Bug 786223

Summary: Make ipa-client depend on oddjob-mkhomedir (ipa-client-install --mkhomedir sets wrong selinux contexts on user home drives)
Product: Red Hat Enterprise Linux 6 Reporter: dale.macartney
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: dale.macartney, dpal, jgalipea, ksiddiqu, mkosek, nsoman, ssorce
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-2.2.0-3.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:31:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description dale.macartney 2012-01-31 18:45:19 UTC 
Description of problem:

When using the --mkhomedir option with ipa-client-install, a user has their homedir automatically created when first logging in. 

the selinux context of this newly created homedir is set to home_root_t instead of user_home_dir_t

Version-Release number of selected component (if applicable):

Name        : ipa-client
Arch        : x86_64
Version     : 2.1.3
Release     : 9.el6


How reproducible:
every time

Steps to Reproduce:
1. clean install of RHEL 6.2
2. yum install ipa-client -y
3. ipa-client-install -U -p admin -w mysecretpassword --mkhomedir
4. log in as any ipa user..
5. ls -Z /home

  
Actual results:
[root@server ~]# ls -Z /home/
drwxr-xr-x. user1 user1 unconfined_u:object_r:home_root_t:s0 user1
drwxr-xr-x. user2 user2 unconfined_u:object_r:home_root_t:s0 user2
[root@server ~]#

Expected results:

[root@mail02 ~]# ls -Z /home/
drwxr-xr-x. user1 user1 unconfined_u:object_r:user_home_dir_t:s0 user1
drwxr-xr-x. user2 user2 unconfined_u:object_r:user_home_dir_t:s0 user2
[root@mail02 ~]#

Additional info:
Comment 2 Simo Sorce 2012-01-31 21:28:40 UTC 
ipa-client-install just uses authconfig, marking as duplicate of the bug we opened against authconfig already.

*** This bug has been marked as a duplicate of bug 647589 ***
Comment 3 Dmitri Pal 2012-02-01 15:05:10 UTC 
This is an authconfig issue similar to the one in #647589.
Comment 4 Dmitri Pal 2012-02-01 15:07:44 UTC 
Authconfig's GUI version will auto-detect the presence of
pam_oddjob_mkhomedir and prefer that over pam_mkhomedir, but it appears
the command-line version always configures pam_mkhomedir.
Comment 5 Tomas Mraz 2012-02-01 16:30:11 UTC 
No, the GUI and commandline UI are both frontends to a single backend. So most probably they do not have pam_oddjob_mkhomedir installed.

*** This bug has been marked as a duplicate of bug 647589 ***
Comment 7 Tomas Mraz 2012-02-01 16:40:59 UTC 
The possible resolutions are:
1. Make authconfig depend on oddjob-mkhomedir package - I do not want that as it unnecessarily expands the minimal install set.

2. Make authconfig to gray out the homedir creation check box in GUI when SELinux is enforcing and oddjob-mkhomedir is not installed. Also print a warning in commandline UI in the same situation if user uses --enablemkhomedir. This will not prevent the user to enable creation of homedirs in command line ui and with ipa-client-install however it will at least warn him that it will not work correctly.

3. Make ipa-client depend on oddjob-mkhomedir - perhaps preferable?
Comment 8 Dmitri Pal 2012-02-01 18:03:12 UTC 
Re-targeting IPA and giving ack to option number three from above. Also changing the name.
Comment 9 Dmitri Pal 2012-02-01 18:07:44 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2337
Comment 10 Martin Kosek 2012-02-27 10:02:33 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/872047fa0e666f0ac0328f4d6f75dc8bf560485c
ipa-2-2: https://fedorahosted.org/freeipa/changeset/de4603eba0270bb34207543f62012e1690086305
Comment 13 Martin Kosek 2012-04-24 11:33:48 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 14 Kaleem 2012-04-25 11:12:08 UTC 
Verified.

ipa-client version:
===================
[root@ipa63client ~]# rpm -q ipa-client
ipa-client-2.2.0-11.el6.x86_64
[root@ipa63client ~]#

ipa-client depends on oddjob-mkhomedir pkg:
==========================================
[root@ipa63client ~]# yum deplist ipa-client|grep odd
Unable to read consumer identity
  dependency: oddjob-mkhomedir
   provider: oddjob-mkhomedir.x86_64 0.30-5.el6
   provider: oddjob-mkhomedir.i686 0.30-5.el6
[root@ipa63client ~]#
 
Now correct selinux context (user_home_dir_t) is set for user home directories.

[root@ipa63client ~]# ls -laZ /home/
drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxr-xr-x. tuser1 tuser1 unconfined_u:object_r:user_home_dir_t:s0 tuser1
drwxr-xr-x. tuser2 tuser2 unconfined_u:object_r:user_home_dir_t:s0 tuser2
drwxr-xr-x. tuser3 tuser3 unconfined_u:object_r:user_home_dir_t:s0 tuser3
[root@ipa63client ~]#
Comment 16 errata-xmlrpc 2012-06-20 13:31:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html