Bug 1492892 - rpc.yppasswdd not able to update password when selinux is disabled, not using /etc/ and MERGE_PASSWD is set to true
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ypserv
7.3
All Linux
high Severity high
: rc
: ---
Assigned To: Petr Kubat
Vaclav Danek
Jaroslav Klech
: Patch
Depends On:
Blocks: 1549615
Reported: 2017-09-18 18:05 EDT by Eugene Keck
Modified: 2018-10-30 03:56 EDT

See Also:
Fixed In Version: ypserv-2.31-11.el7
Doc Type: Bug Fix
Doc Text:
`rpc.yppasswdd` now updates passwords also with *SELinux* disabled

Previously, when the *SELinux* security module was disabled on the system, the `rpc.yppasswdd` update function failed to perform the update action. As a consequence, `rpc.yppasswdd` was unable to update the user password. With this update, `rpc.yppasswdd` checks whether *SELinux* is enabled on the system before detecting the *SELinux* context type for the `passwd` files. As a result, `rpc.yppasswdd` now correctly updates passwords in the described scenario.
Last Closed: 2018-10-30 03:56:35 EDT
Type: Bug


Attachments
proposed patch (6.07 KB, patch)
2018-01-09 03:07 EST, Petr Kubat


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3047 None None None 2018-10-30 03:56 EDT

Description Eugene Keck 2017-09-18 18:05:04 EDT
Description of problem:
rpc.yppasswdd was not able to update the user password when selinux is disabled and passwd and shadow moved to a directory other than /etc/ and merged.

Version-Release number of selected component (if applicable):
ypserv-2.31-10.el7

How reproducible:
Always

Steps to Reproduce:
1. Disable SELinux 
2. Change the maps from /etc/ to /var/yp/files/
3. Set MERGE_PASSWD=true

Actual results:
update local (uid=1000) from host 10.12.213.190 failed
Can't get selinux context /var/yp/files/passwd: No data available
Error while changing the NIS password.

Expected results:
update local (uid=1000) from host 10.12.213.190 successful.

Additional info:
If I use the default location of /etc/ or do not merge passwd and shadow, I was not able to reproduce this selinux check. It was only when I moved them out of /etc/ and set MERGE_PASSWD to true that this was triggered. This also works if I set selinux to permissive.
Comment 3 Joe Pruett 2017-09-25 12:27:03 EDT
Seems to be broken with MERGE_PASSWD=false as well.
Comment 4 holger.berger 2017-10-02 10:05:10 EDT
There is an #ifdef check with the latest patch for SELINUX, which is always true in a normal build. I think that way you compile code that relies on enabled SELinux, calling stuff that does not work when SELinux is disabled at runtime.
Comment 5 Wayne Trzyna 2017-10-06 12:47:36 EDT
Note:  This bug was introduced in ypserv-2.31-10.el7.
A workaround is to replace rpc.yppasswdd with the previous
version from ypserv-2.31-9.el7_3.
Comment 8 Petr Kubat 2018-01-09 03:07 EST
Created attachment 1378915
proposed patch
Comment 9 Petr Kubat 2018-01-09 03:08:13 EST
yppasswdd was checking the selinux context of passwd and shadow files even when selinux was disabled and failed because of it.

I have added a check for enabled selinux into the original patch introduced in ypserv-2.31-10 so that this failure will no longer happen.

Matej, can you take a quick look at the attached patch?
Comment 10 Matej Mužila 2018-01-23 06:18:39 EST
Hi, I'll look at it.
Comment 12 Bill Kanawyer 2018-02-22 13:35:56 EST
This is still a problem as of 2018-02-22 on RHEL 7.4 and I've just had to downgrade from ypserv 2.31-10.el7.

Getting this patch corrected is mission critical for us as we depend on NIS functionality for several hundred users.
Comment 13 Aish Pushpangadan 2018-02-27 16:25:18 EST
Please let us know of any status change on this bug, as we have this same issue.
Comment 19 Matej Mužila 2018-05-09 05:38:13 EDT
Hi Petr,

I'm going to add it to Fedora 28, where the new (with ipv6 support) NIS is present.
Comment 20 Jaroslav Klech 2018-05-24 05:52:25 EDT
Hello Petr,

could you, please, check the doc_text and tell me whether it is still correct content-wise?

thank you

Jaroslav
Comment 21 Petr Kubat 2018-05-24 06:09:12 EDT
Looks good to me
Comment 22 David Sanner 2018-06-20 14:57:23 EDT
I was able to find a workaround by setting the selinux context of yp's passwd and shadow files.

chcon -h system_u:object_r:bin_t:s0  /etc/yp/{shadow,passwd}

Note the location of my NIS files under /etc/yp, your location may vary.

This works with: MERGE_PASSWD=true, RHEL 7.5 and ypserv-2.31-10.el7.x86_64

Workaround only, bug still outstanding for ypserv-2.31-10.el7.x86_64.
Comment 26 errata-xmlrpc 2018-10-30 03:56:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3047
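
The runtime guard described in the Doc Text and in comment 9, as an added example that is not the attached patch or ypserv code: the file label is read only when SELinux is active, so a missing `security.selinux` xattr (ENODATA, "No data available") no longer aborts the update. Assumptions: `selinux_enabled_at_runtime()` is a stand-in for libselinux's `is_selinux_enabled()` so the block builds without libselinux, and `context_for_update()` is a hypothetical name.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Stand-in for libselinux's is_selinux_enabled(): selinuxfs is only
 * mounted when SELinux is active. (Assumption: default mount point.) */
static int selinux_enabled_at_runtime(void)
{
    return access("/sys/fs/selinux/enforce", F_OK) == 0;
}

/* Read the label from the security.selinux xattr, which is where
 * getfilecon() gets it. Returns 0 on success, -1 with errno set. len >= 1. */
static int read_file_context(const char *path, char *buf, size_t len)
{
    ssize_t n = getxattr(path, "security.selinux", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Guarded check: 1 = context read, 0 = skipped (SELinux off), -1 = error.
 * `enabled` is passed in so both branches can be exercised on any host. */
int context_for_update(const char *path, int enabled, char *buf, size_t len)
{
    if (!enabled) {
        buf[0] = '\0';
        return 0;            /* no label to preserve, continue the update */
    }
    if (read_file_context(path, buf, len) < 0) {
        fprintf(stderr, "Can't get selinux context %s: %s\n", path, strerror(errno));
        return -1;           /* SELinux is on and the label is unreadable */
    }
    return 1;
}

int main(void)
{
    char ctx[256];
    const char *path = "/var/yp/files/passwd";   /* path from the report */
    int rc = context_for_update(path, selinux_enabled_at_runtime(), ctx, sizeof ctx);
    printf("%s: rc=%d context='%s'\n", path, rc, rc == 1 ? ctx : "");
    return rc < 0;
}
```

A compile-time `#ifdef` alone, as comment 4 points out, cannot make this distinction; the decision has to be taken at runtime on the host where the daemon runs.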
