RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1811310 - SE policies fail oddjob-mkhomedir when /home via autofs
Summary: SE policies fail oddjob-mkhomedir when /home via autofs
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
medium
urgent
Target Milestone: rc
: 8.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-07 12:16 UTC by lejeczek
Modified: 2022-01-05 13:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-07 07:27:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description lejeczek 2020-03-07 12:16:16 UTC 
Description of problem:

...
oddjob-mkhomedir[2215]: error creating /home/aeo2: Permission denied
...

Above occurs when autofs mounts a gluster vol under /home


$ ausearch -ts 12:10 | audit2allow 


#============= automount_t ==============
allow automount_t mount_t:process { noatsecure rlimitinh siginh };

#============= oddjob_t ==============
allow oddjob_t oddjob_mkhomedir_t:process { noatsecure rlimitinh siginh };

#============= sssd_t ==============
allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };


And probably more. Easy to reproduce.
Would be fantastic to have booleans for these!
many thanks, L

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-20.el8.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Zdenek Pytela 2020-03-09 08:06:18 UTC 
Thank you for reporting the issue.

The AVC denials reported are usually dontaudited, supposedly you rebuilt selinux-policy on the system with dontaudit rules disabled.

Does the same issue appear when selinux is in permissive mode? Are there any AVC denials reported different to the ones mentioned above?
Comment 2 lejeczek 2020-03-10 08:29:47 UTC 
Yes, with -DB.

It does, actually it's weird in my opinion.

I have this:
- in /etc/auto.master.d/off-LOCALHOST.autofs
/home.foreign /etc/auto.master.d/foreign.users.home.off-LOCALHOST

I copied fcontext from /home to /home.foreign:
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 May 11  2019 /home
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 Mar  7 12:08 /home.foreign

- in /etc/auto.master.d/foreign.users.home.off-LOCALHOST
* -fstype=glusterfs,rw,acl 10.5.8.97,10.5.8.65,10.5.8.49:/FOREING-USER-HOME/&

And with permissive=1 & autofs mounted I cannot even mkdir in /home.foreign (so it's not just oddjob)
$ mount
10.5.8.97:FOREING-USER-HOME/eo2 on /home.foreign/eo2 type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)

And weir part is - when I mount it under.. lets say /0-DATA/FOREIGN then the problem does not occur.

And even with -DB not much gets reported.

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t self:capability net_admin

After having the following module in the policy already.

module oddjob-autofs 1.0;

require {
	type sssd_selinux_manager_t;
	type oddjob_mkhomedir_t;
	type sssd_t;
	type oddjob_t;
	type mount_t;
	type automount_t;
	class process { noatsecure rlimitinh siginh };
	class capability net_admin;
}

#============= automount_t ==============

#!!!! This avc is allowed in the current policy
allow automount_t mount_t:process { noatsecure rlimitinh siginh };

#!!!! This avc is allowed in the current policy
allow automount_t self:capability net_admin;

#============= oddjob_t ==============

#!!!! This avc is allowed in the current policy
allow oddjob_t oddjob_mkhomedir_t:process { noatsecure rlimitinh siginh };

#============= sssd_t ==============

#!!!! This avc is allowed in the current policy
allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };
Comment 3 lejeczek 2020-03-10 08:48:22 UTC 
Centos 7.6 with selinux-policy-3.13.1-252.el7_7.6.noarch is free from this problem.
Comment 6 lejeczek 2021-08-16 13:45:41 UTC 
ok
Comment 7 RHEL Program Management 2021-09-07 07:27:05 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Note You need to log in before you can comment on or make changes to this bug.