Description of problem:
The `mkhomedirfor` script shipped with oddjob-mkhomedir, used for manually creating a home directory via oddjob-mkhomedir, cannot be run by confined users (e.g. when the *mls* policy is in use).

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.13.1-60.el7.noarch

Steps to Reproduce:
1. Enable mls SELinux policy
2. Add a user without creating a home directory (or use e.g. LDAP)
3. Run mkhomedirfor <username>

Actual results:
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
Error org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.374" (uid=0 pid=14464 comm="dbus-send --system --dest=com.redhat.oddjob_mkhome") interface="com.redhat.oddjob_mkhomedir" member="mkhomedirfor" error name="(unset)" requested_reply="0" destination="com.redhat.oddjob_mkhomedir" (uid=0 pid=1254 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")

Expected results:
$ sudo sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.6 -> dest=:1.369 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""

Additional info:
Here is the relevant AVC denial:

type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Adding these two rules resolves the issue:

allow userdomain oddjob_t:dbus send_msg;
allow oddjob_t userdomain:dbus send_msg;
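As an added illustration (not part of the bug report, of oddjob or of selinux-policy), the following Python shows how the two allow rules above are derived from the USER_AVC record: it pulls the source type, target type, object class and permissions out of the audit line, adds the reverse-direction dbus rule that a method-call reply needs, and renders a minimal `.te` source for a local policy module. The function names (`parse_denial`, `rules_for`, `build_te_module`) and the module name `oddjob_mkhomedir_local` are this example's own choices, and the second sample record (a kernel AVC on a file) is constructed to show the parser is not tied to the dbus layout.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: the USER_AVC record quoted in the bug report.
# dbus-daemon logs its denials as USER_AVC, with the "avc: denied" text
# inside the quoted msg='...' field rather than at top level.
SAMPLE_USER_AVC = (
    "type=USER_AVC msg=audit(1452526423.932:92111): pid=659 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor "
    "dest=com.redhat.oddjob_mkhomedir spid=14464 tpid=1254 "
    "scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:system_r:oddjob_t:s0-s15:c0.c1023 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

# Constructed sample (not from the bug report) of an ordinary kernel AVC
# record, to show that the same parser copes with the non-dbus layout.
SAMPLE_KERNEL_AVC = (
    "type=AVC msg=audit(1452526424.000:92112): avc:  denied  { read open } for "
    "pid=14464 comm=\"dbus-send\" path=\"/etc/example.conf\" dev=\"dm-0\" ino=12345 "
    "scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0"
)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]   # permissions listed inside { ... }
    source_type: str         # type field of scontext
    target_type: str         # type field of tcontext
    tclass: str              # object class (dbus, file, ...)


_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_FIELD = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")


def _type_of(context: str) -> str:
    # user:role:type[:sensitivity[:categories]] -> the type is always field 3,
    # so the MLS range (s0-s15:c0.c1023) that follows it is simply ignored
    return context.split(":")[2]


def parse_denial(line: str) -> Optional[Denial]:
    """Return the Denial described by an AVC/USER_AVC audit record, or None."""
    m = _PERMS.search(line)
    fields = dict(_FIELD.findall(line))
    if m is None or not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return Denial(tuple(m.group(1).split()),
                  _type_of(fields["scontext"]),
                  _type_of(fields["tcontext"]),
                  fields["tclass"])


def _perm_set(perms) -> str:
    # policy syntax: a single permission is bare, several are brace-enclosed
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def rules_for(d: Denial, source: Optional[str] = None) -> List[str]:
    """Allow rule(s) that would satisfy one denial (optionally with the
    source type replaced, e.g. by an attribute such as userdomain)."""
    src = source or d.source_type
    rules = [f"allow {src} {d.target_type}:{d.tclass} {_perm_set(d.perms)};"]
    # A D-Bus method call is answered by a reply travelling the other way,
    # so a send_msg denial needs the reverse rule as well (the report adds both).
    if d.tclass == "dbus" and "send_msg" in d.perms:
        rules.append(f"allow {d.target_type} {src}:dbus send_msg;")
    return rules


def build_te_module(name: str, denials: Iterable[Denial],
                    source_attribute: Optional[str] = None) -> str:
    """Render minimal .te source for a local module covering the denials.

    source_attribute swaps the concrete source type for a policy attribute;
    the bug report uses userdomain so that every user domain, not only
    sysadm_t, may exchange messages with oddjob_t.  Nothing is loaded here.
    """
    types, attrs, perms_by_class, rules = set(), set(), {}, []
    for d in denials:
        src = source_attribute or d.source_type
        (attrs if source_attribute else types).add(src)
        types.add(d.target_type)
        perms_by_class.setdefault(d.tclass, set()).update(d.perms)
        rules.extend(rules_for(d, source=src))
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    attribute {a};" for a in sorted(attrs)]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {_perm_set(sorted(p))};"
              for c, p in sorted(perms_by_class.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denial = parse_denial(SAMPLE_USER_AVC)
    print(build_te_module("oddjob_mkhomedir_local", [denial],
                          source_attribute="userdomain"))
```

The rendered `.te` text is the input one would give to `checkmodule -M -m` and `semodule_package` before `semodule -i`; that is only a stop-gap on a system still running the affected policy, since the errata build verified below carries the rules in selinux-policy-mls itself. Widening the source to the `userdomain` attribute, as the reporter did, is what makes the fix cover every confined user domain rather than just the sysadm_t case seen in the denial.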
Thank you for testing.
# rpm -qa selinux\*
selinux-policy-mls-3.13.1-102.el7.noarch
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch

# sesearch -s sysadm_t -t oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30
Found 1 semantic av rules:
   allow sysadm_t oddjob_t : dbus send_msg ;

# sesearch -t sysadm_t -s oddjob_t -c dbus -p send_msg -A -C /etc/selinux/mls/policy/policy.30
Found 1 semantic av rules:
   allow oddjob_t sysadm_t : dbus send_msg ;

# id -Z
root:sysadm_r:sysadm_t:s0

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      28

# ls -l /home
total 0

# sh /usr/share/doc/oddjob-mkhomedir-0.31.5/mkhomedirfor jenkins
method return sender=:1.33 -> dest=:1.35 reply_serial=2
   int32 0
   string "Creating home directory for jenkins."
   string ""

# ls -l /home
total 0
drwx------. 2 jenkins jenkins 62 Oct 26 13:05 jenkins
#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html