
Bug 1492892

Summary: rpc.yppasswdd not able to update password when selinux is disabled, not using /etc/ and MERGE_PASSWD is set to true
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Keck <ekeck>
Component: ypserv
Assignee: Petr Kubat <pkubat>
Status: CLOSED ERRATA
QA Contact: Vaclav Danek <vdanek>
Severity: high
Docs Contact: Jaroslav Klech <jklech>
Priority: high
Version: 7.3
CC: aish.pushpangadan, asakure, bill, hhorak, holger.berger, jklech, joey, kray, mmuzila, msugaya, ovasik, pkubat, sanner, trzyna, vdanek
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ypserv-2.31-11.el7
Doc Type: Bug Fix
Doc Text:
`rpc.yppasswdd` now updates passwords also with *SELinux* disabled

Previously, when the *SELinux* security module was disabled on the system, the `rpc.yppasswdd` update function failed to perform the update action. As a consequence, `rpc.yppasswdd` was unable to update the user password. With this update, `rpc.yppasswdd` checks whether *SELinux* is enabled on the system before detecting the *SELinux* context type for the `passwd` files. As a result, `rpc.yppasswdd` now correctly updates passwords in the described scenario.
Last Closed: 2018-10-30 07:56:35 UTC
Type: Bug
Bug Blocks: 1549615    
Attachments:
proposed patch (flags: none)

Description Eugene Keck 2017-09-18 22:05:04 UTC
Description of problem:
rpc.yppasswdd was not able to update the user password when selinux is disabled and passwd and shadow are moved to a directory other than /etc/ and merged.

Version-Release number of selected component (if applicable):
ypserv-2.31-10.el7

How reproducible:
Always

Steps to Reproduce:
1. Disable SELinux 
2. Change the maps from /etc/ to /var/yp/files/
3. Set MERGE_PASSWD=true

Actual results:
update local (uid=1000) from host 10.12.213.190 failed
Can't get selinux context /var/yp/files/passwd: No data available
Error while changing the NIS password.

Expected results:
update local (uid=1000) from host 10.12.213.190 successful.

Additional info:
If I use the default location of /etc/ or do not merge passwd and shadow, I was not able to reproduce this selinux check. It was only when I moved them out of /etc/ and set MERGE_PASSWD to true that this was triggered. This also works if I set selinux to permissive.

Comment 3 Joe Pruett 2017-09-25 16:27:03 UTC
seems to be broken with MERGE_PASSWD=false as well.

Comment 4 holger.berger 2017-10-02 14:05:10 UTC
There is an #ifdef check with the latest patch for SELINUX, which is always true in a normal build. I think that way you compile code that relies on SELinux being enabled, calling stuff that does not work when SELinux is disabled at runtime.

Comment 5 Wayne Trzyna 2017-10-06 16:47:36 UTC
Note:  This bug was introduced in ypserv-2.31-10.el7.
A workaround is to replace rpc.yppasswdd with the previous
version from ypserv-2.31-9.el7_3.

Comment 8 Petr Kubat 2018-01-09 08:07:30 UTC
Created attachment 1378915 [details]
proposed patch

Comment 9 Petr Kubat 2018-01-09 08:08:13 UTC
yppasswdd was checking the selinux context of passwd and shadow files even when selinux was disabled and failed because of it.

I have added a check for enabled selinux into the original patch introduced in ypserv-2.31-10 so that this failure will no longer happen.

Matej, can you take a quick look at the attached patch?
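
The runtime guard discussed in Comments 4 and 9, as an added example (not the attached patch and not ypserv code). Assumptions: the function and enum names are hypothetical, the /sys/fs/selinux/enforce probe stands in for libselinux's is_selinux_enabled(), and the label is read straight from the security.selinux xattr so the example builds without libselinux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

enum ctx_result { CTX_SKIPPED, CTX_OK, CTX_ERROR };

/* Assumption: a mounted selinuxfs means SELinux is active. Real code would
 * call libselinux's is_selinux_enabled() instead. */
static int selinux_active(void)
{
    return access("/sys/fs/selinux/enforce", F_OK) == 0;
}

/* Read the label from the security.selinux xattr, as getfilecon() does.
 * A file that was never labelled has no such xattr: errno is ENODATA,
 * which strerror() renders as "No data available". */
static int read_label(const char *path, char *buf, size_t len)
{
    ssize_t n = getxattr(path, "security.selinux", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Runtime guard: consult the label only when SELinux is active. */
enum ctx_result passwd_context(const char *path, int enabled, char *buf, size_t len)
{
    buf[0] = '\0';
    if (!enabled)
        return CTX_SKIPPED;          /* nothing to preserve, carry on */
    if (read_label(path, buf, len) == 0)
        return CTX_OK;
    fprintf(stderr, "Can't get selinux context %s: %s\n", path, strerror(errno));
    return CTX_ERROR;                /* abort the update only in this case */
}

int main(int argc, char **argv)
{
    char label[256];
    const char *path = argc > 1 ? argv[1] : "/var/yp/files/passwd";
    enum ctx_result r = passwd_context(path, selinux_active(), label, sizeof label);
    printf("%s: %s\n", path, r == CTX_SKIPPED ? "SELinux off, label check skipped"
                           : r == CTX_OK ? label : "label lookup failed");
    return r == CTX_ERROR;
}
```

A compile-time #ifdef only decides whether this code exists in the binary; the `enabled` argument is what keeps the lookup from running on a host where SELinux is switched off.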

Comment 10 Matej Mužila 2018-01-23 11:18:39 UTC
Hi, I'll look at it.

Comment 12 Bill Kanawyer 2018-02-22 18:35:56 UTC
This is still a problem as of 2018-02-22 on RHEL 7.4 and I've just had to downgrade from ypserv 2.31-10.el7.

Getting this patch corrected is mission critical for us as we depend on NIS functionality for several hundred users.

Comment 13 Aish Pushpangadan 2018-02-27 21:25:18 UTC
Please let us know on the status change on this bug as we have this same issue.

Comment 19 Matej Mužila 2018-05-09 09:38:13 UTC
Hi Petr,

I'm going to add it to Fedora 28, where the new (with ipv6 support) NIS is present.

Comment 20 Jaroslav Klech 2018-05-24 09:52:25 UTC
Hello Petr,

could you, please, check the doc_text and tell me whether it is still correct content-wise?

thank you

Jaroslav

Comment 21 Petr Kubat 2018-05-24 10:09:12 UTC
Looks good to me

Comment 22 David Sanner 2018-06-20 18:57:23 UTC
I was able to find a workaround by setting the selinux context of yp's passwd and shadow files.

chcon -h system_u:object_r:bin_t:s0  /etc/yp/{shadow,passwd}

Note the location of my NIS files under /etc/yp, your location may vary.

This works with: MERGE_PASSWD=true, RHEL 7.5 and ypserv-2.31-10.el7.x86_64

Workaround only, bug still outstanding for ypserv-2.31-10.el7.x86_64.

Comment 26 errata-xmlrpc 2018-10-30 07:56:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3047