Bug 681663

Summary: /selinux not mounted in %post
Product: [Fedora] Fedora Reporter: Patrick C. F. Ernzer <pcfe>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: anaconda-maint-list, dwalsh, jonathan, mgrepl, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-08 20:06:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 494832    

Description Patrick C. F. Ernzer 2011-03-02 21:12:57 UTC 
Description of problem:
normally, in kickstart, I passwd -d and chage (and also chfn) a user to force new password on first login after installation without the user having to know what password I set in kickstart.

anaconda 15.20.1 and selinux-policy-3.9.14-2.fc15 do not allow me to passwd -d (and chfn) any longer.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.14-2.fc15

How reproducible:
always

Steps to Reproduce:
1. install via kickstart with selinux --enforcing
2. have all the following in the kickstart
[...]
# create a user
user --name=user --password=geheim
[...]
%post
(
#
# set a full name
chfn -f 'test user' user
#
# set empty password
passwd -d user
#
# force password change
chage -d 0 user
# the two steps above of course only make sense if you install in a trusted
network
# and then log in once to set password BEFORE you put the machine in an
untrusted network.
# If you can not do this, set a decent password higher up in this file and
disable the -d step
[...]
) 1>/root/post.out 2>/root/post.err

%end
  
Actual results:
user password neither empty nor full name set.

[root@guest4 ~]# cat post.err 
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
passwd: system_u:system_r:rpm_script_t:s0 is not authorized to change the password of user

Expected results:
presuming this is not intentional, then I would like this to work like it did up to Fedora14 and RHEL6. If chfn and passwd not being allowed in %post is intentional, then please excuse the noise (I have filed RFE Bug 681658 for anaconda to learn to make a user with empty password that is forced to change on first login).

Additional info:
the chfn is only really used when the username is not the generic 'user' used for test installations. That's no more than 5% of my kickstarts, e.g. when installing a Linux laptop for an acquaintance. The other 95% are test installs for engineers, at the customer I'm DEEing for, that quickly need a certain RHEL or Fedora version to test something.
Comment 1 Daniel Walsh 2011-03-03 14:23:54 UTC 
Any chance you got the AVC?  


It looks like F15 policy has

sesearch -A -s rpm_script_t -c passwd -p passwd 
Found 1 semantic av rules:
   allow rpm_script_t rpm_script_t : passwd { passwd chfn chsh rootok crontab } ;
Comment 2 Patrick C. F. Ernzer 2011-03-05 09:18:13 UTC 
Dan,

stupid question, where do I pick up the AVC? grep -r chfn after install, but before reboot, yields nothing in /tmp nor in /mnt/sysimage/var/log/

Maybe I'm just being slow this morning.
Comment 3 Miroslav Grepl 2011-03-07 10:22:04 UTC 
In the /var/log/audit/audit.log file 

or you can re-test it and run

# ausearch -m avc -ts recent
Comment 4 Patrick C. F. Ernzer 2011-03-07 17:45:38 UTC 
Miroslav,

this is just after install and _before_ I reboot the box.

sh-4.2# chroot /mnt/sysimage/
sh-4.2# less /var/log/audit/audit.log
/var/log/audit/audit.log: No such file or directory
sh-4.2# exit
sh-4.2# /var/log/audit/audit.log
sh: /var/log/audit/audit.log: No such file or directory

so where do the AVCs go while anaconda is running?
Comment 5 Patrick C. F. Ernzer 2011-03-07 17:48:11 UTC 
nevermind, got it with a bit of forcing

