Bug 1492892

Summary: rpc.yppasswdd not able to update password when selinux is disabled, not using /etc/ and MERGE_PASSWD is set to true
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Keck <ekeck>
Component: ypserv
Assignee: Petr Kubat <pkubat>
Status: CLOSED ERRATA
QA Contact: Vaclav Danek <vdanek>
Severity: high
Docs Contact: Jaroslav Klech <jklech>
Priority: high
Version: 7.3
CC: aish.pushpangadan, asakure, bill, hhorak, holger.berger, jklech, joey, kray, mmuzila, msugaya, ovasik, pkubat, sanner, trzyna, vdanek
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ypserv-2.31-11.el7
Doc Type: Bug Fix
Doc Text:
`rpc.yppasswdd` now updates passwords also with *SELinux* disabled

Previously, when the *SELinux* security module was disabled on the system, the `rpc.yppasswdd` update function failed to perform the update action. As a consequence, `rpc.yppasswdd` was unable to update the user password. With this update, `rpc.yppasswdd` checks whether *SELinux* is enabled on the system before detecting the *SELinux* context type for the `passwd` files. As a result, `rpc.yppasswdd` now correctly updates passwords in the described scenario.
Last Closed: 2018-10-30 07:56:35 UTC
Type: Bug
Bug Blocks: 1549615    
Attachments: proposed patch (flags: none)

Description Eugene Keck 2017-09-18 22:05:04 UTC
Description of problem:
rpc.yppasswdd was not able to update the user password when selinux is disabled and passwd and shadow moved to a directory other than /etc/ and merged.

Version-Release number of selected component (if applicable):
ypserv-2.31-10.el7

How reproducible:
Always

Steps to Reproduce:
1. Disable SELinux 
2. Change the maps from /etc/ to /var/yp/files/
3. Set MERGE_PASSWD=true

Actual results:
update local (uid=1000) from host 10.12.213.190 failed
Can't get selinux context /var/yp/files/passwd: No data available
Error while changing the NIS password.

Expected results:
update local (uid=1000) from host 10.12.213.190 successful.

Additional info:
If I use the default location of /etc/ or do not merge passwd and shadow, I was not able to reproduce this selinux check. It was only when I moved them out of /etc/ and set MERGE_PASSWD to true that this was triggered. This also works if I set selinux to permissive.

Comment 3 Joe Pruett 2017-09-25 16:27:03 UTC
Seems to be broken with MERGE_PASSWD=false as well.

Comment 4 holger.berger 2017-10-02 14:05:10 UTC
There is an #ifdef check with the latest patch for SELINUX, which is always true in a normal build. I think like that you compile code that relies on enabled SELinux, calling stuff not working when SELinux is disabled at runtime.

Comment 5 Wayne Trzyna 2017-10-06 16:47:36 UTC
Note:  This bug was introduced in ypserv-2.31-10.el7.
A workaround is to replace rpc.yppasswdd with the previous
version from ypserv-2.31-9.el7_3.

Comment 8 Petr Kubat 2018-01-09 08:07:30 UTC
Created attachment 1378915
proposed patch

Comment 9 Petr Kubat 2018-01-09 08:08:13 UTC
yppasswdd was checking the selinux context of passwd and shadow files even when selinux was disabled and failed because of it.

I have added a check for enabled selinux into the original patch introduced in ypserv-2.31-10 so that this failure will no longer happen.

Matej, can you take a quick look at the attached patch?
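
The guard described in Comment 9 and in the Doc Text, as an added C example; it is not ypserv source and not the attached patch. It reads the `security.selinux` extended attribute directly instead of linking libselinux, and `selinux_active()`, `label_unguarded()` and `label_guarded()` are hypothetical names chosen for illustration.

```c
/* Added illustration; not ypserv source and not the attached patch. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

enum ctx_result { CTX_ERROR = -1, CTX_SKIPPED = 0, CTX_COPIED = 1 };

/* Assumed stand-in for libselinux is_selinux_enabled(): selinuxfs mounted. */
static int selinux_active(void)
{
    return access("/sys/fs/selinux/enforce", F_OK) == 0;
}

/* Read the security.selinux xattr. On an unlabeled file this fails with
 * ENODATA, which strerror() renders as "No data available". */
static int read_label(const char *path, char *label, size_t len)
{
    ssize_t n = len ? lgetxattr(path, "security.selinux", label, len - 1) : -1;
    if (n >= 0)
        label[n] = '\0';
    return n < 0 ? -1 : 0;
}

/* Behaviour reported for ypserv-2.31-10: the label lookup always runs. */
enum ctx_result label_unguarded(const char *path, char *label, size_t len)
{
    return read_label(path, label, len) == 0 ? CTX_COPIED : CTX_ERROR;
}

/* Behaviour described for the fix: skip the lookup when SELinux is off. */
enum ctx_result label_guarded(int enabled, const char *path, char *label, size_t len)
{
    if (!enabled)
        return CTX_SKIPPED;
    return label_unguarded(path, label, len);
}

int main(int argc, char **argv)
{
    char label[256] = "";
    const char *path = argc > 1 ? argv[1] : "/var/yp/files/passwd";
    enum ctx_result r = label_guarded(selinux_active(), path, label, sizeof label);
    if (r == CTX_ERROR)
        fprintf(stderr, "Can't get selinux context %s: %s\n", path, strerror(errno));
    else
        printf("%s: %s\n", path, r == CTX_SKIPPED ? "label check skipped" : label);
    return r == CTX_ERROR;
}
```

Run against a passwd file with no label on a host where SELinux is disabled, the guarded path reports that the check was skipped, while the unguarded path returns the error seen in the report.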

Comment 10 Matej Mužila 2018-01-23 11:18:39 UTC
Hi, I'll look at it.

Comment 12 Bill Kanawyer 2018-02-22 18:35:56 UTC
This is still a problem as of 2018-02-22 on RHEL 7.4 and I've just had to downgrade from ypserv 2.31-10.el7.

Getting this patch corrected is mission critical for us as we depend on NIS functionality for several hundred users.

Comment 13 Aish Pushpangadan 2018-02-27 21:25:18 UTC
Please let us know on the status change on this bug as we have this same issue.

Comment 19 Matej Mužila 2018-05-09 09:38:13 UTC
Hi Petr,

I'm going to add it to Fedora 28, where the new (with ipv6 support) NIS is present.

Comment 20 Jaroslav Klech 2018-05-24 09:52:25 UTC
Hello Petr,

could you, please, check the doc_text and tell me whether it is still correct content-wise?

thank you

Jaroslav

Comment 21 Petr Kubat 2018-05-24 10:09:12 UTC
Looks good to me

Comment 22 David Sanner 2018-06-20 18:57:23 UTC
I was able to find a workaround by setting the selinux context of yp's passwd and shadow files.

chcon -h system_u:object_r:bin_t:s0  /etc/yp/{shadow,passwd}

Note the location of my NIS files under /etc/yp, your location may vary.

This works with: MERGE_PASSWD=true, RHEL 7.5 and ypserv-2.31-10.el7.x86_64

Workaround only, bug still outstanding for ypserv-2.31-10.el7.x86_64.

Comment 26 errata-xmlrpc 2018-10-30 07:56:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3047