Description of problem:
useradd a new user failed because of creating home directory failure. setenforce 0 could work around the issue.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7

How reproducible:
always

Steps to Reproduce:
1. setenforce 1
2. useradd new_user
3.

Actual results:
useradd new user failed
useradd: cannot set SELinux context for home directory /mnt/testarea/ltp-p8bV7kK7Nq/tacl/mount-ext3/acltest1
Could not add test user acltest1.

Expected results:
new user could be added

Additional info:
Not sure if it's a selinux-policy issue, please correct me if I was wrong.
What AVC msgs are you getting in permissive mode?
# setenforce 1
# useradd testuser
useradd: cannot create directory /home/testuser
# echo $?
12
# tail /var/log/audit/audit.log
type=ADD_GROUP msg=audit(1380792255.158:296): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792255.176:297): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792255.180:298): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1380792255.180:299): pid=24483 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=failed'

# setenforce 0
# useradd testuser
# echo $?
0
# tail /var/log/audit/audit.log
type=ADD_GROUP msg=audit(1380792349.214:308): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding group acct="testuser" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_USER msg=audit(1380792349.223:309): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1380792349.228:310): avc: denied { write } for pid=24522 comm="useradd" name="/" dev="dm-2" ino=128 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1380792349.228:310): avc: denied { add_name } for pid=24522 comm="useradd" name="testuser" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1380792349.228:310): arch=c000003e syscall=83 success=yes exit=0 a0=7f3933798f80 a1=0 a2=7f3931142778 a3=5f656d6f685f7265 items=0 ppid=3871 pid=24522 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1380792349.234:311): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
Ok, this is a labeling problem. You will need to fix labeling using restorecon and then set up correct labels for HOME_ROOT using "semanage fcontext -a -e" if you use a non-standard location.
Another example:

# mkdir /tmp/new_home
# useradd -d /tmp/new_home/tester tester
useradd: cannot set SELinux context for home directory /tmp/new_home/tester
# chcon --reference /home /tmp/new_home
# ls -lZd /tmp/new_home/
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /tmp/new_home/
# useradd -d /tmp/new_home/tester tester
useradd: cannot set SELinux context for home directory /tmp/new_home/tester

BUT!!!

# mkdir /tmp/new_home/tester
# useradd -d /tmp/new_home/tester tester
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
# echo $?
0

I don't think this is correct behaviour. It's working OK on RHEL-6. Reopened.
I forgot to add (to comment #4):

# rpm -qf `which useradd`
shadow-utils-4.1.5.1-9.el7.x86_64
# rpm -q selinux-policy
selinux-policy-3.12.1-102.el7.noarch
I am not convinced this is a bug in useradd. IMHO it is due to the tightened restrictions of the SELinux policy.
If you create the directory (# mkdir /tmp/new_home) and then set up an equivalence for it using semanage instead of chcon, does it work then?
The correct way to do this is:

semanage fcontext -a -e /home /tmp/new_home
mkdir /tmp/new_home
restorecon /tmp/new_home
useradd -d /tmp/new_home/tester tester

I verified that it works fine this way.
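As an added illustration (not code from this bug report or from shadow-utils/selinux-policy), the following script reads audit.log records like the ones pasted in comment #3 and tells the two cases in this thread apart: a target labelled file_t (no valid label, fix with restorecon and, for a non-standard HOME_ROOT, the semanage equivalence from comment #8) versus a denial against a validly labelled object (a real policy question). The sample records are taken from comment #3; the set of "unlabeled" types and the advice strings are this example's own assumptions.

```python
import re

# Constructed sample: the two AVC records from comment #3 (permissive run) plus one ADD_USER record.
SAMPLE_AUDIT_LOG = """\
type=ADD_USER msg=audit(1380792349.223:309): pid=24522 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1380792349.228:310): avc: denied { write } for pid=24522 comm="useradd" name="/" dev="dm-2" ino=128 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1380792349.228:310): avc: denied { add_name } for pid=24522 comm="useradd" name="testuser" scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of target types meaning "this object carries no valid label": relabel, don't touch policy.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}
LABELING_ADVICE = ("relabel with restorecon; for a non-standard HOME_ROOT first add "
                   "'semanage fcontext -a -e /home <dir>' so restorecon knows the right labels")
POLICY_ADVICE = "label is valid; the denial comes from policy, not from mislabeling"


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = set(m.group("perms").split())
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def diagnose(audit_text):
    """Classify each denial as a labeling problem or a genuine policy denial."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ttype = context_type(rec["tcontext"])
        labeling = ttype in UNLABELED_TYPES
        findings.append({
            "comm": rec.get("comm"), "name": rec.get("name"), "tclass": rec.get("tclass"),
            "perms": rec["perms"], "source_type": context_type(rec["scontext"]),
            "target_type": ttype, "verdict": "labeling" if labeling else "policy",
            "advice": LABELING_ADVICE if labeling else POLICY_ADVICE,
        })
    return findings
```

Run against a real log with diagnose(open("/var/log/audit/audit.log").read()); both denials from comment #3 come back as "labeling" against the filesystem root of dm-2, which is exactly what comment #4 concluded.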
Yes it works like Tomas mentioned in comment #8. Thank you.