sh-4.2# chroot /mnt/sysimage/
sh-4.2# chfn -f 'test user' user
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
sh-4.2# grep -ri deny /var/log/*
sh-4.2# /etc/init.d/auditd start
Starting auditd: [  OK  ]
sh-4.2# chfn -f 'test user' user
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
sh-4.2# ausearch -m avc -ts recent
----
time->Mon Mar  7 19:46:55 2011
type=SYSCALL msg=audit(1299520015.553:149): arch=c000003e syscall=59 success=yes exit=0 a0=982f90 a1=9d8910 a2=9dba80 a3=7ffffbd3ee70 items=0 ppid=13147 pid=13160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(1299520015.553:149): avc:  denied  { read write } for  pid=13160 comm="auditctl" path="/dev/mapper/control" dev=tmpfs ino=23339 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1299520015.553:149): avc:  denied  { read write } for  pid=13160 comm="auditctl" path="/tmp/vncserver.log" dev=tmpfs ino=25371 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1299520015.553:149): avc:  denied  { append } for  pid=13160 comm="auditctl" path="/dev/tty3" dev=tmpfs ino=23024 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1299520015.553:149): avc:  denied  { read write } for  pid=13160 comm="auditctl" path="socket:[24494]" dev=sockfs ino=24494 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:anaconda_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1299520015.553:149): avc:  denied  { append } for  pid=13160 comm="auditctl" path="/tmp/anaconda.log" dev=tmpfs ino=23152 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1299520015.553:149): avc:  denied  { read write } for  pid=13160 comm="auditctl" name="console" dev=tmpfs ino=23008 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
----
time->Mon Mar  7 19:46:55 2011
type=SYSCALL msg=audit(1299520015.561:150): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff8803bb50 a2=7fff8803bb50 a3=7fff8803ba00 items=0 ppid=13147 pid=13160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(1299520015.561:150): avc:  denied  { getattr } for  pid=13160 comm="auditctl" path="/dev/null" dev=tmpfs ino=23015 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
----
time->Mon Mar  7 19:46:55 2011
type=SYSCALL msg=audit(1299520015.561:151): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fff8803bac8 a3=7fff8803ba00 items=0 ppid=13147 pid=13160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(1299520015.561:151): avc:  denied  { ioctl } for  pid=13160 comm="auditctl" path="/dev/null" dev=tmpfs ino=23015 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
sh-4.2#
Comment 6 Patrick C. F. Ernzer 2011-03-07 17:51:04 UTC 
agh, not my day, ignore comment 5, the AVC we need is not in there.

There must be a way to get the AVC...
Comment 7 Daniel Walsh 2011-03-07 22:44:11 UTC 
Might be in the install log or in the anaconda log.  Not sure if the /var/log/messages file is saved during install.
Comment 8 Patrick C. F. Ernzer 2011-03-08 01:36:43 UTC 
(In reply to comment #7)
> Might be in the install log or in the anaconda log.  Not sure if the
> /var/log/messages file is saved during install.

There's /tmp/syslog and /mnt/sysimage/root/install.log.syslog before I reboot at the end of installation. But neither contain any of 'deny' 'denied' 'avc' or 'chfn' (as per grep -i)

Installing in GUI mode (normally I install in serial console mode), I also was not able to see the AVC on any of the ttys
Comment 9 Daniel Walsh 2011-03-08 14:04:43 UTC 
 runcon system_u:system_r:rpm_t:s0 runcon system_u:system_r:rpm_script_t:s0 chage -d 0 pwalsh

This is working for me on an F15 machine.
Comment 10 Patrick C. F. Ernzer 2011-03-08 15:19:10 UTC 
(In reply to comment #9)
>  runcon system_u:system_r:rpm_t:s0 runcon system_u:system_r:rpm_script_t:s0
> chage -d 0 pwalsh
> 
> This is working for me on an F15 machine.

Yeah, the chage works for me too, it's the chfn and passwd -d that get denied

[root@guest4 ~]# cat post.err 
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the
finger info of user
passwd: system_u:system_r:rpm_script_t:s0 is not authorized to change the
password of user
Comment 11 Daniel Walsh 2011-03-08 15:25:44 UTC 
 runcon system_u:system_r:rpm_t:s0 runcon system_u:system_r:rpm_script_t:s0 chfn -f "Phyllis Walsh" pwalsh


This works also.
Comment 12 Patrick C. F. Ernzer 2011-03-08 16:13:19 UTC 
I'll try again under F15 Aplha (as opposed to development/15 which I was using so far). ISOs are downloading as we speak, should hopefully get this tested tomorrow or at the latest Thursday
Comment 13 Patrick C. F. Ernzer 2011-03-08 19:56:30 UTC 
turns out that /selinux is not mounted in %post

but, my F14 Alpha x86_64 ISO just finished downloading, I'll reproduce under that momentarily.
Comment 14 David Lehman 2011-03-08 20:06:40 UTC 

*** This bug has been marked as a duplicate of bug 677450 ***