Bug 590677

Summary: Permission denied when setting disable_user_list
Product: Red Hat Enterprise Linux 6
Reporter: Tomas Pelka <tpelka>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 6.0
CC: mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-15.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-02 19:51:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: audit.log (flags: none)

Description Tomas Pelka 2010-05-10 13:17:02 UTC
Description of problem:
When I'm setting gdm's disable_user_list, then always after entering the root password I'll get:

Could not set value. Error was:
Failed: Could not make directory `/home/tpelka/.gconf': Permission denied

ls -l /home/tpelka/.gconf
total 12
drwx------. 30 tpelka tpelka 4096 May  6 09:17 apps
drwx------.  3 tpelka tpelka 4096 Feb  5 08:39 desktop
drwx------.  3 tpelka tpelka 4096 Feb  5 15:47 system

ls -ld /home/tpelka/.gconf
drwx------. 5 tpelka tpelka 4096 May 10 15:02 /home/tpelka/.gconf

ls -lZ /home/tpelka/.gconf
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 apps
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 desktop
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 system

ls -ldZ /home/tpelka/.gconf
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 /home/tpelka/.gconf


This does not seem correct; after entering the right root password, gconf actually runs with root privileges, right?

Version-Release number of selected component (if applicable):
gconf-editor-2.28.0-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run gconf-editor
2. apps -> gdm -> simple-greeter
3. check "disable_user_list"
4. right click on it again and click "Set as Default"
5. enter root password into dialog and press 'Enter'
  
Actual results:
Could not set value. Error was:
Failed: Could not make directory `/home/tpelka/.gconf': Permission denied

Expected results:
No error.

Additional info:

Comment 2 Ray Strode [halfline] 2010-05-10 13:35:45 UTC
1) does booting with enforcing=0 in grub.conf on the kernel command line "fix" this?

2) is /home nfs mounted?

Comment 3 Tomas Pelka 2010-05-10 14:09:49 UTC
(In reply to comment #2)
> 1) does booting with enforcing=0 in grub.conf on the kernel command line "fix"
> this?

Seems yes, no more error.

> 
> 2) is /home nfs mounted?

No it is local.

Comment 4 Ray Strode [halfline] 2010-05-10 14:28:26 UTC
Alright, probably just a hole in the selinux policy since this feature isn't used much.  Reassigning...

Comment 5 RHEL Program Management 2010-05-10 14:32:22 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 6 Daniel Walsh 2010-05-10 14:51:24 UTC
Tomas do you have any AVC messages?

Comment 7 Daniel Walsh 2010-05-10 14:59:54 UTC
Fixed in selinux-policy-3.7.19-15.fc13.noarch

Comment 8 Tomas Pelka 2010-05-11 07:16:11 UTC
(In reply to comment #6)
> Tomas do you have any AVC messages?

If you still need AVC, here it is:

type=USER_AUTH msg=audit(1273562104.807:67): user pid=4317 uid=501 auid=501 ses=1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1273562104.809:68): user pid=4317 uid=501 auid=501 ses=1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1273562104.817:69): avc:  denied  { search } for  pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=user_u:object_r:samba_share_t:s0 tclass=dir
type=SYSCALL msg=audit(1273562104.817:69): arch=c000003e syscall=4 success=no exit=-13 a0=260f700 a1=7fffaa995bf0 a2=7fffaa995bf0 a3=1 items=0 ppid=1 pid=4316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism" subj=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1273562104.817:70): avc:  denied  { search } for  pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=user_u:object_r:samba_share_t:s0 tclass=dir
type=SYSCALL msg=audit(1273562104.817:70): arch=c000003e syscall=83 success=no exit=-13 a0=260f700 a1=1c0 a2=ffffffffffffffa8 a3=7fffaa995950 items=0 ppid=1 pid=4316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism" subj=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 key=(null)

Comment 9 Tomas Pelka 2010-05-11 07:18:57 UTC
Created attachment 413055 [details]
audit.log

Because of the wrong format of the AVC (only cut&paste), attaching an audit log with the message mentioned in c8.

Comment 10 Daniel Walsh 2010-05-11 14:45:40 UTC
Tomas, this looks like you have set the label samba_share_t on your homedir?


If you want to share your homedir via samba you need to turn on the boolean

samba_enable_home_dirs

Not set the context of the home dir to samba_share_t.

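Added example (not part of this bug report, nor code from the selinux-policy or GConf projects): a small Python checker that parses AVC records like the ones quoted in comment 8 and applies the diagnosis from comment 10, flagging denials whose target directory carries samba_share_t and reporting the boolean to enable instead of a relabel. The embedded sample log is constructed from the AVC lines in comment 8 plus one made-up control record with a normal user_home_dir_t label; the MISLABEL_HINTS mapping and all function names are assumptions of this example, not part of any audit tooling.

```python
import re

# Constructed sample: the two AVC records and one USER_AUTH record from comment 8,
# plus one made-up control AVC (serial 71) whose target has a normal home label.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1273562104.807:67): user pid=4317 uid=501 auid=501 ses=1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1273562104.817:69): avc:  denied  { search } for  pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=user_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1273562104.817:70): avc:  denied  { search } for  pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=user_u:object_r:samba_share_t:s0 tclass=dir
type=AVC msg=audit(1273562104.900:71): avc:  denied  { write } for  pid=4400 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

# Assumed mapping (this example's own): a type that shows up on a home directory
# only because someone relabeled it, and the boolean that should be used instead.
MISLABEL_HINTS = {
    "samba_share_t": "samba_enable_home_dirs",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; quoted values (comm="...") keep their spaces, others stop at whitespace
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
    }


def analyze(log_text):
    """Group denied dir accesses whose target type is a known mislabel; one finding per
    (source type, target type, permission set), with the audit serials that hit it."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec["tclass"] != "dir":
            continue
        boolean = MISLABEL_HINTS.get(rec["target_type"])
        if boolean is None:
            continue  # a denial on a normally labelled dir is a different problem
        key = (rec["source_type"], rec["target_type"], tuple(rec["perms"]))
        f = findings.setdefault(key, {
            "source_type": rec["source_type"],
            "target_type": rec["target_type"],
            "perms": rec["perms"],
            "name": rec["name"],
            "boolean": boolean,
            "count": 0,
            "serials": [],
            # Remediation as stated in comments 10 and 11: restore default labels,
            # then enable the boolean rather than relabelling the home directory.
            "remediation": "fixfiles restore on the home directory, then "
                           "setsebool -P %s on" % boolean,
        })
        f["count"] += 1
        f["serials"].append(rec["serial"])
    return list(findings.values())


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print("%s denied %s on dir %r labelled %s (%d AVCs, serials %s)" % (
            f["source_type"], " ".join(f["perms"]), f["name"],
            f["target_type"], f["count"], f["serials"]))
        print("  remediation: " + f["remediation"])
```

Running the block prints one finding for the two comment 8 denials (serials 69 and 70); the constructed user_home_dir_t record is parsed but not reported, because a denial on a correctly labelled directory needs a policy fix, not a relabel.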
Comment 11 Tomas Pelka 2010-05-12 14:59:29 UTC
Confirmed, fixfiles restore / fixes this issue.

Comment 14 releng-rhel@redhat.com 2010-07-02 19:51:32 UTC
Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.