Bug 1421573

Summary: Creating users home directory with oddjob-mkhomedir is no longer working with SElinux enforcing
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.3
Status: CLOSED WONTFIX
Severity: high
Priority: high
Reporter: Arya Rajendran <arajendr>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: arajendr, cww, jpruente, ktadimar, lvrabec, mgrepl, mmalik, plautrba, pvrabec, qe-baseos-security, rws228, ssekidde
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2018-06-06 07:34:47 UTC
Bug Blocks: 1477664

Comment 2 jpruente 2017-03-14 15:03:44 UTC
I also experience this on a Fedora Rawhide system. Fully updated as of 2017-03-14, oddjob 0.34.4-1.fc26, oddjob-mkhomedir 0.34.4-1.fc26, selinux-policy 3.13.1-244.fc27

Below is the journal output of an attempt to ssh in as a valid LDAP user where oddjob-mkhomedir is denied creation of the home dir by selinux. If selinux is set to permissive the homedir creation succeeds.

Mar 14 09:46:58 jpruente-vm audit[1716]: CRYPTO_KEY_USER pid=1716 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1717 suid=74 rport=51617 laddr=10.1.1.18 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.1.1.20 terminal=? res=success'
Mar 14 09:46:58 jpruente-vm audit[1716]: USER_AUTH pid=1716 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="jpruente" exe="/usr/sbin/sshd" hostname=? addr=10.1.1.20 terminal=ssh res=success'
Mar 14 09:46:58 jpruente-vm audit[1716]: CRED_ACQ pid=1716 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="jpruente" exe="/usr/sbin/sshd" hostname=10.1.1.20 addr=10.1.1.20 terminal=ssh res=success'
Mar 14 09:46:58 jpruente-vm audit[1716]: USER_ROLE_CHANGE pid=1716 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=10.1.1.20 addr=10.1.1.20 terminal=ssh res=success'
Mar 14 09:46:58 jpruente-vm systemd[1]: Created slice User Slice of jpruente.
Mar 14 09:46:58 jpruente-vm systemd[1]: Starting User Manager for UID 200045...
Mar 14 09:46:58 jpruente-vm systemd-logind[528]: New session 10 of user jpruente.
Mar 14 09:46:58 jpruente-vm systemd[1]: Started Session 10 of user jpruente.
Mar 14 09:46:58 jpruente-vm audit[1718]: USER_ACCT pid=1718 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="jpruente" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:58 jpruente-vm audit[1718]: USER_ROLE_CHANGE pid=1718 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:58 jpruente-vm audit[514]: USER_AVC pid=514 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=1718 tpid=554 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 14 09:46:58 jpruente-vm systemd[1718]: pam_unix(systemd-user:session): session opened for user jpruente by (uid=0)
Mar 14 09:46:58 jpruente-vm audit[1718]: USER_START pid=1718 uid=0 auid=200045 ses=11 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="jpruente" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:58 jpruente-vm systemd[1718]: Reached target Timers.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Starting D-Bus User Message Bus Socket.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Reached target Paths.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Listening on D-Bus User Message Bus Socket.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Reached target Sockets.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Reached target Basic System.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Reached target Default.
Mar 14 09:46:58 jpruente-vm systemd[1718]: Startup finished in 118ms.
Mar 14 09:46:58 jpruente-vm audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@200045 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:58 jpruente-vm systemd[1]: Started User Manager for UID 200045.
Mar 14 09:46:58 jpruente-vm audit[1724]: AVC avc:  denied  { create } for  pid=1724 comm="mkhomedir" name="jpruente" scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
Mar 14 09:46:58 jpruente-vm oddjob-mkhomedir[1724]: error creating /ldaphome/jpruente: Permission denied
Mar 14 09:46:59 jpruente-vm sshd[1716]: pam_unix(sshd:session): session opened for user jpruente by (uid=0)
Mar 14 09:46:59 jpruente-vm audit[1716]: USER_START pid=1716 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_lastlog acct="jpruente" exe="/usr/sbin/sshd" hostname=10.1.1.20 addr=10.1.1.20 terminal=ssh res=success'
Mar 14 09:46:59 jpruente-vm audit[1725]: CRYPTO_KEY_USER pid=1725 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:00:00:00:00:00:00:00:00:00:00 direction=? spid=1725 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:59 jpruente-vm audit[1725]: CRYPTO_KEY_USER pid=1725 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:11:11:11:11:11:11:11:11:11:11 direction=? spid=1725 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:59 jpruente-vm audit[1725]: CRYPTO_KEY_USER pid=1725 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:22:22:22:22:22:22:22:22:22:22 direction=? spid=1725 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Mar 14 09:46:59 jpruente-vm audit[1725]: CRED_ACQ pid=1725 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="jpruente" exe="/usr/sbin/sshd" hostname=10.1.1.20 addr=10.1.1.20 terminal=ssh res=success'
Mar 14 09:46:59 jpruente-vm audit[1716]: USER_LOGIN pid=1716 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=200045 exe="/usr/sbin/sshd" hostname=10.1.1.20 addr=10.1.1.20 terminal=/dev/pts/2 res=success'
Mar 14 09:46:59 jpruente-vm audit[1716]: USER_START pid=1716 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=200045 exe="/usr/sbin/sshd" hostname=10.1.1.20 addr=10.1.1.20 terminal=/dev/pts/2 res=success'
Mar 14 09:46:59 jpruente-vm audit[1716]: CRYPTO_KEY_USER pid=1716 uid=0 auid=200045 ses=10 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:22:22:22:22:22:22:22:22:22:22 direction=? spid=1726 suid=200045  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
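
A triage sketch for the journal output in comment 2, added here as an example and not part of the bug report or of any Red Hat tooling: it pulls the AVC and USER_AVC denials out of the journal text and reduces each to source type, target type, class and permissions. The function names and the `fallback_label` flag are assumptions of this example; `default_t` is the policy's fallback file label for paths that match no more specific file-context rule.

```python
import re

# The two denial records from the journal output in comment 2, plus one
# unrelated line. The USER_AVC record, wrapped in the journal, is rejoined.
JOURNAL = """\
Mar 14 09:46:58 jpruente-vm audit[514]: USER_AVC pid=514 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.oddjob_mkhomedir member=mkhomedirfor dest=com.redhat.oddjob_mkhomedir spid=1718 tpid=554 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Mar 14 09:46:58 jpruente-vm systemd[1]: Started User Manager for UID 200045.
Mar 14 09:46:58 jpruente-vm audit[1724]: AVC avc:  denied  { create } for  pid=1724 comm="mkhomedir" name="jpruente" scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Reduce each AVC/USER_AVC denial to the fields needed for triage."""
    denials = []
    for line in text.splitlines():
        match = DENIAL.search(line)
        if match is None:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(match.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: skip rather than guess
        target = selinux_type(fields["tcontext"])
        denials.append({
            "perms": match.group("perms").split(),
            "source": selinux_type(fields["scontext"]),
            "target": target,
            "tclass": fields["tclass"],
            "name": fields.get("name"),  # absent on the D-Bus USER_AVC record
            # default_t: the object sits under a path with no specific
            # file-context rule, so check labeling before writing allow rules.
            "fallback_label": target == "default_t",
        })
    return denials


if __name__ == "__main__":
    for d in parse_denials(JOURNAL):
        print(d)
```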

Comment 25 Lukas Vrabec 2018-06-12 13:21:55 UTC
*** Bug 1376401 has been marked as a duplicate of this bug. ***