Bug 1378204 - seusers contains a login for a user named "system_u"
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1382880 1384809 1385379
Reported: 2016-09-21 20:05 UTC by Gary Tierney
Modified: 2016-11-10 03:30 UTC
Last Closed: 2016-11-10 03:30:11 UTC

Description Gary Tierney 2016-09-21 20:05:04 UTC
Description of problem:

In current policy there is a login named system_u mapped to the system_u SELinux user.  This seems to have been used in the past to allow daemons like cronie to get a default context for a "system" user: https://github.com/henrysher/cronie/commit/e5280235809844f54d5956ec281472b63dcfc3f4

With a recent patch submitted to genhomedircon which removes the hardcoded user identifier (and a conditional which skips homedir context generation for that login) we now see a warning:

libsemanage.add_user: user system_u not in password file

Version-Release number of selected component (if applicable):

3.13.1-191.14.fc24

How reproducible:
Steps to Reproduce:

Run genhomedircon with new patch

See http://marc.info/?t=147317021100002&r=1&w=2

Actual results:

A warning that no login exists for a user named "system_u"

Expected results:

No warnings

Additional info:
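
The condition behind the warning above can be checked directly against a seusers file. The following is an added example, not part of the original report and not code from genhomedircon or libsemanage: it parses `login:seuser[:range]` lines and lists logins that have no account. The function names, the stubbed account lookup, and the choice to skip `__default__` and `%group` entries are assumptions of this example; the sample contents are the appconfig-mcs/seusers lines shown in the patch in comment 5.

```python
import pwd


def parse_seusers(text):
    """Yield (login, seuser, mls_range) per mapping line; mls_range may be None."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # maxsplit=2: an MLS range such as s0-s0:c0.c1023 contains colons itself
        parts = line.split(":", 2)
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError(f"malformed seusers line: {raw!r}")
        yield parts[0], parts[1], (parts[2] if len(parts) == 3 else None)


def has_passwd_entry(name):
    """True if the name resolves through the system password database."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def logins_without_account(text, account_exists=has_passwd_entry):
    """Return [(login, seuser)] for mappings whose login has no account."""
    missing = []
    for login, seuser, _range in parse_seusers(text):
        # Assumption of this example: __default__ and %group entries are not
        # individual accounts, so they are not looked up.
        if login == "__default__" or login.startswith("%"):
            continue
        if not account_exists(login):
            missing.append((login, seuser))
    return missing


# appconfig-mcs/seusers before and after the patch in comment 5
SEUSERS_BEFORE = """system_u:system_u:s0-mcs_systemhigh
root:unconfined_u:s0-mcs_systemhigh
__default__:unconfined_u:s0-mcs_systemhigh
"""
SEUSERS_AFTER = SEUSERS_BEFORE.split("\n", 1)[1]

if __name__ == "__main__":
    known = {"root"}  # constructed stand-in for the password file
    print(logins_without_account(SEUSERS_BEFORE, lambda n: n in known))
    print(logins_without_account(SEUSERS_AFTER, lambda n: n in known))
```

Called without the second argument, `logins_without_account` consults the real password database through `pwd.getpwnam`.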

Comment 1 Fedora Admin XMLRPC Client 2016-09-27 15:09:30 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Orion Poplawski 2016-10-05 21:29:35 UTC
Still present with selinux-policy-3.13.1-218.fc26.noarch

Comment 3 Petr Lautrbach 2016-10-10 10:21:17 UTC
*** Bug 1382880 has been marked as a duplicate of this bug. ***

Comment 4 Petr Lautrbach 2016-10-10 11:41:52 UTC
A temporary Rawhide scratch build with system_u removed can be found here - 
http://koji.fedoraproject.org/koji/taskinfo?taskID=16027663

Comment 5 Petr Lautrbach 2016-10-10 11:56:42 UTC
To fix it in dist-git, extract config.tgz, use the following patch and recreate the archive config.tgz.

diff -r -u config/appconfig-mcs/seusers config.fixed/appconfig-mcs/seusers
--- config/appconfig-mcs/seusers        2009-08-28 21:06:34.000000000 +0200
+++ config.fixed/appconfig-mcs/seusers  2016-10-10 13:52:22.706584896 +0200
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mcs_systemhigh
 root:unconfined_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0-mcs_systemhigh
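Review bot: Removing `system_u:system_u:s0-mcs_systemhigh` from appconfig-mcs/seusers leaves the login name system_u without an explicit mapping, so a lookup for it falls to the remaining `__default__:unconfined_u:s0-mcs_systemhigh` line and yields unconfined_u rather than system_u. The bug description says cronie appears to have relied on this login in the past; please confirm that no current caller still requests it and state that in the changelog.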
diff -r -u config/appconfig-mls/seusers config.fixed/appconfig-mls/seusers
--- config/appconfig-mls/seusers        2009-08-28 20:59:08.000000000 +0200
+++ config.fixed/appconfig-mls/seusers  2016-10-10 13:52:22.812584921 +0200
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mls_systemhigh
 root:root:s0-mls_systemhigh
 __default__:user_u:s0
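Review bot: In appconfig-mls/seusers the fallback left after this removal is `__default__:user_u:s0`, so a lookup of the login system_u would now resolve to user_u at s0 instead of system_u at s0-mls_systemhigh. Unlike the mcs file, where `__default__` keeps the same range, this drops both the SELinux user and the range, so the MLS policy type deserves its own verification before the archive is rebuilt.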
diff -r -u config/appconfig-standard/seusers config.fixed/appconfig-standard/seusers
--- config/appconfig-standard/seusers   2009-08-28 20:59:08.000000000 +0200
+++ config.fixed/appconfig-standard/seusers     2016-10-10 13:52:22.742584905 +0200
@@ -1,3 +1,2 @@
-system_u:system_u
 root:root
 __default__:user_u
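Review bot: Missing documentation: none of the three hunks, this appconfig-standard/seusers one included, records why the `system_u:system_u` line can be dropped. Because the patch is applied by hand to an unpacked config.tgz, add a changelog or commit note citing the genhomedircon warning (`libsemanage.add_user: user system_u not in password file`) so the reason survives the next time the archive is recreated.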

Comment 6 Petr Lautrbach 2016-10-10 13:06:29 UTC
http://koji.fedoraproject.org/koji/taskinfo?taskID=16028136  fc25 scratch build

Comment 7 Lukas Vrabec 2016-10-10 14:43:08 UTC
Thank you, Petr, for the builds.

Comment 8 Petr Lautrbach 2016-10-14 08:41:16 UTC
*** Bug 1384809 has been marked as a duplicate of this bug. ***

Comment 9 Petr Lautrbach 2016-10-16 16:29:29 UTC
*** Bug 1385379 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2016-11-04 12:12:13 UTC
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 11 Fedora Update System 2016-11-05 03:36:41 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 12 Fedora Update System 2016-11-10 03:30:11 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

