Bug 1113725 - MLS: pam_oddjob_mkhomedir does not work
Summary: MLS: pam_oddjob_mkhomedir does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Assignee: Miroslav Grepl
QA Contact: Miroslav Vadkerti
URL:
Whiteboard:
Depends On:
Blocks: 893599
Reported: 2014-06-26 18:44 UTC by Miroslav Vadkerti
Modified: 2015-03-17 14:37 UTC (History)

Fixed In Version: selinux-policy-3.13.1-14.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:40:24 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3972 0 None None None Never
Red Hat Product Errata RHBA-2015:0458 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Description Miroslav Vadkerti 2014-06-26 18:44:29 UTC
Description of problem:
When I enable pam_oddjob_mkhomedir and have no home created:
time->Thu Jun 26 20:40:00 2014
type=SYSCALL msg=audit(1403808000.088:59918): arch=c000003e syscall=83 success=no exit=-13 a0=7fff8d062e80 a1=41ed a2=7faa91d2c778 a3=3a745f7269645f65 items=0 ppid=25099 pid=25285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1403808000.088:59918): avc:  denied  { create } for  pid=25285 comm="mkhomedir" name="ipatest" scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir

All other SELinux users should be fixed also if needed.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. create user without home directory
2. add pam_oddjob_mkhomedir to config
3. login as user

Actual results:
Home dir not created

Expected results:
Home dir created for all users that are able to login.

Comment 1 Miroslav Grepl 2014-07-15 15:23:38 UTC
Mirek,
what does audit2allow say on this AVC?

Comment 2 Eugene Peregudov 2014-09-01 06:47:58 UTC
I have the same issue with pam_oddjob_mkhomedir: when a user first accesses a not yet existing home directory via smbd:

type=SYSCALL msg=audit(1409551252.780:10547): arch=c000003e syscall=2 success=yes exit=7 a0=7fff9ac2d020 a1=c1 a2=8180 a3=5f656d6f685f7265 items=2 ppid=19440 pid=31165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)
type=USER_AVC msg=audit(1409551461.431:10567): pid=793 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=31294 tpid=19440 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1409551461.433:10568): arch=c000003e syscall=191 success=yes exit=45 a0=7f8ca76f2070 a1=7f8ca59e679e a2=7f8ca76fbf20 a3=ff items=1 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key="mkhomedir"
type=PATH msg=audit(1409551461.433:10568): item=0 name="/usr/libexec/oddjob/mkhomedir" inode=525091 dev=fd:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:oddjob_mkhomedir_exec_t:s0 objtype=NORMAL
type=AVC msg=audit(1409551461.434:10569): avc:  denied  { transition } for  pid=31297 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev="dm-4" ino=525091 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:smbd_t:s0 tclass=process
type=AVC msg=audit(1409551461.434:10569): avc:  denied  { entrypoint } for  pid=31297 comm="oddjobd" path="/usr/libexec/oddjob/mkhomedir" dev="dm-4" ino=525091 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
type=AVC msg=audit(1409551461.434:10569): avc:  denied  { read } for  pid=31297 comm="mkhomedir" path="pipe:[389907]" dev="pipefs" ino=389907 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1409551461.434:10569): avc:  denied  { write } for  pid=31297 comm="mkhomedir" path="pipe:[389908]" dev="pipefs" ino=389908 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1409551461.434:10569): arch=c000003e syscall=59 success=yes exit=0 a0=7f8ca76f2070 a1=7f8ca76fc570 a2=7f8ca76f2460 a3=4 items=2 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key="mkhomedir"
type=EXECVE msg=audit(1409551461.434:10569): argc=3 a0="mkhomedir" a1="-u" a2="0077"
type=PATH msg=audit(1409551461.434:10569): item=0 name="/usr/libexec/oddjob/mkhomedir" inode=525091 dev=fd:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:oddjob_mkhomedir_exec_t:s0 objtype=NORMAL
type=AVC msg=audit(1409551461.437:10570): avc:  denied  { getattr } for  pid=31297 comm="mkhomedir" path="pipe:[389907]" dev="pipefs" ino=389907 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1409551461.437:10570): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff794f9ff0 a2=7fff794f9ff0 a3=0 items=0 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1409551461.443:10571): avc:  denied  { create } for  pid=31297 comm="mkhomedir" name="username" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1409551461.443:10571): arch=c000003e syscall=83 success=yes exit=0 a0=7fff794f6f10 a1=41c0 a2=7f7ff2e23770 a3=5f656d6f685f7265 items=2 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1409551461.444:10572): avc:  denied  { create } for  pid=31297 comm="mkhomedir" name=".bashrc" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1409551461.444:10572): arch=c000003e syscall=2 success=yes exit=7 a0=7fff794f8eb0 a1=c1 a2=8180 a3=5f656d6f685f7265 items=2 ppid=19440 pid=31297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkhomedir" exe="/usr/libexec/oddjob/mkhomedir" subj=system_u:system_r:smbd_t:s0 key=(null)

#grep mkhomedir /var/log/audit/audit.log | audit2allow -M test
compilation failed:
test.te:26:ERROR 'syntax error' at token 'constrain' on line 26:
        constrain dir { create relabelfrom relabelto } ((u1 eq u2 -Fail-)  or (t1=smbd_t  eq TYPE_ENTRY -Fail-) ); Constraint DENIED
#Constraint rule:
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from test.te

#cat test.te

module test 1.0;

require {
        type user_home_t;
        type oddjob_mkhomedir_exec_t;
        type smbd_t;
        type oddjob_t;
        class dbus send_msg;
        class process transition;
        class fifo_file { read write getattr };
        class file { create entrypoint };
        class dir create;
}

#============= oddjob_t ==============
allow oddjob_t smbd_t:process transition;

#============= smbd_t ==============
allow smbd_t oddjob_mkhomedir_exec_t:file entrypoint;
allow smbd_t oddjob_t:dbus send_msg;
allow smbd_t oddjob_t:fifo_file { read write getattr };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to al
#Constraint rule:.
        constrain dir { create relabelfrom relabelto } ((u1 eq u2 -Fail-)  or (t1=smbd_t  eq TYPE_ENTRY -Fail-) ); Constraint

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow smbd_t user_home_t:dir create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to al
#Constraint rule:.
        constrain file { create relabelfrom relabelto } ((u1 eq u2 -Fail-)  or (t1=smbd_t  eq TYPE_ENTRY -Fail-) ); Constrain

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow smbd_t user_home_t:file create;

When a user tries a first login via ssh, the home directory is created successfully.

selinux-policy-3.12.1-153.el7_0.10.noarch
samba-4.1.1-37.el7_0.x86_64
oddjob-0.31.5-3.el7.x86_64
oddjob-mkhomedir-0.31.5-3.el7.x86_64

Workaround for this issue (for me):
# semanage permissive -a smbd_t oddjob_t

Comment 3 Kaushik Banerjee 2014-11-11 08:46:23 UTC
I see the following avc when trying to ssh as a user.

type=AVC msg=audit(1415695001.980:413): avc:  denied  { entrypoint } for  pid=28895 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="dm-1" ino=367524 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file

User home directory fails to be created.

Comment 4 Miroslav Grepl 2014-11-11 10:50:18 UTC
Eugene,
could you please re-test it with

$cat mypol.te
policy_module(mypol,1.0)

optional_policy(`
    dbus_system_bus_client(smbd_t)

    optional_policy(`
        oddjob_dbus_chat(smbd_t)
        oddjob_domtrans_mkhomedir(smbd_t)
    ')
')

and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and re-test it. Thank you.

Comment 5 Miroslav Grepl 2014-11-11 10:51:41 UTC
Kaushik,
what does

# ps -eZ |grep sshd

while you are testing it?

Comment 6 Kaushik Banerjee 2014-11-11 10:58:03 UTC
(In reply to Miroslav Grepl from comment #5)
> Kaushik,
> what does
> 
> # ps -eZ |grep sshd
> 
> while you are testing it?

# ps -eZ |grep sshd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1004 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 15654 ? 00:00:00 sshd

Additional Info:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# cat mypol.te  

module mypol 1.0;

require {
	type unconfined_t;
	type oddjob_mkhomedir_exec_t;
	class file entrypoint;
}

#============= unconfined_t ==============
allow unconfined_t oddjob_mkhomedir_exec_t:file entrypoint;

Comment 7 Miroslav Vadkerti 2014-11-13 13:58:20 UTC
(In reply to Miroslav Grepl from comment #1)
> Mirek,
> what does audit2allow say on this AVC?

Unfortunately a constraint violation :( See the same for staff_u and user_u:

# ausearch -ts recent -m avc -sv no | grep oddjob | audit2allow
#============= oddjob_mkhomedir_t ==============
#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
        mlsconstrain dir { create } ((l1 eq l2 -Pass-)  or (t1=oddjob_mkhomedir_t  eq TYPE_ENTRY -Fail-)  and (l1 domby l2 -Pass-)  or (t1=oddjob_mkhomedir_t  eq TYPE_ENTRY -Fail-)  and (l1 dom l2 -Pass-)  or (t1=oddjob_mkhomedir_t  eq TYPE_ENTRY -Fail-)  and (l1 incomp l2 -Fail-)  and (l1 eq h2 -Fail-)  or (t1=oddjob_mkhomedir_t  eq TYPE_ENTRY -Fail-)  and (l1 domby h2 -Pass-)  or (t1=oddjob_mkhomedir_t  eq TYPE_ENTRY -Fail-)  and (l1 dom h2 -Fail-)  or (t1=oddjob_mkhomedir_t  eq TYPE_ENTRY -Fail-)  and (l1 incomp h2 -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (user_u) are different.
allow oddjob_mkhomedir_t user_home_dir_t:dir create;

Comment 8 Miroslav Grepl 2014-11-14 09:08:12 UTC
Mirek,
how about with

mls_file_upgrade(oddjob_mkhomedir_t)

Comment 9 Eugene Peregudov 2014-11-14 10:32:10 UTC
(In reply to Miroslav Grepl from comment #4)
> Eugene,
> could you please re-test it with
> 
> $cat mypol.te

> and run
> 
> # make -f /usr/share/selinux/devel/Makefile mypol.pp
> # semodule -i mypol.pp
> 
Miroslav, sorry for the delay.

I disabled the workaround:
# semanage permissive -d smbd_t
# semanage permissive -d oddjob_t

Tried to compile mypol.te:

# make -f /usr/share/selinux/devel/Makefile mypol.pp
Compiling targeted mypol module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypol.tmp
mypol.te":3:ERROR 'unknown type smbd_t' at token ';' on line 3208:
#line 3
        allow smbd_t { system_dbusd_t self }:dbus send_msg;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mypol.mod] Error 1

Compiled successfully after adding to mypol:

require {
    type smbd_t;
}

I tested both sshd and smbd, and auto-creating the homedir works fine!

Comment 10 Miroslav Grepl 2014-11-14 10:38:45 UTC
I apologize. Yes.

require {
    type smbd_t;
}

was needed.

Thank you for testing.

Comment 11 Phil Seeley 2014-12-01 04:58:10 UTC
Hi Miroslav,

We've encountered what could be the same issue on RHEL6 running under the MLS SELinux policy. We get the same AVC:

type=AVC msg=audit(1417393598.739:1228): avc:  denied  { create } for  pid=9971 comm="mkhomedir" name="usera" scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023 tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir

I've traced the denial to the following MLS constraint:

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
        ((( l1 eq l2 ) or
          (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
          (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
          (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
         (( l1 eq h2 ) or
          (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
          (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
          (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));

It's the second block of this constraint that fails. From testing we have determined that:

l1 is not equal to h2
l1 is dominated by h2

So your comment 8 above does work, but giving the mlsfileupgrade attribute to oddjob_mkhomedir_t may have wider security implications.

We're not exactly sure what this constraint is trying to achieve, but if the range of levels in the source and target contexts are equal, then shouldn't the create be allowed?

Thanks

Phil
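
Phil's reading of the constraint, checked in code. This is an added example, not from the bug report or the selinux-policy project: it parses the contexts out of the AVC in the description, evaluates both blocks of the mlsconstrain quoted above, and shows that only the l1-vs-h2 block fails (l1 = s0, h2 = s15:c0.c1023) and that the mlsfileupgrade attribute, which mls_file_upgrade() grants, is what lets it pass. Level handling is a simplified assumption (numeric sensitivities, expanded category sets), and the mlsfiledowngrade branches are evaluated as well even though the thread does not exercise them.

```python
"""Evaluate the MLS 'create' mlsconstrain quoted in comment 11 against the
subject/target contexts of the AVC from this bug, with and without the
mlsfileupgrade attribute. Added example, not part of the bug report;
level handling is simplified (numeric sensitivities, expanded category sets)."""
import re

# Constructed copy of the AVC line from the bug description.
AVC = ('type=AVC msg=audit(1403808000.088:59918): avc:  denied  { create } for  '
       'pid=25285 comm="mkhomedir" name="ipatest" '
       'scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023 '
       'tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir')


def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(':')
    catset = set()
    for part in (cats.split(',') if cats else []):
        if '.' in part:                      # category range cA.cB
            lo, hi = part.split('.')
            catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            catset.add(int(part[1:]))
    return int(sens[1:]), catset

def parse_range(context):
    """Return (low, high) levels of a context's MLS range; a lone 's0' means low == high."""
    mls = context.split(':', 3)[3]
    low, _, high = mls.partition('-')
    return parse_level(low), parse_level(high or low)

def dom(a, b):
    """a dominates b: sensitivity >= and category superset (>= on sets)."""
    return a[0] >= b[0] and a[1] >= b[1]

def create_allowed(scontext, tcontext, attrs=frozenset()):
    """Apply both blocks of the constraint: l1 vs l2, then l1 vs h2."""
    l1, _h1 = parse_range(scontext)
    l2, h2 = parse_range(tcontext)
    up, down = 'mlsfileupgrade' in attrs, 'mlsfiledowngrade' in attrs

    def block(lvl):
        return (l1 == lvl
                or (up and dom(lvl, l1))                              # l1 domby lvl
                or (down and dom(l1, lvl))                            # l1 dom lvl
                or (down and not dom(l1, lvl) and not dom(lvl, l1)))  # l1 incomp lvl

    results = {'l1 vs l2': block(l2), 'l1 vs h2': block(h2)}
    return all(results.values()), results

def contexts_from_avc(line):
    """Pull scontext/tcontext out of an AVC record."""
    m = re.search(r'scontext=(\S+)\s+tcontext=(\S+)', line)
    return m.group(1), m.group(2)

if __name__ == '__main__':
    s, t = contexts_from_avc(AVC)
    print('default policy   :', create_allowed(s, t))
    print('mls_file_upgrade :', create_allowed(s, t, {'mlsfileupgrade'}))
```

The second block is the one that fails in the default policy because the created directory would inherit the high end of the target range (s15:c0.c1023) while the subject's low level is s0, which is exactly the "l1 is not equal to h2 / l1 is dominated by h2" observation above.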

Comment 12 Miroslav Grepl 2014-12-01 10:47:49 UTC
(In reply to Phil Seeley from comment #11)
> Hi Miroslav,
> 
> We've encountered what could be the same issue on RHEL6 running under the
> MLS SELinux policy. We get the same AVC:
> 
> type=AVC msg=audit(1417393598.739:1228): avc:  denied  { create } for 
> pid=9971 comm="mkhomedir" name="usera"
> scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
> 
> I've traced the denial to the following MLS constraint:
> 
> mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file }
> create
>         ((( l1 eq l2 ) or
>           (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
>           (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
>           (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
>          (( l1 eq h2 ) or
>           (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
>           (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
>           (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
> 
> It's the second block of this constraint that fails. From testing we have
> determined that:
> 
> l1 is not equal to h2
> l1 is dominated by h2
> 
> So your comment 8 above does work, but giving the mlsfileupgrade attribute
> to oddjob_mkhomedir_t may have wider security implications.
> 
> We're not exactly sure what this constraint is trying to achieve, but if the
> range of levels in the source and target contexts are equal, then shouldn't
> the create be allowed?

The point is you want to have an object created with a level to be equal low sensitivity label of a subject by default (in most cases to have SystemLow for these objects).


> Thanks
> 
> Phil

Comment 13 Phil Seeley 2014-12-01 22:25:51 UTC
(In reply to Miroslav Grepl from comment #12)
> > We're not exactly sure what this constraint is trying to achieve, but if the
> > range of levels in the source and target contexts are equal, then shouldn't
> > the create be allowed?
> 
> The point is you want to have an object created with a level to be equal low
> sensitivity label of a subject by default (in most cases to have SystemLow
> for these objects).

Thanks, that makes sense. So are we saying that for an MLS system the best solution is:

mls_file_upgrade(oddjob_mkhomedir_t)

Comment 14 Miroslav Grepl 2014-12-02 13:45:07 UTC
Yes, I believe we will need to allow it this way in this case.

Dan,
any comment here?

Comment 15 Daniel Walsh 2014-12-02 20:27:31 UTC
I guess you would have to yes.

Comment 16 Miroslav Grepl 2014-12-12 14:54:49 UTC
commit f55cd5d76498e5f43fb82bcede0478eab91d874c
Author: Miroslav Grepl <mgrepl>
Date:   Fri Dec 12 15:53:45 2014 +0100

    Add additional MLS attribute for oddjob_mkhomedir to create homedirs.

Comment 18 Miroslav Vadkerti 2015-02-03 11:05:18 UTC
Works in MLS also. Moving to VERIFIED as fixed in selinux-policy-3.13.1-23.el7.

drwx------. 2 ipastaff ipastaff   59 Feb  3 12:02 ipastaff

No MLS coverage yet, but would be nice.

Comment 20 errata-xmlrpc 2015-03-05 10:40:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

