Bug 239079 - [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
[LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
: OtherQA
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
 
Reported: 2007-05-04 15:21 EDT by Matt Anderson
Modified: 2009-06-19 12:58 EDT (History)
7 users (show)

See Also:
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 11:39:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matt Anderson 2007-05-04 15:21:11 EDT
Description of problem:
When using useradd -Z the context of seusers and the policy file are set to
SystemLow.

# fixfiles check /etc/selinux/
/sbin/restorecon reset /etc/selinux/mls/seusers context
staff_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_config_t:s15:c0.c1023
/sbin/restorecon reset /etc/selinux/mls/policy/policy.21 context
staff_u:object_r:policy_config_t:s0->system_u:object_r:policy_config_t:s15:c0.c1023


Version-Release number of selected component (if applicable):
shadow-utils-4.0.17-12.el5
selinux-policy-2.4.6-67.el5

How reproducible:
Everytime, even when selecting what would be the default SELinux user.

Steps to Reproduce:
1. useradd -Z user_u alice
2. fixfiles check /etc/selinux
  
Actual results:
The policy file and the seusers file gets relabeled to SystemLow from SystemHigh

Expected results:
The file should remain at the correct level.

Additional info:
It seems that you can only run useradd from SystemLow, otherwise you are unable
to lock the password file

[root/sysadm_r/SystemHigh@cert-i5 root]# useradd -Z staff_u -n bob
useradd: unable to lock password file

As a result these trusted databases are set to SystemLow.
Comment 1 RHEL Product and Program Management 2007-05-07 08:43:51 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Daniel Walsh 2007-05-07 10:14:49 EDT
Fixed in selinux-policy-2.4.6-69
Comment 4 Klaus Weidner 2007-05-07 13:10:23 EDT
This bug is not critical as far as LSPP compliance is concerned - the seusers
and policy files do not contain any information that specifically needs to be at
SystemHigh. As long as the changed level doesn't actually break applications
it's not urgent to fix.
Comment 5 Matt Anderson 2007-05-07 13:43:33 EDT
The changed level does break applications.

Once the files are relabeled SystemHigh subsequent operations on them fail,
useradd -Z, semanage, anything else that needs access to that database.

This can be worked around by running `fixfiles restore /etc/selinux` after each
time the database gets relabel to the wrong level, but otherwise the second time
you run anything it will fail due to the MLS level being incorrect.
Comment 6 Linda Knippers 2007-05-07 15:43:34 EDT
What was the policy change?  Was it to make seusers SystemLow by default?
If the passwd file is SystemLow then it seems seusers could be as well.
Any idea why running semanage to update seusers doesn't have the same
issue?
Comment 7 Daniel Walsh 2007-05-15 13:25:33 EDT
Turns out this is a problem with semanage also. When updating the system. 
semanage will lower the sensitivity of the seusers and policy.21 file

So this is really a libsemanage problem.  Reassiging
Comment 8 Daniel Walsh 2007-05-17 13:54:50 EDT
We agreed to change the sensitivity level of seusers and policy.21 to SystemLow
on the phone.  Fixed in selinux-policy-2.4.6-71
Comment 10 Eduard Benes 2007-08-21 11:25:11 EDT
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 
ASSIGNED.
Comment 13 errata-xmlrpc 2007-11-07 11:39:36 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html

Note You need to log in before you can comment on or make changes to this bug.