Bug 2069305

Summary: restorecon fails to apply to user ssh directory after creating key
Product: Red Hat Enterprise Linux 8 Reporter: Achilleas Koutsou <akoutsou>
Component: anacondaAssignee: Vladimír Slávik <vslavik>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team-automation>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.6CC: akoutsou, jkonecny, jstodola, pzatko, rvykydal, vslavik
Target Milestone: rcKeywords: TestCaseNeeded, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: anaconda-33.16.7.2-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2072426 (view as bug list) Environment:
Last Closed: 2022-11-08 09:17:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Achilleas Koutsou 2022-03-28 16:49:43 UTC 
Description of problem:
When creating a user with a public ssh key through kickstart, the final restorecon call has no effect, possibly because it's run against the mounted sysroot (Current RHEL 8.6 HEAD: https://github.com/rhinstaller/anaconda/blob/858d941ad2d299b4db44ee1ad99e2e2005c690e5/pyanaconda/core/users.py#L528)

This usually has no effect other than a warning in the syslog
> WARNING org.fedoraproject.Anaconda.Modules.Users:INFO:program:Warning no default label for /mnt/sysroot/home/achilleas/.ssh

However, in some cases, if the home or .ssh directory doesn't have the correct label on creation, the lack of a successful restorecon can cause issues.


How reproducible:
Always

Steps to Reproduce:

1. Create a kickstart file with a user configuration and an sshkey:
> user --name admin --password $6$GRmb7S0p8vsYmXzH$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl. --iscrypted --groups wheel --homedir /home/admin/
> sshkey --username admin ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0AMjiKC8UTxZWLhCxtSZLfKPumUVdHUehCsOXiae/P admin@test
2. Serve or embed the kickstart file in the iso
3. Boot the iso and modify the kernel cmdline parameters with 'inst.ks=<kickstart file location>'
4. Start and complete the installation
5. Check the syslog for the warning message

Actual results:
> WARNING org.fedoraproject.Anaconda.Modules.Users:INFO:program:Warning no default label for /mnt/sysroot/home/achilleas/.ssh
appears in the log
If the home directory is not labelled properly on creation, the home and .ssh directories have the following selinux contexts:
> unconfined_u:object_r:default_t:s0

Expected results:
The warning should not appear in the log (the restorecon should be successful).
The home directory and .ssh directories should have the following selinux contexts:
For home directory:
> unconfined_u:object_r:user_home_dir_t:s0
and for .ssh
> system_u:object_r:ssh_home_t:s0


Additional info:

In all my tests I was using installer ISOs built using osbuild/imagebuilder that install using a tarball and include the liveimg directive in the kickstart file.  I don't know if this is relevant, but I didn't include it in the steps above.

In RHEL 8.6, there is a bug in useradd of the shadow-utils package that fails to label the home directory with the proper selinux contexts if the home directory has a trailing slash (as in the example above).
This isn't an Anaconda bug, but it's an example of how the restorecon failure can cause side-effects.  After installation, the system is inaccessible through SSH, because sshd can't read the authorized_keys file for the user with the mislabelled home directory.
Comment 1 Jiri Konecny 2022-03-29 18:39:39 UTC 
We should make sure that we are running restorecon always in the chroot.
Comment 2 Vladimír Slávik 2022-03-30 10:03:24 UTC 
So, this is in set_user_ssh_key() and create_user() on rhel-8, or set_user_ssh_key() and _reown_homedir() on master. We do util.execWithRedirect("restorecon", ["-r", <something>]), which is wrong.

Looks like it was originally added with 911f99f834eb31cc2fbbcb23c2cb40d05a68c610 and the other place with 5e238e89882171e66c43be1bdc16d5a9183f585b in response to bug 1087736. Apparently nobody ever noticed that this does not work, or that it stopped working somewhere along the way. We just refactored it a few times since then...

It looks like these things run when creating users, which is after payload installation, so simply adding the sysroot parameter to the calls should be enough.
Comment 3 Vladimír Slávik 2022-03-30 13:43:08 UTC 
Upstream PR: https://github.com/rhinstaller/anaconda/pull/3993
Comment 4 Achilleas Koutsou 2022-04-04 08:37:29 UTC 
A note about RHEL 9.0:
The bug in Anaconda also exists in RHEL 9.0, the restorecon run uses the full path and not a chroot so the call has no effect.  However, the way it doesn't cause the issue I saw because useradd labels the home directory correctly.
There may be other scenarios where the failure to relabel does cause problems though.
Comment 7 Vladimír Slávik 2022-05-23 13:36:08 UTC 
https://github.com/rhinstaller/anaconda/pull/4129
Comment 12 Jan Stodola 2022-05-27 14:24:25 UTC 
Checked that anaconda-33.16.7.2-1.el8 is in nightly compose RHEL-8.7.0-20220526.1

Moving to VERIFIED
Comment 14 errata-xmlrpc 2022-11-08 09:17:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (anaconda bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7462