Bug 2022658

Summary: shadow-utils-4.9-5.fc35 broke copying files from /etc/skel using gnome-control-center
Product: [Fedora] Fedora
Reporter: Kamil Páral <kparal>
Component: shadow-utils
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 35
CC: bojan, dwalsh, grepl.miroslav, ipedrosa, lvrabec, mmalik, omosnace, pkoncity, pvrabec, tm, vmojzis, zpytela
Fixed In Version: shadow-utils-4.9-7.fc35
Last Closed: 2021-11-15 05:47:28 UTC
Type: Bug
Attachments: journal (flags: none)

Description Kamil Páral 2021-11-12 10:14:15 UTC
Description of problem:
Since shadow-utils-4.9-5.fc35, new users created through gnome-control-center are missing files that should've been copied from /etc/skel. That means they don't have .bashrc and similar, i.e. no PS1 variable etc. Users created through adduser are fine. shadow-utils-4.9-4.fc35 worked OK even with gnome-control-center, it's -5 that broke it.

With shadow-utils-4.9-4.fc35, a newly created user through gnome-control-center contains:

# tree -a /home/tester
/home/tester
├── .bash_logout
├── .bash_profile
├── .bashrc
└── .mozilla
    ├── extensions
    └── plugins

With shadow-utils-4.9-5.fc35 (or -6), a newly created user through gnome-control-center contains:

# tree -a /home/tester
/home/tester
└── .mozilla

Current contents of /etc/skel:

# tree -a /etc/skel
/etc/skel
├── .bash_logout
├── .bash_profile
├── .bashrc
└── .mozilla
    ├── extensions
    └── plugins


Can you please consider this as a bug with the utmost priority? Currently this is broken for all Fedora users, because shadow-utils-4.9-5.fc35 is already in stable updates. That means everyone who creates a new user gets it with a broken (incomplete) profile, and it will not fix itself after this bug is resolved. So we need to push the fix to stable updates ASAP, so that as few users as possible are affected. Thanks!


Version-Release number of selected component (if applicable):
gnome-control-center-41.1-1.fc35.x86_64

working:
shadow-utils-4.9-3.fc35
shadow-utils-4.9-4.fc35

broken:
shadow-utils-4.9-5.fc35
shadow-utils-4.9-6.fc35

How reproducible:
always

Steps to Reproduce:
1. open gnome-control-center -> Users
2. create a new standard user "tester"
3. sudo ls -a /home/tester

Actual results:
most files from /etc/skel are missing

Expected results:
all files from /etc/skel are present

Comment 1 Iker Pedrosa 2021-11-12 10:27:17 UTC
I'm working on it. If you could provide the logs from /var/log/messages and /var/log/secure that would be really helpful.

Comment 2 Kamil Páral 2021-11-12 10:56:45 UTC
Created attachment 1841420
journal

There is no /var/log/{messages,secure}. I'm attaching `journalctl -b` output instead.

Comment 3 Kamil Páral 2021-11-12 10:58:19 UTC
$ grep tester journal.txt 
Nov 12 11:53:20 f35 accounts-daemon[696]: request by system-bus-name::1.145 [gnome-control-center pid:2528 uid:1000]: create user 'tester'
Nov 12 11:53:20 f35 useradd[2637]: new group: name=tester, GID=1001
Nov 12 11:53:20 f35 audit[2637]: ADD_GROUP pid=2637 uid=0 auid=1000 ses=4 subj=system_u:system_r:useradd_t:s0 msg='op=add-group acct="tester" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Nov 12 11:53:20 f35 useradd[2637]: new user: name=tester, UID=1001, GID=1001, home=/home/tester, shell=/bin/bash, from=none
Nov 12 11:53:20 f35 audit[2637]: ADD_USER pid=2637 uid=0 auid=1000 ses=4 subj=system_u:system_r:useradd_t:s0 msg='op=add-user acct="tester" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Nov 12 11:53:20 f35 accounts-daemon[2637]: useradd: setting attribute security.selinux for /home/tester/.mozilla: Permission denied
Nov 12 11:53:20 f35 accounts-daemon[696]: request by system-bus-name::1.145 [gnome-control-center pid:2528 uid:1000]: change password mode of user 'tester' (1001) to 1
Nov 12 11:53:20 f35 accounts-daemon[2652]: Removing password for user tester.
Nov 12 11:53:20 f35 chage[2653]: changed password expiry for tester

Comment 4 Kamil Páral 2021-11-12 11:27:54 UTC
This problem doesn't occur when SELinux is changed to Permissive mode, even with latest shadow-utils. So this seems clearly SELinux-related. From the journal:

$ grep -i avc journal.txt 
Nov 12 11:53:20 f35 audit[2640]: AVC avc:  denied  { setgid } for  pid=2640 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2640]: AVC avc:  denied  { setgid } for  pid=2640 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2643]: AVC avc:  denied  { setgid } for  pid=2643 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2643]: AVC avc:  denied  { setgid } for  pid=2643 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2637]: AVC avc:  denied  { relabelto } for  pid=2637 comm="useradd" name=".mozilla" dev="vda2" ino=986 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
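
Added example (not part of the original bug report and not code from shadow-utils or selinux-policy): a small parser that reduces `grep -i avc` output like the one above to one row per distinct enforced denial and pulls out the denied relabelto attempts. The function names are hypothetical; the sample lines are copied from the journal excerpts in Comments 3 and 4.

```python
import re
from collections import Counter

# Lines copied from the journal excerpts in Comments 3 and 4 (the last one is not an AVC record).
SAMPLE = """\
Nov 12 11:53:20 f35 audit[2640]: AVC avc:  denied  { setgid } for  pid=2640 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2640]: AVC avc:  denied  { setgid } for  pid=2640 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2637]: AVC avc:  denied  { relabelto } for  pid=2637 comm="useradd" name=".mozilla" dev="vda2" ino=986 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Nov 12 11:53:20 f35 accounts-daemon[2637]: useradd: setting attribute security.selinux for /home/tester/.mozilla: Permission denied
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(context):
    # An SELinux context is user:role:type:level; return the type field.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    return rec

def denied_records(text):
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r and r["result"] == "denied"]

def summarize(text):
    """Count enforced denials per (comm, permission, source type, target type, class)."""
    counts = Counter()
    for r in denied_records(text):
        if r.get("permissive") == "0":  # permissive=1 is logged but not blocked
            for perm in r["perms"]:
                counts[(r.get("comm"), perm, r["stype"], r["ttype"], r.get("tclass"))] += 1
    return counts

def relabel_denials(text):
    """For relabelto, tcontext is the label the process tried to apply to the object."""
    return [(r.get("comm"), r.get("name"), r["ttype"])
            for r in denied_records(text) if "relabelto" in r["perms"]]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

On the sample, the relabelto row shows useradd being denied when applying the etc_t type to .mozilla, which lines up with the "setting attribute security.selinux ... Permission denied" message from accounts-daemon.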

Comment 5 Iker Pedrosa 2021-11-12 11:30:59 UTC
When I try to add the user using gnome the home directory is empty and I get the following error in /var/log/messages:
Nov 12 11:33:17 fedora audit[10205]: AVC avc:  denied  { relabelto } for  pid=10205 comm="useradd" name=".mozilla" dev="sda2" ino=9136 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Nov 12 11:33:17 fedora accounts-daemon[10205]: useradd: setting attribute security.selinux for /home/testuser2/.mozilla: Permission denied

If I do the same with the useradd command the user is created correctly and I don't see an empty home directory.

Changing the component to selinux-policy.

Comment 6 Iker Pedrosa 2021-11-12 12:28:07 UTC
My bad, this definitely belongs to shadow-utils.

Comment 7 Fedora Update System 2021-11-12 16:14:12 UTC
FEDORA-2021-2709419aea has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2709419aea

Comment 8 Fedora Update System 2021-11-14 02:39:56 UTC
FEDORA-2021-2709419aea has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-2709419aea`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-2709419aea

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-11-15 05:47:28 UTC
FEDORA-2021-2709419aea has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Kamil Páral 2021-12-13 13:10:25 UTC
Thanks, I verified that this is fixed now.