Description of problem: When oddjob-mkhomedir tries to cretate .bash_profile for a remote user, it is not allowed by selinux-policy. May 11 06:46:23 qeos-21.ad.baseos.qe oddjob-mkhomedir[20980]: error creating /home/amy.qe/.bash_profile: Permission denied Version-Release number of selected component (if applicable): selinux-policy-3.14.1-17.fc28 oddjob-mkhomedir-0.34.4-4.fc28 How reproducible: always Steps to Reproduce: 1. Start oddjob-mkhomedir service 2. Confugure the system to use remote accounts (e.g. IPA) 3. Login as a remote user, which has no local home directory. Actual results: type=PROCTITLE msg=audit(05/11/2018 06:46:23.054:1039) : proctitle=mkhomedir type=SYSCALL msg=audit(05/11/2018 06:46:23.054:1039) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffea9cfe5b0 a2=O_WRONLY|O_CREAT|O_EXCL a3=0x8180 items=0 ppid=5235 pid=20980 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mkhomedir exe=/usr/libexec/oddjob/mkhomedir subj=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/11/2018 06:46:23.054:1039) : avc: denied { dac_override } for pid=20980 comm=mkhomedir capability=dac_override scontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:system_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tclass=capability permissive=0
Looks like this was already fixed in selinux-policy-3.14.1-24.fc28. sesearch -A -s oddjob_mkhomedir_t -t oddjob_mkhomedir_t -c capability allow oddjob_mkhomedir_t oddjob_mkhomedir_t:capability { chown dac_override dac_read_search fowner fsetid }; Closing the case. Sorry for the noise.