Bug 1811310 - SE policies fail oddjob-mkhomedir when /home via autofs [NEEDINFO]
Summary: SE policies fail oddjob-mkhomedir when /home via autofs
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
medium
urgent
Target Milestone: rc
: 8.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-07 12:16 UTC by lejeczek
Modified: 2021-03-02 15:06 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
zpytela: needinfo? (peljasz)


Attachments (Terms of Use)

Description lejeczek 2020-03-07 12:16:16 UTC
Description of problem:

...
oddjob-mkhomedir[2215]: error creating /home/aeo2: Permission denied
...

Above occurs when autofs mounts a gluster vol under /home


$ ausearch -ts 12:10 | audit2allow 


#============= automount_t ==============
allow automount_t mount_t:process { noatsecure rlimitinh siginh };

#============= oddjob_t ==============
allow oddjob_t oddjob_mkhomedir_t:process { noatsecure rlimitinh siginh };

#============= sssd_t ==============
allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };


And probably more. Easy to reproduce.
Would be fantastic to have booleans for these!
many thanks, L

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-20.el8.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2020-03-09 08:06:18 UTC
Thank you for reporting the issue.

The AVC denials reported are usually dontaudited, supposedly you rebuilt selinux-policy on the system with dontaudit rules disabled.

Does the same issue appear when selinux is in permissive mode? Are there any AVC denials reported different to the ones mentioned above?

Comment 2 lejeczek 2020-03-10 08:29:47 UTC
Yes, with -DB.

It does, actually it's weird in my opinion.

I have this:
- in /etc/auto.master.d/off-LOCALHOST.autofs
/home.foreign /etc/auto.master.d/foreign.users.home.off-LOCALHOST

I copied fcontext from /home to /home.foreign:
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 May 11  2019 /home
drwxr-xr-x. 2 root root system_u:object_r:home_root_t:s0 6 Mar  7 12:08 /home.foreign

- in /etc/auto.master.d/foreign.users.home.off-LOCALHOST
* -fstype=glusterfs,rw,acl 10.5.8.97,10.5.8.65,10.5.8.49:/FOREING-USER-HOME/&

And with permissive=1 & autofs mounted I cannot even mkdir in /home.foreign (so it's not just oddjob)
$ mount
10.5.8.97:FOREING-USER-HOME/eo2 on /home.foreign/eo2 type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072)

And weir part is - when I mount it under.. lets say /0-DATA/FOREIGN then the problem does not occur.

And even with -DB not much gets reported.

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t self:capability net_admin

After having the following module in the policy already.

module oddjob-autofs 1.0;

require {
	type sssd_selinux_manager_t;
	type oddjob_mkhomedir_t;
	type sssd_t;
	type oddjob_t;
	type mount_t;
	type automount_t;
	class process { noatsecure rlimitinh siginh };
	class capability net_admin;
}

#============= automount_t ==============

#!!!! This avc is allowed in the current policy
allow automount_t mount_t:process { noatsecure rlimitinh siginh };

#!!!! This avc is allowed in the current policy
allow automount_t self:capability net_admin;

#============= oddjob_t ==============

#!!!! This avc is allowed in the current policy
allow oddjob_t oddjob_mkhomedir_t:process { noatsecure rlimitinh siginh };

#============= sssd_t ==============

#!!!! This avc is allowed in the current policy
allow sssd_t sssd_selinux_manager_t:process { noatsecure rlimitinh siginh };

Comment 3 lejeczek 2020-03-10 08:48:22 UTC
Centos 7.6 with selinux-policy-3.13.1-252.el7_7.6.noarch is free from this problem.


Note You need to log in before you can comment on or make changes to this bug.