Bug 1494108

Summary: On KDE, selinux prevents log in with newly created user
Product: [Fedora] Fedora
Reporter: Lukas Brabec <lbrabec>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: dwalsh, kparal, lbrabec, lsm5, lvrabec, mgrepl, plautrba, pmoore, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-283.4.fc27
Doc Type: If docs needed, set a value
Last Closed: 2017-09-30 06:50:32 UTC
Type: Bug
Bug Blocks: 1396704    
Attachments:
Description | Flags
journalctl -b | none
ausearch -m AVC -ts today | none
audit.log | none
ausearch -m AVC -ts today (with chcon -t useradd_exec_t /usr/sbin/kuser) | none
audit.log (with chcon -t useradd_exec_t /usr/sbin/kuser) | none
ausearch -m AVC -ts today (with chcon, restorecon before creation of test3) | none

Description Lukas Brabec 2017-09-21 13:18:43 UTC
Description of problem:

This happened when I was going through "QA:Testcase_desktop_login" on Fedora 27 with KDE.

I created a new user with the kuser application, then I logged out and tried to log in as the newly created user. The screen blinked and returned me to the login screen. Checking the journal, it seems that SELinux is preventing the creation of some dot-files in ~/ of the new user (see attached logs).

With setenforce 0, login works as expected.



Version-Release number of selected component (if applicable):

libselinux-utils-2.7-2.fc27.x86_64
selinux-policy-3.13.1-283.3.fc27.noarch
selinux-policy-targeted-3.13.1-283.3.fc27.noarch
pam-kwallet-5.10.5-1.fc27.x86_64
sddm-0.15.0-1.fc27.x86_64


Steps to Reproduce:
1. on Fedora 27 KDE, create another user with kuser
2. log out
3. try to login with the other user

Comment 1 Lukas Brabec 2017-09-21 13:19:38 UTC
Created attachment 1329000 [details]
journalctl -b

Comment 2 Lukas Brabec 2017-09-21 13:20:15 UTC
Created attachment 1329002 [details]
ausearch -m AVC -ts today

Comment 3 Lukas Brabec 2017-09-21 13:20:42 UTC
Created attachment 1329003 [details]
audit.log

Comment 4 Fedora Blocker Bugs Application 2017-09-21 13:35:38 UTC
Proposed as a Blocker for 27-beta by Fedora user lbrabec using the blocker tracking app because:

 Unable to complete step 5 of "QA:Testcase desktop login", which violates associated beta release criterion Post-install requirements - Shutdown, reboot, logout

Comment 5 Lukas Vrabec 2017-09-21 16:24:43 UTC
Lukas, 

Could you please try the following scenario:
1. chcon -t useradd_exec_t /usr/sbin/kuser 
2. add new user like in bug description 
3. check AVCs 

Thanks,
Lukas.

Comment 6 Lukas Brabec 2017-09-21 17:08:41 UTC
Created attachment 1329086 [details]
ausearch -m AVC -ts today (with chcon -t useradd_exec_t /usr/sbin/kuser)

Comment 7 Lukas Brabec 2017-09-21 17:09:49 UTC
Created attachment 1329087 [details]
audit.log (with chcon -t useradd_exec_t /usr/sbin/kuser)

Comment 8 Kamil Páral 2017-09-21 18:26:14 UTC
Discussed during blocker review [1]:

RejectedBlocker (beta) AcceptedBlocker (final) - This bug violates the final criterion: "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test."

[1] https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2017-09-21/

Comment 9 Lukas Vrabec 2017-09-21 21:29:07 UTC
Lukas, 

What is the output of:

# ls -Z /home/

If you run:

# restorecon -Rv /home/

and then try to create a new user with kuser (with chcon -t useradd_exec_t /usr/sbin/kuser), are you still able to catch any AVC?

Thanks,
Lukas.

Comment 10 Lukas Brabec 2017-09-21 21:45:34 UTC
# ls -Z /home/
unconfined_u:object_r:user_home_dir_t:s0 ejohn
unconfined_u:object_r:home_root_t:s0 test2
unconfined_u:object_r:home_root_t:s0 test1

after:
# restorecon -Rv /home/
I'm able to log in with previously created users, but with other new users I encounter the same problem.

Comment 11 Lukas Brabec 2017-09-21 21:49:17 UTC
Created attachment 1329218 [details]
ausearch -m AVC -ts today (with chcon, restorecon before creation of test3)

Comment 12 Fedora Update System 2017-09-22 09:51:20 UTC
selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Comment 13 Lukas Brabec 2017-09-22 10:24:59 UTC
(In reply to Fedora Update System from comment #12)
> selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora
> 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

this fixes the bug

Comment 14 Lukas Vrabec 2017-09-22 10:26:23 UTC
Lukas,

Thanks for testing. :)

Comment 15 Fedora Update System 2017-09-22 17:54:49 UTC
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Comment 16 Fedora Update System 2017-09-30 06:50:32 UTC
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.