Bug 1492892
| Field | Value |
|---|---|
| Summary | rpc.yppasswdd not able to update password when selinux is disabled, not using /etc/ and MERGE_PASSWD is set to true |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Eugene Keck <ekeck> |
| Component | ypserv |
| Assignee | Petr Kubat <pkubat> |
| Status | CLOSED ERRATA |
| QA Contact | Vaclav Danek <vdanek> |
| Severity | high |
| Docs Contact | Jaroslav Klech <jklech> |
| Priority | high |
| Version | 7.3 |
| CC | aish.pushpangadan, asakure, bill, hhorak, holger.berger, jklech, joey, kray, mmuzila, msugaya, ovasik, pkubat, sanner, trzyna, vdanek |
| Target Milestone | rc |
| Keywords | Patch |
| Hardware | All |
| OS | Linux |
| Fixed In Version | ypserv-2.31-11.el7 |
| Doc Type | Bug Fix |
| Doc Text | `rpc.yppasswdd` now updates passwords also with *SELinux* disabled. Previously, when the *SELinux* security module was disabled on the system, the `rpc.yppasswdd` update function failed to perform the update action. As a consequence, `rpc.yppasswdd` was unable to update the user password. With this update, `rpc.yppasswdd` checks whether *SELinux* is enabled on the system before detecting the *SELinux* context type for the `passwd` files. As a result, `rpc.yppasswdd` now correctly updates passwords in the described scenario. |
| Last Closed | 2018-10-30 07:56:35 UTC |
| Type | Bug |
| Bug Blocks | 1549615 |
Description
Eugene Keck
2017-09-18 22:05:04 UTC
Seems to be broken with MERGE_PASSWD=false as well. There is a #ifdef check with the latest patch for SELINUX, which is always true in a normal build. I think like that you compile code that relies on enabled SELinux, calling stuff not working when SELinux is disabled at runtime.

Note: This bug was introduced in ypserv-2.31-10.el7. A workaround is to replace rpc.yppasswdd with the previous version from ypserv-2.31-9.el7_3.

Created attachment 1378915: proposed patch

yppasswdd was checking the selinux context of passwd and shadow files even when selinux was disabled and failed because of it. I have added a check for enabled selinux into the original patch introduced in ypserv-2.31-10 so that this failure will no longer happen.

Matej, can you take a quick look at the attached patch?

Hi, I'll look at it.

This is still a problem as of 2018-02-22 on RHEL 7.4 and I've just had to downgrade from ypserv 2.31-10.el7. Getting this patch corrected is mission critical for us as we depend on NIS functionality for several hundred users.

Please let us know on the status change on this bug as we have this same issue.

Hi Petr, I'm going to add it to Fedora 28, where the new (with ipv6 support) NIS is present.

Hello Petr, could you, please, check the doc_text and tell me whether it is still correct content-wise? Thank you
Jaroslav

Looks good to me

I was able to find a workaround by setting the selinux context of yp's passwd and shadow files.

`chcon -h system_u:object_r:bin_t:s0 /etc/yp/{shadow,passwd}`

Note the location of my NIS files under /etc/yp, your location may vary. This works with: MERGE_PASSWD=true, RHEL 7.5 and ypserv-2.31-10.el7.x86_64. Workaround only, bug still outstanding for ypserv-2.31-10.el7.x86_64.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3047
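
The difference between the compile-time `#ifdef` guard discussed in this thread and the run-time check named in the Doc Text, as an added model that is not ypserv's code or the attached patch. The `selinux_ops` struct, the function names, the two environments and the context label are assumptions made for illustration; in a real build the two pointers would be libselinux's `is_selinux_enabled()` and `getfilecon()`.

```c
#include <stdio.h>

/* Stand-ins for libselinux's is_selinux_enabled() and getfilecon(), injected
 * as pointers so this model builds without libselinux (assumption). */
struct selinux_ops {
    int (*is_enabled)(void);                               /* 1 enabled, 0 disabled */
    int (*getfilecon)(const char *path, const char **con); /* <0 on failure */
};

/* Constructed environments: SELinux off (lookups fail) and on (label found). */
static int off_enabled(void) { return 0; }
static int off_getfilecon(const char *p, const char **c) { (void)p; *c = NULL; return -1; }
static int on_enabled(void) { return 1; }
static int on_getfilecon(const char *p, const char **c) {
    (void)p; *c = "system_u:object_r:example_t:s0"; return 0; /* constructed label */
}
const struct selinux_ops SELINUX_OFF = { off_enabled, off_getfilecon };
const struct selinux_ops SELINUX_ON  = { on_enabled,  on_getfilecon  };

/* "Before": the only guard is at compile time, so the lookup always runs
 * and a failed lookup aborts the update. Returns 0 to proceed, -1 to abort. */
int prepare_update_compile_time_guard(const struct selinux_ops *se,
                                      const char *path, const char **con) {
    *con = NULL;
    return se->getfilecon(path, con) < 0 ? -1 : 0;
}

/* "After": ask at run time first. With SELinux off (or its state unknown)
 * there is no context to detect, so the update proceeds and *con stays NULL. */
int prepare_update_runtime_guard(const struct selinux_ops *se,
                                 const char *path, const char **con) {
    *con = NULL;
    if (se->is_enabled() <= 0)
        return 0;
    return se->getfilecon(path, con) < 0 ? -1 : 0;
}

int main(void) {
    const char *path = "/etc/yp/passwd"; /* path from the thread's workaround */
    const char *con;
    printf("off, compile-time guard: %d\n", prepare_update_compile_time_guard(&SELINUX_OFF, path, &con));
    printf("off, run-time guard:     %d\n", prepare_update_runtime_guard(&SELINUX_OFF, path, &con));
    printf("on,  run-time guard:     %d\n", prepare_update_runtime_guard(&SELINUX_ON, path, &con));
    return 0;
}
```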