Bug 1811310
| Summary: | SE policies fail oddjob-mkhomedir when /home via autofs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | lejeczek <peljasz> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-09-07 07:27:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Thank you for reporting the issue. The AVC denials reported are usually dontaudited, supposedly you rebuilt selinux-policy on the system with dontaudit rules disabled. Does the same issue appear when selinux is in permissive mode? Are there any AVC denials reported different to the ones mentioned above? Yes, with -DB.
It does, actually it's weird in my opinion.
I have this:
- in /etc/auto.master.d/off-LOCALHOST.autofs
/home.foreign /etc/auto.master.d/foreign.users.home.off-LOCALHOST
I copied fcontext from /home to /home.foreign:
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 May 11 2019 /home
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 Mar 7 12:08 /home.foreign
- in /etc/auto.master.d/foreign.users.home.off-LOCALHOST
* -fstype=glusterfs,rw,acl 10.5.8.97,10.5.8.65,10.5.8.49:/FOREING-USER-HOME/&
And with permissive=1 & autofs mounted I cannot even mkdir in /home.foreign (so it's not just oddjob)
$ mount
10.5.8.97:FOREING-USER-HOME/eo2 on /home.foreign/eo2 type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)
And weir part is - when I mount it under.. lets say /0-DATA/FOREIGN then the problem does not occur.
And even with -DB not much gets reported.
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t self:capability net_admin
After having the following module in the policy already.
module oddjob-autofs 1.0;
require {
type sssd_selinux_manager_t;
type oddjob_mkhomedir_t;
type sssd_t;
type oddjob_t;
type mount_t;
type automount_t;
class process { noatsecure rlimitinh siginh };
class capability net_admin;
}
#============= automount_t ==============
#!!!! This avc is allowed in the current policy
allow automount_t mount_t:process { noatsecure rlimitinh siginh };
#!!!! This avc is allowed in the current policy
allow automount_t self:capability net_admin;
#============= oddjob_t ==============
#!!!! This avc is allowed in the current policy
allow oddjob_t oddjob_mkhomedir_t:process { noatsecure rlimitinh siginh };
#============= sssd_t ==============
#!!!! This avc is allowed in the current policy
allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };
Centos 7.6 with selinux-policy-3.13.1-252.el7_7.6.noarch is free from this problem. ok After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. |
Description of problem: ... oddjob-mkhomedir[2215]: error creating /home/aeo2: Permission denied ... Above occurs when autofs mounts a gluster vol under /home $ ausearch -ts 12:10 | audit2allow #============= automount_t ============== allow automount_t mount_t:process { noatsecure rlimitinh siginh }; #============= oddjob_t ============== allow oddjob_t oddjob_mkhomedir_t:process { noatsecure rlimitinh siginh }; #============= sssd_t ============== allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh }; And probably more. Easy to reproduce. Would be fantastic to have booleans for these! many thanks, L Version-Release number of selected component (if applicable): selinux-policy-3.14.3-20.el8.noarch How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: