Bug 1297480 - Confined users cannot run oddjob mkhomedirfor script
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Hardware: All Linux
Priority: medium Severity: low
: rc
: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Reported: 2016-01-11 10:48 EST by Dustin C. Hatch
Modified: 2016-11-03 22:40 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-03 22:40:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 09:36:25 EDT

Description Dustin C. Hatch 2016-01-11 10:48:30 EST
Description of problem:
The `mkhomedirfor` script shipped with oddjob-mkhomedir, used for manually creating a home directory via oddjob-mkhomedir, cannot be run by confined users (e.g. when the *mls* policy is in use).

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Enable mls SELinux policy
2. Add a user without creating a home directory (or use e.g. LDAP)
3. Run mkhomedirfor <username>

Actual results:
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
Error org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.374" (uid=0 pid=14464 comm="dbus-send --system --dest=com.redhat.oddjob_mkhome") interface="com.redhat.oddjob_mkhomedir" member="mkhomedirfor" error name="(unset)" requested_reply="0" destination="com.redhat.oddjob_mkhomedir" (uid=0 pid=1254 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")

Expected results:
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.6 -> dest=:1.369 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""

Additional info:
Here is the relevant AVC denial:

type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Adding these two rules resolves the issue:
allow userdomain oddjob_t:dbus send_msg;
allow oddjob_t userdomain:dbus send_msg;
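As an added illustration of how the denial above maps onto those two rules (example code written for this page, not part of oddjob or the selinux-policy package): a small parser that pulls the source type, target type, object class and permission out of the USER_AVC record and emits the allow rules, swapping in the userdomain attribute for the concrete source type the way the reporter did. The embedded sample is the AVC record quoted above, lightly trimmed.

```python
import re

# Constructed sample input: the USER_AVC record quoted in this bug report.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 "
    "subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor "
    "dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 "
    "scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

# The fields of an AVC record needed to build an allow rule.
AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\w+)"
)

def parse_avc(record):
    """Return source type, target type, class and permissions of a denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    # A context is user:role:type:range, so the type is the third field.
    return {
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
    }

def allow_rules(avc, source_attr=None):
    """Allow rule(s) that resolve a parsed denial. source_attr swaps an
    attribute (the reporter used userdomain) for the concrete source type.
    A D-Bus method call needs its reply to pass too, so for tclass dbus
    the rule is emitted in both directions."""
    src = source_attr or avc["source"]
    perms = " ".join(avc["perms"])
    rules = [f"allow {src} {avc['target']}:{avc['tclass']} {perms};"]
    if avc["tclass"] == "dbus" and "send_msg" in avc["perms"]:
        rules.append(f"allow {avc['target']} {src}:{avc['tclass']} {perms};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_avc(SAMPLE_AVC), source_attr="userdomain"):
        print(rule)
```

Run against the sample it prints exactly the two rules listed above; without source_attr it yields the narrower sysadm_t-only pair, which is what sesearch reports in the fixed policy in Comment 5.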
Comment 2 Miroslav Grepl 2016-01-18 03:49:06 EST
Thank you for testing.
Comment 5 Milos Malik 2016-10-26 07:08:46 EDT
# rpm -qa selinux\*
# sesearch -s sysadm_t -t oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30 
Found 1 semantic av rules:
   allow sysadm_t oddjob_t : dbus send_msg ; 

# sesearch -t sysadm_t -s oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30 
Found 1 semantic av rules:
   allow oddjob_t sysadm_t : dbus send_msg ; 

# id -Z
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      28
# ls -l /home
total 0
# sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.33 -> dest=:1.35 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""
# ls -l /home
total 0
drwx------. 2 jenkins jenkins 62 Oct 26 13:05 jenkins
Comment 7 errata-xmlrpc 2016-11-03 22:40:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
