Bug 1297480 - Confined users cannot run oddjob mkhomedirfor script
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Lukas Vrabec
Milos Malik
Depends On:
Blocks:
Reported: 2016-01-11 10:48 EST by Dustin C. Hatch
Modified: 2016-11-03 22:40 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:40:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Dustin C. Hatch 2016-01-11 10:48:30 EST
Description of problem:
The `mkhomedirfor` script shipped with oddjob-mkhomedir, used for manually creating a home directory via oddjob-mkhomedir, cannot be run by confined users (e.g. when the *mls* policy is in use).

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.13.1-60.el7.noarch

Steps to Reproduce:
1. Enable mls SELinux policy
2. Add a user without creating a home directory (or use e.g. LDAP)
3. Run mkhomedirfor <username>

Actual results:
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
Error org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.374" (uid=0 pid=14464 comm="dbus-send --system --dest=com.redhat.oddjob_mkhome") interface="com.redhat.oddjob_mkhomedir" member="mkhomedirfor" error name="(unset)" requested_reply="0" destination="com.redhat.oddjob_mkhomedir" (uid=0 pid=1254 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")


Expected results:
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.6 -> dest=:1.369 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""

Additional info:
Here is the relevant AVC denial:

type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Adding these two rules resolves the issue:
allow userdomain oddjob_t:dbus send_msg;
allow oddjob_t userdomain:dbus send_msg;
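Turning a denial like the one above into the two rules the reporter lists is the step that audit2allow automates; the small parser below (an added example, not part of this bug report or of the selinux-policy package) does the same for USER_AVC dbus records and also emits the reverse send_msg rule, since D-Bus replies are checked in the other direction. The sample line is a constructed, shortened copy of the denial quoted above, and the rules it produces name the concrete sysadm_t type rather than the userdomain attribute the reporter used.

```python
import re

# Constructed sample, shaped like the USER_AVC denial quoted in the bug description.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 "
    "subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } "
    "for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor "
    "dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 "
    "scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus'"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return the fields of an AVC/USER_AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # A context is user:role:type[:range]; the type (index 2) is what allow rules name.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def allow_rules(avc):
    """Build the allow rule(s) that would permit a parsed denial; for dbus send_msg
    the reverse rule is added too, because the reply is checked in that direction."""
    if avc is None or avc["verdict"] != "denied":
        return []
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ %s }" % perms
    rules = [f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perms};"]
    if avc["tclass"] == "dbus" and "send_msg" in avc["perms"]:
        rules.append(f"allow {avc['ttype']} {avc['stype']}:{avc['tclass']} send_msg;")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

The output for the sample is the pair of sysadm_t/oddjob_t rules that sesearch later shows in the fixed policy (Comment 5).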
Comment 2 Miroslav Grepl 2016-01-18 03:49:06 EST
Thank you for testing.
Comment 5 Milos Malik 2016-10-26 07:08:46 EDT
# rpm -qa selinux\*
selinux-policy-mls-3.13.1-102.el7.noarch
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
# sesearch -s sysadm_t -t oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30 
Found 1 semantic av rules:
   allow sysadm_t oddjob_t : dbus send_msg ; 

# sesearch -t sysadm_t -s oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30 
Found 1 semantic av rules:
   allow oddjob_t sysadm_t : dbus send_msg ; 

# id -Z
root:sysadm_r:sysadm_t:s0
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      28
# ls -l /home
total 0
# sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.33 -> dest=:1.35 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""
# ls -l /home
total 0
drwx------. 2 jenkins jenkins 62 Oct 26 13:05 jenkins
#
Comment 7 errata-xmlrpc 2016-11-03 22:40:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
