Bug 430195

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | mis-labeled /var/lib caused by passwd shell | | |
| Product | [Fedora] Fedora | Reporter | David Highley <david.m.highley> |
| Component | libsemanage | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Ben Levenson <benl> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 8 | Keywords | Reopened |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2008-02-02 16:53:52 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 430192, 430194 | | |
| Attachments | attachment 293039 (audit log file) | | |
Description
David Highley
2008-01-25 04:21:41 UTC
What avc messages are you seeing in /var/log/audit/audit.log?

Created attachment 293039: audit log file

I was not able to figure out what was being blocked related to the Gnome audio control. But in looking through the log it looks like there were other issues; ntpd and hal were also being blocked. Blocking hal may have caused the audio control issue. I can also supply the /var/log/messages file if that will help.

Looks like you have a labeling problem here also. You can relabel this entire machine by executing:

```
touch /.autorelabel; reboot
```

But I did do a touch of /.autorelabel before reboot. Which brings up a point: how does the labeling keep getting screwed up?

I have no idea. Do you have /var/lib as a symbolic link into a /home directory? Or do you have an entry in the passwd file with a homedir in /var/lib?

No, /var/lib is not a symbolic link. Yes, there are the following passwd file entries with /var/lib as their home directory:

```
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
backuppc:x:495:491::/var/lib/BackupPC:/usr/bin/nologin
clamav:x:493:487:Clamav database update user:/var/lib/clamav:/sbin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
```

mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash is causing the problem. Change its shell to /sbin/nologin, then run:

```
# semodule -B
# restorecon -R -v /var/lib
```

This should fix the labeling. semodule is trying to figure out where real home directories are located, and then labeling them correctly. This homedir is causing a problem since it sets the labeling on /var/lib to be a homedir. The tool should have caught this and printed an error. This is a regression and I will look into it. The tools figure out what is a real homedir by looking at the UID < 500 or an invalid login shell.

Dan, I did another touch /.autorelabel and reboot but still get messed-up labels. The issue seems to be tied to the passwd file entries above. As you can see, I did not choose the location for the home directories. Many daemons launched as root now use the passwd file to determine what user to run as. They have a home directory which many never use, which could be /dev/null. Others like mysql and clamav do use their home directories. This gets back to one of the long-standing issues: where are home directories physically located, are they a normal user home directory or a service daemon home directory, and how and what to label. Dan, I will try the other steps tonight of:

```
# semodule -B
# restorecon -R -v /var/lib
```

If you look at bug report 430194 it seems to be the same issue involving setroubleshoot with /var/lib/rpm/Packages.

Yes, any service that uses a homedir but has a UID < 500 will be ignored. The problem is services with UID > 512 and a login shell. So if you change their login shells to /sbin/nologin or /bin/false, SELinux will set up the correct labeling.

Changing the shell and relabeling has fixed most issues. I did do a touch of /.autorelabel as the home directories got mislabeled by doing the above steps. There is another label issue and setroubleshoot does not suggest a fix for it. I created the directories /export/home where the real home directory storage gets mounted at boot time. They are currently labeled default_t which seems to be an issue. What is the fix for this one?

```
# semanage fcontext -a -t home_root_t /export
# restorecon /export
```

Should fix it.

It did fix it. Solving one label/context issue just seems to lead to the next one.
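The thread describes the heuristic libsemanage uses to pick "real" home directories (ignore UID below a threshold or a non-login shell) and shows how one stray entry turns /var/lib into a home root. The following added check, written for this page and not part of the bug report or of libsemanage, applies that heuristic to passwd-format lines and reports which accounts would make a directory outside /home a home-root candidate. The 500 threshold, the nologin shell list, and the sample lines are assumptions taken from the thread, not from the tool's own configuration.

```python
"""Flag passwd entries that the home-directory heuristic in this bug would
treat as real users (UID >= threshold and a login shell) even though their
home lives outside the expected home root, e.g. under /var/lib."""
import os

# Shells the thread names as markers of a non-login (service) account.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                  "/usr/bin/nologin", "/bin/false"}

# Constructed sample, based on entries quoted in the bug plus one normal user.
SAMPLE_PASSWD = """\
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
backuppc:x:495:491::/var/lib/BackupPC:/usr/bin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        name, _, uid, _, _, home, shell = fields
        try:
            yield name, int(uid), home, shell
        except ValueError:
            continue  # non-numeric UID field


def suspicious_home_roots(text, uid_min=500, allowed_roots=("/home",)):
    """Return {parent_dir: [users]} for accounts that pass the heuristic
    (uid >= uid_min and a login shell) but whose home parent is not an
    allowed home root. Those parents are what would get mislabeled."""
    hits = {}
    for name, uid, home, shell in parse_passwd(text):
        if uid < uid_min or shell in NOLOGIN_SHELLS:
            continue  # ignored by the heuristic, cannot affect labeling
        root = os.path.dirname(home.rstrip("/"))
        if root in allowed_roots:
            continue
        hits.setdefault(root, []).append(name)
    return hits


if __name__ == "__main__":
    for root, users in suspicious_home_roots(SAMPLE_PASSWD).items():
        print(f"{root} would become a home root because of: {', '.join(users)}")
```

Run against the real /etc/passwd, the output names the accounts whose shell should be changed to a nologin shell before re-running semodule -B and restorecon.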