Description of problem:
Version-Release number of selected component (if applicable): selinux-policy-targeted-3.0.8-76.fc8
How reproducible:
Steps to Reproduce:
1. Login and audio control is disabled.
Actual results:
Expected results:
Additional info:
What avc messages are you seeing in /var/log/audit/audit.log?
Created attachment 293039: audit log file. I was not able to figure out what was being blocked related to the Gnome audio control. But in looking through the log it looks like there were other issues; ntpd and hal were also being blocked. Blocking hal may have caused the audio control issue. I can also supply the /var/log/messages file if that will help.
Looks like you have a labeling problem here also. You can relabel this entire machine by executing
# touch /.autorelabel; reboot
But I did do a touch of /.autorelabel before reboot. Which brings up a point. How does the labeling keep getting screwed up?
I have no idea. Do you have /var/lib as a symbolic link into a /home directory? Or do you have an entry in passwd file with a homedir in /var/lib?
No, /var/lib is not a symbolic link. Yes, there are the following passwd file entries with /var/lib as their home directory:
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
backuppc:x:495:491::/var/lib/BackupPC:/usr/bin/nologin
clamav:x:493:487:Clamav database update user:/var/lib/clamav:/sbin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash is causing the problem. Change its shell to /sbin/nologin, then run
# semodule -B
# restorecon -R -v /var/lib
This should fix the labeling. semodule is trying to figure out where real home directories are located, and then label them correctly. This homedir is causing a problem since it sets the labeling on /var/lib to be a homedir. The tool should have caught this and printed an error. This is a regression and I will look into it. The tools figure out what is a real homedir by looking at the UID < 500 or an invalid login shell.
Dan, I did another touch /.autorelabel and reboot but still get messed up labels. The issue seems to be tied to the passwd file entries above. As you can see, I did not choose the location for the home directories. Many daemons launched as root now use the passwd file to determine what user to run as. They have a home directory which many never use, which could be /dev/null. Others like mysql and clamav do use their home directories. This gets back to one of the long-standing issues: where are home directories physically located, are they a normal user home directory or a service daemon home directory, and how and what to label?
Dan, I will try the other steps tonight of:
# semodule -B
# restorecon -R -v /var/lib
If you look at bug report 430194 it seems to be the same issue involving setroubleshoot with /var/lib/rpm/Packages.
Yes, any service that uses a homedir but has a UID < 500 will be ignored. The problem is services with UID > 512 and a login shell. So if you change their login shells to /sbin/nologin or /bin/false, SELinux will set up the correct labeling.
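The two comments above describe the rule the home-directory labeling logic applies (a passwd entry counts as a real home when its UID is above a threshold and its shell is a usable login shell) and the fix (switch the offending account to a non-login shell, then rebuild the policy and relabel). The following script is an added example, not part of the bug report or of the selinux-policy tools; it scans passwd-format lines and reports the entries that rule would treat as real homes living outside /home, so an administrator can find accounts like the mythtv one before relabeling. The threshold of 500 and the list of shells treated as "invalid" (/sbin/nologin, /usr/bin/nologin, /bin/false) are assumptions taken from the thread, not the tool's exact logic, and the passwd lines are a constructed sample modeled on the entries posted above.

```shell
#!/bin/sh
# Added example (not from the bug report): find passwd entries that the
# home-directory labeling logic described in the thread would treat as real
# user homes, i.e. UID at or above a threshold AND a usable login shell.
# ASSUMPTIONS: threshold is 500; /sbin/nologin, /usr/bin/nologin and
# /bin/false are the shells counted as "invalid". Adjust for your system.

# Constructed sample in /etc/passwd format, modeled on the entries posted above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
backuppc:x:495:491::/var/lib/BackupPC:/usr/bin/nologin
mythtv:x:1004:1004::/var/lib/mythtv:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

UID_THRESHOLD=500

# is_real_home UID SHELL
# Returns 0 when the entry would be labeled as a real home directory.
is_real_home() {
    uid=$1
    shell=$2
    [ "$uid" -ge "$UID_THRESHOLD" ] || return 1
    case "$shell" in
        /sbin/nologin|/usr/bin/nologin|/bin/false) return 1 ;;
    esac
    return 0
}

# suspicious_homes
# Reads passwd lines on stdin and prints "user:home" for each entry that is
# treated as a real home but whose home directory is not under /home.
# Those are the entries that drag home_dir labeling onto places like /var/lib.
suspicious_homes() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        if is_real_home "$uid" "$shell"; then
            case "$home" in
                /home/*) ;;
                *) printf '%s:%s\n' "$name" "$home" ;;
            esac
        fi
    done
}

# Usage: check the constructed sample. On a real machine feed it the live
# file instead: cat /etc/passwd | suspicious_homes
printf '%s\n' "$SAMPLE_PASSWD" | suspicious_homes
```

On the sample this prints only mythtv:/var/lib/mythtv; mysql and backuppc are skipped because their UIDs are below the threshold, and alice is skipped because her home is under /home. Each reported account is a candidate for the change described above (set its shell to /sbin/nologin, then semodule -B and restorecon -R -v on the affected tree).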
Changing the shell and relabeling has fixed most issues. I did do a touch of /.autorelabel as the home directories got mislabeled by doing the above steps. There is another label issue and setroubleshoot does not suggest a fix for it. I created the directory /export/home where the real home directory storage gets mounted at boot time. It is currently labeled default_t, which seems to be an issue. What is the fix for this one?
# semanage fcontext -a -t home_root_t /export
# restorecon /export
Should fix it.
It did fix it. Solving one label/context issue just seems to lead to the next one.