Bug 1013968 - useradd: cannot set SELinux context for home directory
Summary: useradd: cannot set SELinux context for home directory
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: shadow-utils
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-01 07:30 UTC by Eryu Guan
Modified: 2013-11-27 12:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-27 12:15:59 UTC
Target Upstream Version:
Embargoed:



Description Eryu Guan 2013-10-01 07:30:12 UTC
Description of problem:
Adding a new user with useradd failed because creating the home directory failed.

setenforce 0 could work around the issue

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7

How reproducible:
always

Steps to Reproduce:
1. setenforce 1
2. useradd new_user
3.

Actual results:
useradd of the new user failed
useradd: cannot set SELinux context for home directory /mnt/testarea/ltp-p8bV7kK7Nq/tacl/mount-ext3/acltest1
Could not add test user acltest1.

Expected results:
The new user could be added.

Additional info:
Not sure if it's a selinux-policy issue, please correct me if I'm wrong.

Comment 1 Miroslav Grepl 2013-10-03 09:01:33 UTC
What AVC msgs are you getting in permissive mode?

Comment 2 Eryu Guan 2013-10-03 09:26:58 UTC
# setenforce 1
# useradd testuser
useradd: cannot create directory /home/testuser
# echo $?
12
# tail /var/log/audit/audit.log
type=ADD_GROUP msg=audit(1380792255.158:296): pid=24483 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792255.176:297): pid=24483 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792255.180:298): pid=24483 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1380792255.180:299): pid=24483 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'

# setenforce 0
# useradd testuser
# echo $?
0
# tail /var/log/audit/audit.log
type=ADD_GROUP msg=audit(1380792349.214:308): pid=24522 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792349.223:309): pid=24522 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1380792349.228:310): avc:  denied  { write } for  pid=24522 comm="useradd" name="/" dev="dm-2" ino=128 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1380792349.228:310): avc:  denied  { add_name } for  pid=24522 comm="useradd" name="testuser" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1380792349.228:310): arch=c000003e syscall=83 success=yes exit=0 a0=7f3933798f80 a1=0 a2=7f3931142778 a3=5f656d6f685f7265 items=0 ppid=3871 pid=24522 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1380792349.234:311): pid=24522 uid=0 auid=0 ses=1  subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'

Comment 3 Miroslav Grepl 2013-10-03 18:59:55 UTC
Ok, this is a labeling problem. You will need to fix labeling using restorecon and then set up correct labels for HOME_ROOT using "semanage fcontext -a -e" if you use a non-standard location.

Comment 4 Branislav Blaškovič 2013-11-21 10:25:01 UTC
Another example:

# mkdir /tmp/new_home
# useradd -d /tmp/new_home/tester tester
useradd: cannot set SELinux context for home directory /tmp/new_home/tester
# chcon --reference /home /tmp/new_home
# ls -lZd /tmp/new_home/
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /tmp/new_home/
# useradd -d /tmp/new_home/tester tester
useradd: cannot set SELinux context for home directory /tmp/new_home/tester

BUT!!!

# mkdir /tmp/new_home/tester
# useradd -d /tmp/new_home/tester tester
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
# echo $?
0

I don't think this is correct behaviour. It's working OK on RHEL-6.

Reopened.

Comment 5 Branislav Blaškovič 2013-11-21 10:29:02 UTC
I forgot to add (to comment #4):
# rpm -qf `which useradd`
shadow-utils-4.1.5.1-9.el7.x86_64
# rpm -q selinux-policy
selinux-policy-3.12.1-102.el7.noarch

Comment 6 Tomas Mraz 2013-11-27 09:34:16 UTC
I am not convinced this is a bug in useradd. IMHO it is due to tighter restrictions in the SELinux policy.

Comment 7 Miroslav Grepl 2013-11-27 09:58:08 UTC
If you create

# mkdir /tmp/new_home

and then set up an equivalence for this directory using semanage instead of chcon, does it work then?

Comment 8 Tomas Mraz 2013-11-27 10:14:03 UTC
The correct way to do this is:

semanage fcontext -a -e /home /tmp/new_home
mkdir /tmp/new_home
restorecon /tmp/new_home
useradd -d /tmp/new_home/tester tester

I verified that it works fine this way.
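
A script form of the diagnosis in comments 2 and 3 and the fix in comment 8, added here as an example that is not part of the bug report. The two AVC lines are copied from comment 2; `setup_home_root` assumes root and a host with semanage and restorecon installed, and `mislabeled_targets` is plain text processing that runs anywhere:

```shell
#!/bin/sh
# Added example, not from the bug report. Sample audit lines are the ones
# quoted in comment 2; setup_home_root assumes root, semanage and restorecon.

# Constructed from comment 2: the two AVC denials from the permissive run.
SAMPLE_AVC='type=AVC msg=audit(1380792349.228:310): avc:  denied  { write } for  pid=24522 comm="useradd" name="/" dev="dm-2" ino=128 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1380792349.228:310): avc:  denied  { add_name } for  pid=24522 comm="useradd" name="testuser" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# The SELinux type is the third field of a user:role:type:level context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print "name type" for every dir denial against useradd whose target is not
# home_root_t. file_t is the label of an unlabelled filesystem, so any hit
# here means the home root is mislabelled (comment 3), not a useradd bug.
# Exit status 0 when at least one such target exists, 1 otherwise.
mislabeled_targets() {
    printf '%s\n' "$1" |
    grep 'avc: *denied.*comm="useradd".*tclass=dir' |
    sed -n 's/.*name="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2/p' |
    grep -v ' home_root_t$'
}

# Persistent fix from comment 8. chcon (comment 4) only relabels the inode;
# useradd looks the new home directory up in the file-context database, and
# only an equivalence rule makes that lookup resolve to a home-directory type.
setup_home_root() {
    new_root=$1
    semanage fcontext -a -e /home "$new_root" || return 1
    mkdir -p "$new_root" || return 1
    restorecon -R "$new_root" || return 1
    # Confirm the label applied before any useradd -d "$new_root/<user>"
    [ "$(ctx_type "$(stat -c %C "$new_root")")" = home_root_t ]
}

# Usage (root):  setup_home_root /tmp/new_home && useradd -d /tmp/new_home/tester tester
# Diagnosis:     mislabeled_targets "$(cat /var/log/audit/audit.log)"
```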

Comment 9 Branislav Blaškovič 2013-11-27 12:15:59 UTC
Yes, it works like Tomas mentioned in comment #8.
Thank you.

