Bug 430195 - mis-labeled /var/lib caused by passwd shell
Product: Fedora
Classification: Fedora
Component: libsemanage
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Status: Reopened
Blocks: 430192 430194
Reported: 2008-01-24 23:21 EST by David Highley
Modified: 2008-05-01 11:39 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-02-02 11:53:52 EST

Attachments:
audit log file (1.05 MB, text/plain), 2008-01-25 23:51 EST, David Highley

Description David Highley 2008-01-24 23:21:41 EST
Steps to Reproduce:
1. Login and audio control is disabled.
Comment 1 Daniel Walsh 2008-01-25 09:50:48 EST
What avc messages are you seeing in /var/log/audit/audit.log?
Comment 2 David Highley 2008-01-25 23:51:44 EST
Created attachment 293039 [details]
audit log file

I was not able to figure out what was being blocked related to the Gnome audio
control. But in looking through the log it looks like there were other issues;
ntpd and hal were also being blocked. Blocking hal may have caused the audio
control issue. I can also supply the /var/log/messages file if that will help.
Comment 3 Daniel Walsh 2008-01-28 14:57:47 EST
Looks like you have a labeling problem here also.

You can relabel this entire machine by executing

touch /.autorelabel; reboot

Comment 4 David Highley 2008-01-28 23:17:31 EST
But I did do a touch of /.autorelabel before reboot. Which brings up a point.
How does the labeling keep getting screwed up?
Comment 5 Daniel Walsh 2008-01-29 09:32:40 EST
I have no idea. Do you have /var/lib as a symbolic link into a /home
directory? Or do you have an entry in the passwd file with a homedir in /var/lib?
Comment 6 David Highley 2008-01-29 09:48:23 EST
No, /var/lib is not a symbolic link. Yes, there are the following passwd file
entries with /var/lib as their home directory:
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
clamav:x:493:487:Clamav database update user:/var/lib/clamav:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
Comment 7 Daniel Walsh 2008-01-29 09:58:06 EST

is causing the problem.

Change its shell to /sbin/nologin
Then run

# semodule -B
# restorecon -R -v /var/lib

This should fix the labeling.

semodule is trying to figure out where real home directories are located, and
then labeling them correctly. This homedir is causing a problem since it sets
the labeling on /var/lib to be a homedir. The tool should have caught this and
printed an error. This is a regression and I will look into it.

The tools figure out what is a real homedir by looking at the UID < 500 or an
invalid login shell.
Comment 8 David Highley 2008-01-29 10:14:34 EST
Dan, I did another touch /.autorelabel and reboot but still get messed up
labels. The issue seems to be tied to the passwd file entries above. As you can
see, I did not choose the location for the home directories. Many daemons launched
as root now use the passwd file to determine what user to run as. They have a
home directory which many never use, which could be /dev/null. Others like mysql
and clamav do use their home directories. This gets back to one of the long
standing issues: where are home directories physically located, are they a normal
user home directory or a service daemon home directory, and how and what to label?
Comment 9 David Highley 2008-01-29 10:18:34 EST
Dan, I will try the other steps tonight of:
# semodule -B
# restorecon -R -v /var/lib

If you look at bug report 430194 it seems to be the same issue involving
setroubleshoot with /var/lib/rpm/Packages.
Comment 10 Daniel Walsh 2008-01-29 10:44:57 EST
Yes, any service that uses a homedir but has a UID < 500 will be ignored. The
problem is services with UID > 512 and a login shell. So if you change their
login shells to /sbin/nologin or /bin/false, SELinux will set up the correct

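The heuristic Dan describes in comments 7 and 10 (real home directories are those of accounts with a login shell, and comment 11 confirms that changing the shell is what fixed the labeling) can be checked before running semodule -B. The following is an added audit script, not libsemanage's own genhomedircon code; the sample passwd text, the set of login shells, the UID threshold and the list of system trees are constructed assumptions.

```python
"""Audit passwd-style entries for the pattern in this bug: an account with a
real login shell whose home directory sits under a system tree such as /var/lib,
which makes the home-directory labeling treat that tree as a home root."""

# Constructed sample modelled on the entries quoted in comment 6, not a real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
clamav:x:493:487:Clamav database update user:/var/lib/clamav:/sbin/nologin
dhighley:x:500:500:Example user:/export/home/dhighley:/bin/bash
"""

# Assumed stand-in for /etc/shells; /sbin/nologin and /bin/false are deliberately absent.
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/zsh"}
MIN_UID = 500  # threshold quoted in comment 7; assumed to match UID_MIN in login.defs
# Constructed list of trees that must never be labeled as a home root.
SYSTEM_TREES = ("/var", "/usr", "/etc", "/dev", "/proc", "/sys", "/tmp")


def parse_passwd(text):
    """Parse passwd lines into dicts; skips blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return entries


def home_root(path):
    """Parent directory that would be taken as the home root (/var/lib for /var/lib/mysql)."""
    return path.rsplit("/", 1)[0] or "/"


def risky_entries(entries):
    """Return entries with a login shell whose home root lies under a system tree.
    below_min_uid is reported so the reader can compare with the UID rule from comment 7."""
    flagged = []
    for e in entries:
        if e["shell"] not in LOGIN_SHELLS:
            continue  # nologin/false: never treated as a real home directory
        root = home_root(e["home"])
        if any(root == t or root.startswith(t + "/") for t in SYSTEM_TREES):
            flagged.append({**e, "home_root": root, "below_min_uid": e["uid"] < MIN_UID})
    return flagged
```

Running risky_entries(parse_passwd(SAMPLE_PASSWD)) flags only the mysql entry, with /var/lib as the home root it would introduce; the fix in the thread is to give that account /sbin/nologin and then relabel.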
Comment 11 David Highley 2008-01-30 10:21:13 EST
Changing the shell and relabeling has fixed most issues. I did do a touch of
/.autorelabel as the home directories got mislabeled by doing the above steps.
There is another label issue and setroubleshoot does not suggest a fix for it. I
created the directories /export/home where the real home directory storage gets
mounted at boot time. They are currently labeled default_t which seems to be an
issue. What is the fix for this one?
Comment 12 Daniel Walsh 2008-01-31 11:52:01 EST
# semanage fcontext -a -t home_root_t /export
# restorecon /export

Should fix it.

Comment 13 David Highley 2008-02-02 11:53:39 EST
It did fix it. Solving one label/context issue just seems to lead to the next one.