Bug 1492892 - rpc.yppasswdd not able to update password when selinux is disabled, not using /etc/ and MERGE_PASSWD is set to true
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ypserv
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Petr Kubat
QA Contact: Vaclav Danek
Docs Contact: Jaroslav Klech
Blocks: 1549615
Reported: 2017-09-18 22:05 UTC by Eugene Keck
Modified: 2021-12-10 15:16 UTC

Fixed In Version: ypserv-2.31-11.el7
Doc Type: Bug Fix
Doc Text:
`rpc.yppasswdd` now updates passwords also with *SELinux* disabled
Previously, when the *SELinux* security module was disabled on the system, the `rpc.yppasswdd` update function failed to perform the update action. As a consequence, `rpc.yppasswdd` was unable to update the user password. With this update, `rpc.yppasswdd` checks whether *SELinux* is enabled on the system before detecting the *SELinux* context type for the `passwd` files. As a result, `rpc.yppasswdd` now correctly updates passwords in the described scenario.
Last Closed: 2018-10-30 07:56:35 UTC

Attachments
proposed patch (6.07 KB, patch), 2018-01-09 08:07 UTC, Petr Kubat


Links
Red Hat Product Errata RHBA-2018:3047 (last updated 2018-10-30 07:56:47 UTC)

Description Eugene Keck 2017-09-18 22:05:04 UTC
Description of problem:
rpc.yppasswdd was not able to update the user password when selinux is disabled and passwd and shadow are moved to a directory other than /etc/ and merged.

Version-Release number of selected component (if applicable):
ypserv-2.31-10.el7

How reproducible:
Always

Steps to Reproduce:
1. Disable SELinux
2. Change the maps from /etc/ to /var/yp/files/
3. Set MERGE_PASSWD=true

Actual results:
update local (uid=1000) from host 10.12.213.190 failed
Can't get selinux context /var/yp/files/passwd: No data available
Error while changing the NIS password.

Expected results:
update local (uid=1000) from host 10.12.213.190 successful.

Additional info:
If I use the default location of /etc/ or do not merge passwd and shadow, I was not able to reproduce this selinux check. It was only when I moved them out of /etc/ and set MERGE_PASSWD to true that this was triggered. This also works if I set selinux to permissive.

Comment 3 Joe Pruett 2017-09-25 16:27:03 UTC
seems to be broken with MERGE_PASSWD=false as well.

Comment 4 holger.berger 2017-10-02 14:05:10 UTC
There is an #ifdef check with the latest patch for SELINUX, which is always true in a normal build. I think like that you compile code that relies on enabled SELinux, calling stuff not working when SELinux is disabled at runtime.

Comment 5 Wayne Trzyna 2017-10-06 16:47:36 UTC
Note:  This bug was introduced in ypserv-2.31-10.el7.
A workaround is to replace rpc.yppasswdd with the previous
version from ypserv-2.31-9.el7_3.

Comment 8 Petr Kubat 2018-01-09 08:07:30 UTC
Created attachment 1378915
proposed patch

Comment 9 Petr Kubat 2018-01-09 08:08:13 UTC
yppasswdd was checking the selinux context of passwd and shadow files even when selinux was disabled and failed because of it.

I have added a check for enabled selinux into the original patch introduced in ypserv-2.31-10 so that this failure will no longer happen.

Matej, can you take a quick look at the attached patch?
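
The guard described in comment 9 and in the Doc Text, sketched as an added example; it is not the attached patch or ypserv code. It assumes Linux, reads the label with `getxattr` on `security.selinux` rather than libselinux's `getfilecon`, and uses a hypothetical `selinux_active()` check on `/sys/fs/selinux/enforce` as a stand-in for `is_selinux_enabled()`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Hypothetical stand-in for libselinux is_selinux_enabled(): selinuxfs is
 * only mounted while SELinux is active (assumes the default mount point). */
static int selinux_active(void)
{
    return access("/sys/fs/selinux/enforce", F_OK) == 0;
}

/* Unguarded lookup (the failing pattern): every xattr error is fatal,
 * including ENODATA ("No data available") on a file that has no label. */
static int context_unguarded(const char *path, char *ctx, size_t len)
{
    if (len == 0) { errno = EINVAL; return -1; }
    ssize_t n = getxattr(path, "security.selinux", ctx, len - 1);
    if (n < 0)
        return -1;
    ctx[n] = '\0';
    return 0;
}

/* Guarded lookup: with SELinux off there is no context to carry over to the
 * rewritten file, so return an empty one and let the update continue. */
static int context_guarded(const char *path, int enabled, char *ctx, size_t len)
{
    if (len == 0) { errno = EINVAL; return -1; }
    ctx[0] = '\0';
    if (!enabled)
        return 0;
    return context_unguarded(path, ctx, len);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/yp/files/passwd";
    char ctx[256];
    if (context_guarded(path, selinux_active(), ctx, sizeof ctx) != 0) {
        fprintf(stderr, "Can't get selinux context %s: %s\n", path, strerror(errno));
        return 1;
    }
    printf("%s: context '%s'\n", path, ctx[0] ? ctx : "(none, SELinux disabled)");
    return 0;
}
```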

Comment 10 Matej Mužila 2018-01-23 11:18:39 UTC
Hi, I'll look at it.

Comment 12 Bill Kanawyer 2018-02-22 18:35:56 UTC
This is still a problem as of 2018-02-22 on RHEL 7.4 and I've just had to downgrade from ypserv 2.31-10.el7.

Getting this patch corrected is mission critical for us as we depend on NIS functionality for several hundred users.

Comment 13 Aish Pushpangadan 2018-02-27 21:25:18 UTC
Please let us know on the status change on this bug as we have this same issue.

Comment 19 Matej Mužila 2018-05-09 09:38:13 UTC
Hi Petr,

I'm going to add it to Fedora 28, where the new (with ipv6 support) NIS is present.

Comment 20 Jaroslav Klech 2018-05-24 09:52:25 UTC
Hello Petr,

could you, please, check the doc_text and tell me whether it is still correct content-wise?

thank you

Jaroslav

Comment 21 Petr Kubat 2018-05-24 10:09:12 UTC
Looks good to me

Comment 22 David Sanner 2018-06-20 18:57:23 UTC
I was able to find a workaround by setting the selinux context of yp's passwd and shadow files.

chcon -h system_u:object_r:bin_t:s0  /etc/yp/{shadow,passwd}

Note the location of my NIS files under /etc/yp, your location may vary.

This works with: MERGE_PASSWD=true, RHEL 7.5 and ypserv-2.31-10.el7.x86_64

Workaround only, bug still outstanding for ypserv-2.31-10.el7.x86_64.

Comment 26 errata-xmlrpc 2018-10-30 07:56:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3047

