_u can be found here - 
http://koji.fedoraproject.org/koji/taskinfo?taskID=16027663
Comment 5 Petr Lautrbach 2016-10-10 11:56:42 UTC 
To fix it in dist-git, extract config.tgz, use the following patch and recreate the archive config.tgz.

diff -r -u config/appconfig-mcs/seusers config.fixed/appconfig-mcs/seusers
--- config/appconfig-mcs/seusers        2009-08-28 21:06:34.000000000 +0200
+++ config.fixed/appconfig-mcs/seusers  2016-10-10 13:52:22.706584896 +0200
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mcs_systemhigh
 root:unconfined_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0-mcs_systemhigh
diff -r -u config/appconfig-mls/seusers config.fixed/appconfig-mls/seusers
--- config/appconfig-mls/seusers        2009-08-28 20:59:08.000000000 +0200
+++ config.fixed/appconfig-mls/seusers  2016-10-10 13:52:22.812584921 +0200
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mls_systemhigh
 root:root:s0-mls_systemhigh
 __default__:user_u:s0
diff -r -u config/appconfig-standard/seusers config.fixed/appconfig-standard/seusers
--- config/appconfig-standard/seusers   2009-08-28 20:59:08.000000000 +0200
+++ config.fixed/appconfig-standard/seusers     2016-10-10 13:52:22.742584905 +0200
@@ -1,3 +1,2 @@
-system_u:system_u
 root:root
 __default__:user_u
Comment 6 Petr Lautrbach 2016-10-10 13:06:29 UTC 
http://koji.fedoraproject.org/koji/taskinfo?taskID=16028136  fc25 scratch build
Comment 7 Lukas Vrabec 2016-10-10 14:43:08 UTC 
Thank you Petr for builds.
Comment 8 Petr Lautrbach 2016-10-14 08:41:16 UTC 
*** Bug 1384809 has been marked as a duplicate of this bug. ***
Comment 9 Petr Lautrbach 2016-10-16 16:29:29 UTC 
*** Bug 1385379 has been marked as a duplicate of this bug. ***
Comment 10 Fedora Update System 2016-11-04 12:12:13 UTC 
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
Comment 11 Fedora Update System 2016-11-05 03:36:41 UTC 
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
Comment 12 Fedora Update System 2016-11-10 03:30:11 UTC 
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.