Bug 822133
| Summary: | a lot of selinux errors when working with a freeipa user | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | pasqual milvaques <pasqual.milvaques> |
| Component: | freeipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 16 | CC: | abokovoy, jhrozek, mkosek, rcritten, sbose, sgallagh, ssorce |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | freeipa-2.1.4-8.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-14 03:05:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is a bug in FreeIPA (specifically ipa-client-install). pam_mkhomedir is not SELinux-compatible. There is an alternative called oddjob_mkhomedir that is. ipa-client-install will use whichever one is installed on the system. In the default case, that unfortunately means pam_mkhomedir. In Fedora 17, the 'freeipa-client' package grew an explicit dependency on oddjob_mkhomedir to ensure that the SELinux-compatible package was available. We need to backport that specfile change to F16. In the meantime, you can solve this for an installed system by doing: yum install oddjob-mkhomedir Replacing all instances of pam_mkhomedir.so in /etc/pam.d/* with pam_oddkob_mkhomedir.so Then at least all new users that log in will be set up with the appropriate SELinux contexts. freeipa-2.1.4-8.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/freeipa-2.1.4-8.fc16 removed the installed selinux policies, deleted the /home directories for freeipa users and updated the freeipa packages. tested and all is working now thanks!!! This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Not sure why this is still open, closing as VERIFIED. Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. Changing CLOSED status resolution from WONTFIX to ERRATA as this was properly closed, we just forgot to CLOSE it properly. |
Description of problem: I'm trying to log and work to a test box with a freeipa user but selinux avoid me to a lot of normal activities for the moment these are the problems: -I can't log to the sistem if a didn't do a restorecon -v -R /home/username -once I do this I can log to the system but I try to change the password with the control-center I receive errors of this kind /var/log/audit/audit.log: type=AVC msg=audit(1337166385.813:105): avc: denied { execute } for pid=2354 comm="passwd" name="gnome-keyring-daemon" dev="sda3" ino=157097 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file type=USER_CHAUTHTOK msg=audit(1337166385.830:106): pid=0 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok acct="mnadal" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/1 res=success' selinux trobleshouter says to me to apply this policies to avoid the errors: -mypol_passwd.te: module mypol_passwd 1.0; require { type tmp_t; type passwd_t; type gkeyringd_exec_t; class capability ipc_lock; class sock_file { write create unlink getattr }; class file { read execute open execute_no_trans }; class dir { create rmdir }; } #============= passwd_t ============== #!!!! This avc is allowed in the current policy allow passwd_t gkeyringd_exec_t:file { read execute open execute_no_trans }; allow passwd_t self:capability ipc_lock; allow passwd_t tmp_t:dir rmdir; #!!!! This avc is allowed in the current policy allow passwd_t tmp_t:dir create; #!!!! This avc is allowed in the current policy allow passwd_t tmp_t:sock_file create; allow passwd_t tmp_t:sock_file { write getattr unlink }; -run: semodule -i mypol_passwd.pp Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. join a freeipa domain with ipa-client-install --mkhomedir 2. do a restorecon -v -R /home/username (if not I can't log to gnome) 3. go go to control center -> users ant try to change your password Actual results: lots of selinux errors, in the first tries the errors don't let the password to be changed Expected results: usable home directory (correctly labeled with selinux by default) transparent password change Additional info: