Bug 621365

Summary: oddjob-mkhomedir does not create homedir w/ NIS password
Product: Red Hat Enterprise Linux 6 Reporter: Rik van Riel <riel>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: borgan, dwalsh, mmalik, nalin, syeghiay
Target Milestone: rcKeywords: RHELNAK
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-36.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-10 21:36:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 625455    
Bug Blocks:    

Description Rik van Riel 2010-08-04 20:38:19 UTC
Description of problem:

I selected "create new home directory on login" for a virtual test machine. I use this together with NIS passwords here at home.

On logging in, no home directory gets created, and I find the following oddjob-mkhomedir error message in /var/log/messages:

Aug  4 16:28:29 doriath oddjob-mkhomedir[2062]: could not look up location of home directory for riel

# ypcat passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash

Version-Release number of selected component (if applicable):

oddjob-mkhomedir-0.30-1.el6.x86_64

Steps to Reproduce:
1. install RHEL6
2. select NIS passwords
3. select "create new home directory on login"
4. try to log in
  
Actual results:

No home directory is created.

Expected results:

Home directory is created.

Comment 1 Rik van Riel 2010-08-04 20:39:56 UTC
# ypmatch riel passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash

Comment 3 Nalin Dahyabhai 2010-08-04 20:56:23 UTC
A privileged NIS client is expected to issue requests from a source port below
1024 as a way of letting an NIS server know that it's privileged.  This can be
used for access control at the server.

Dan, based on our out-of-band conversation, I think we need to be letting
confined processes which are allowed to be NIS clients bind to ports in this
range (and connect to them, as that's usually where the servers are).

For reference, the dontaudit denials I get when I turn on logging for them:

type=AVC msg=audit(1280954860.258:50): avc:  denied  { name_connect } for 
pid=7464 comm="mkhomedir" dest=700
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1280954860.255:49): avc:  denied  { name_bind } for 
pid=7464 comm="mkhomedir" src=856
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

Comment 4 Nalin Dahyabhai 2010-08-04 21:05:42 UTC
Just to avoid misunderstandings, NIS can use either UDP or TCP, so I think we need to allow this for both UDP and TCP.

Comment 5 RHEL Program Management 2010-08-04 21:07:36 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 6 Rik van Riel 2010-08-04 21:37:44 UTC
I have confirmed that this is indeed an selinux problem.

Running "setenforce 0" and then logging in causes my home directory to be created.

Comment 7 Daniel Walsh 2010-08-05 19:15:12 UTC
Miroslav grab the `nis_use_ypbind_uncond' from rawhide.

Comment 8 Miroslav Grepl 2010-08-06 13:15:36 UTC
Fixed in selinux-policy-3.7.19-36.el6.noarch.

Comment 12 releng-rhel@redhat.com 2010-11-10 21:36:00 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.