Bug 2184203 - SELinux is preventing userdel from 'rmdir' accesses on the directory overlay.
Summary: SELinux is preventing userdel from 'rmdir' accesses on the directory overlay.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:85227ee9893f2afa72e2e64a5e2...
Duplicates: 2184204
Depends On:
Blocks:
Reported: 2023-04-03 22:59 UTC by Mikhail
Modified: 2023-05-05 14:21 UTC
CC: 14 users

Fixed In Version: container-selinux-2.211.1-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-05 14:21:00 UTC
Type: ---
Embargoed:


Attachments
File: description (1.96 KB, text/plain)
2023-04-03 22:59 UTC, Mikhail
File: os_info (770 bytes, text/plain)
2023-04-03 22:59 UTC, Mikhail

Description Mikhail 2023-04-03 22:59:02 UTC
Description of problem:
Delete linux user
SELinux is preventing userdel from 'rmdir' accesses on the directory overlay.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that userdel should be allowed rmdir access on the overlay directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'userdel' --raw | audit2allow -M my-userdel
# semodule -X 300 -i my-userdel.pp

Additional Information:
Source Context                system_u:system_r:useradd_t:s0
Target Context                unconfined_u:object_r:container_ro_file_t:s0
Target Objects                overlay [ dir ]
Source                        userdel
Source Path                   userdel
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.9-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-38.9-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.3.0-
                              0.rc4.20230331git62bad54b26db.39.fc39.x86_64+debug
                              #1 SMP PREEMPT_DYNAMIC Sat Apr 1 01:48:34 +05 2023
                              x86_64
Alert Count                   1
First Seen                    2023-04-04 03:58:05 +05
Last Seen                     2023-04-04 03:58:05 +05
Local ID                      92c500cd-2c88-4271-932d-eb5dbd2819f4

Raw Audit Messages
type=AVC msg=audit(1680562685.733:1154): avc:  denied  { rmdir } for  pid=687064 comm="userdel" name="overlay" dev="nvme1n1" ino=84448506 scontext=system_u:system_r:useradd_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1


Hash: userdel,useradd_t,container_ro_file_t,dir,rmdir

Version-Release number of selected component:
selinux-policy-targeted-38.9-1.fc39.noarch

Additional info:
reporter:       libreport-2.17.9
reason:         SELinux is preventing userdel from 'rmdir' accesses on the directory overlay.
package:        selinux-policy-targeted-38.9-1.fc39.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.0-0.rc4.20230331git62bad54b26db.39.fc39.x86_64+debug
comment:        Delete linux user
component:      selinux-policy

Comment 1 Mikhail 2023-04-03 22:59:04 UTC
Created attachment 1955620
File: description

Comment 2 Mikhail 2023-04-03 22:59:06 UTC
Created attachment 1955621
File: os_info

Comment 3 Daniel Walsh 2023-04-04 18:07:24 UTC
What command are you running when you get this error?

Comment 4 Daniel Walsh 2023-04-04 18:08:39 UTC
*** Bug 2184204 has been marked as a duplicate of this bug. ***

Comment 5 Mikhail 2023-04-04 19:34:24 UTC
(In reply to Daniel Walsh from comment #3)
> What command are you running when you get this error?

I am deleting a Linux user through the GNOME Control Center.

Comment 6 Daniel Walsh 2023-04-04 20:06:41 UTC
Then the question is how did the container_ro_file_t label get in place?

type=AVC msg=audit(1680562685.733:1154): avc:  denied  { rmdir } for  pid=687064 comm="userdel" name="overlay" dev="nvme1n1" ino=84448506 scontext=system_u:system_r:useradd_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1

Is this useradd removing an entire home directory?

I think the fix to this would be to add user_home_type labels to the container labels.
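
As an added illustration (not part of this bug report or of container-selinux), the following Python parses raw audit AVC records like the one quoted above and flags the pattern discussed in this comment: useradd_t being denied removal of a container-labelled file or directory inside a home directory. The first sample line is the record from this page; the other two records, their event ids and inode numbers are constructed.

```python
import re

# Constructed sample set: the AVC record from this bug report, plus two made-up
# records (a non-useradd subject, and a useradd_t denial on a normal home label).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1680562685.733:1154): avc:  denied  { rmdir } for  pid=687064 comm="userdel" name="overlay" dev="nvme1n1" ino=84448506 scontext=system_u:system_r:useradd_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1680562700.100:1160): avc:  denied  { unlink } for  pid=687070 comm="rm" name="layer.tar" dev="nvme1n1" ino=84448600 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:container_ro_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1680562710.200:1170): avc:  denied  { rmdir } for  pid=687064 comm="userdel" name=".cache" dev="nvme1n1" ino=84448700 scontext=system_u:system_r:useradd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=1',
]

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
_PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = _PERM_RE.search(line)
    if 'type=AVC' not in line or not m:
        return None
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    rec['decision'] = m.group(1)
    rec['perms'] = set(m.group(2).split())
    # SELinux contexts are user:role:type:level; the type is what policy rules key on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=1 means the access was logged but not blocked, as on the reporter's
    # machine; in enforcing mode the same rmdir would fail and the directory remain.
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def home_removal_blocked_by_container_label(rec):
    """True for the pattern in this bug: the useradd_t domain (useradd/userdel) is
    denied removing a container_* labelled object, e.g. rootless container storage
    left in the home directory being deleted."""
    return (rec is not None
            and rec['decision'] == 'denied'
            and rec['stype'] == 'useradd_t'
            and rec['ttype'].startswith('container_')
            and rec['tclass'] in ('dir', 'file', 'lnk_file')
            and bool(rec['perms'] & {'rmdir', 'unlink', 'remove_name', 'rename'}))


def triage(lines):
    """Return (event_id, flagged) per AVC record, skipping non-AVC lines."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        out.append((rec['msg'].rstrip(':'), home_removal_blocked_by_container_label(rec)))
    return out
```

Run against `ausearch -m AVC --raw` output, only the first constructed record is flagged; the cache_home_t denial is excluded because it is already covered by the user home rules this comment proposes extending to container labels.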

Comment 7 Daniel Walsh 2023-04-04 20:14:40 UTC
Fixed in container-selinux-2.210.0

Comment 8 Fedora Update System 2023-04-24 17:15:20 UTC
FEDORA-2023-06ac069828 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-06ac069828

Comment 9 Fedora Update System 2023-04-24 17:15:48 UTC
FEDORA-2023-c2d3c3af89 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2d3c3af89

Comment 10 Fedora Update System 2023-04-25 03:21:07 UTC
FEDORA-2023-06ac069828 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-06ac069828`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-06ac069828

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-04-25 03:26:47 UTC
FEDORA-2023-c2d3c3af89 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c2d3c3af89`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2d3c3af89

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2023-05-03 01:23:42 UTC
FEDORA-2023-f0fe2923f2 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f0fe2923f2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f0fe2923f2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2023-05-05 14:21:00 UTC
FEDORA-2023-f0fe2923f2 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

