Bug 430195

Summary: mis-labeled /var/lib caused by passwd shell
Product: Fedora
Component: libsemanage
Version: 8
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Hardware: All
OS: Linux
Keywords: Reopened
Reporter: David Highley <david.m.highley>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2008-02-02 16:53:52 UTC
Bug Blocks: 430192, 430194
Attachments: audit log file (flags: none)

Description David Highley 2008-01-25 04:21:41 UTC
Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-76.fc8

Steps to Reproduce:
1. Login and audio control is disabled.

Comment 1 Daniel Walsh 2008-01-25 14:50:48 UTC
What avc messages are you seeing in /var/log/audit/audit.log?

Comment 2 David Highley 2008-01-26 04:51:44 UTC
Created attachment 293039: audit log file

I was not able to figure out what was being blocked related to the Gnome audio
control. But in looking through the log it looks like there were other issues;
ntpd and hal were also being blocked. Blocking hal may have caused the audio
control issue. I can also supply the /var/log/messages file if that will help.

Comment 3 Daniel Walsh 2008-01-28 19:57:47 UTC
Looks like you have a labeling problem here also.

You can relabel this entire machine by executing

touch /.autorelabel; reboot



Comment 4 David Highley 2008-01-29 04:17:31 UTC
But I did do a touch of /.autorelabel before reboot. Which brings up a point.
How does the labeling keep getting screwed up?

Comment 5 Daniel Walsh 2008-01-29 14:32:40 UTC
I have no idea.  Do you have /var/lib as a symbolic link into  a /home
directory?  Or do you have an entry in passwd file with a homedir in /var/lib?

Comment 6 David Highley 2008-01-29 14:48:23 UTC
No, /var/lib is not a symbolic link. Yes, there are the following passwd file
entries with /var/lib as their home directory:
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
backuppc:x:495:491::/var/lib/BackupPC:/usr/bin/nologin
clamav:x:493:487:Clamav database update user:/var/lib/clamav:/sbin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin


Comment 7 Daniel Walsh 2008-01-29 14:58:06 UTC
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash

is causing the problem.

Change its shell to /sbin/nologin
Then run

# semodule -B
# restorecon -R -v /var/lib

This should fix the labeling.

semodule is trying to figure out where real home directories are located, and
then labeling them correctly.  This homedir is causing a problem since it sets
the labeling on /var/lib to be a homedir.  The tool should have caught this and
printed an error.  This is a regression and I will look into it.

The tools figure out what is a real homedir by looking for a UID < 500 or an
invalid login shell.


Comment 8 David Highley 2008-01-29 15:14:34 UTC
Dan, I did another touch /.autorelabel and reboot but still get messed up
labels. The issue seems to be tied to the passwd file entries above. As you can
see, I did not choose the location for the home directories. Many daemons launched
as root now use the passwd file to determine what user to run as. They have a
home directory which many never use, which could be /dev/null. Others like mysql
and clamav do use their home directories. This gets back to one of the long
standing issues: where are home directories physically located, are they a normal
user home directory or a service daemon home directory, and how and what to label?

Comment 9 David Highley 2008-01-29 15:18:34 UTC
Dan, I will try the other steps tonight of:
# semodule -B
# restorecon -R -v /var/lib

If you look at bug report 430194 it seems to be the same issue involving
setroubleshoot with /var/lib/rpm/Packages.

Comment 10 Daniel Walsh 2008-01-29 15:44:57 UTC
Yes, any service that uses a homedir but has a UID < 500 will be ignored.  The
problem is services with UID > 512 and a login shell.  So if you change their
login shells to /sbin/nologin or /bin/false, SELinux will set up the correct
labeling.
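
As an added illustration of the heuristic described in comments 7 and 10 (this is example code, not part of the bug report or of libsemanage), the following script applies the same UID/shell rule to passwd entries and reports which accounts would turn a directory such as /var/lib into a home root. The UID_MIN of 500, the set of no-login shells, and the expected home roots (/home plus the /export/home mentioned later in this bug) are assumptions; the sample passwd lines are constructed from the entries quoted in comment 6 plus one ordinary user.

```python
"""Flag passwd accounts that a genhomedircon-style heuristic counts as real users
while their home lies outside the expected home roots: that parent directory would
then be labeled home_root_t, which is how /var/lib got mislabeled in this bug."""

UID_MIN = 500  # "UID < 500 means system account", as quoted in the report
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/nologin"}
EXPECTED_HOME_ROOTS = {"/home", "/export/home"}  # assumed: roots this system intends to have

def parse_passwd(text: str) -> list[tuple[str, int, str, str]]:
    """Parse passwd(5) text into (name, uid, home, shell); each line needs seven fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, _gid, _gecos, home, shell = fields
        entries.append((name, int(uid), home, shell))
    return entries

def is_real_user(uid: int, shell: str) -> bool:
    """System account if UID < UID_MIN or the shell is a no-login shell."""
    return uid >= UID_MIN and shell not in NOLOGIN_SHELLS

def home_root(home: str) -> str:
    """Parent directory that would be labeled home_root_t for this home."""
    return home.rstrip("/").rsplit("/", 1)[0] or "/"

def mislabel_risks(entries: list[tuple[str, int, str, str]]) -> dict[str, list[str]]:
    """Map each unexpected would-be home root to the accounts that cause it."""
    risks: dict[str, list[str]] = {}
    for name, uid, home, shell in entries:
        root = home_root(home)
        if is_real_user(uid, shell) and root not in EXPECTED_HOME_ROOTS:
            risks.setdefault(root, []).append(name)
    return risks

# Constructed sample: entries quoted in comment 6 plus one ordinary user.
SAMPLE_PASSWD = """\
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
backuppc:x:495:491::/var/lib/BackupPC:/usr/bin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
dave:x:1000:1000::/export/home/dave:/bin/bash
"""

if __name__ == "__main__":
    for root, names in mislabel_risks(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{root} would be labeled home_root_t because of: {', '.join(names)}")
```

Only mythtv is reported: mysql also has /bin/bash but its UID 27 keeps it a system account, and dave's home root /export/home is one the system expects.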



Comment 11 David Highley 2008-01-30 15:21:13 UTC
Changing the shell and relabeling has fixed most issues. I did do a touch of
/.autorelabel as the home directories got mislabeled by doing the above steps.
There is another label issue, and setroubleshoot does not suggest a fix for it. I
created the directories /export/home where the real home directory storage gets
mounted at boot time. They are currently labeled default_t which seems to be an
issue. What is the fix for this one?

Comment 12 Daniel Walsh 2008-01-31 16:52:01 UTC
# semanage fcontext -a -t home_root_t /export
# restorecon /export

Should fix it.



Comment 13 David Highley 2008-02-02 16:53:39 UTC
It did fix it. Solving one label/context issue just seems to lead to the next one.