Red Hat Bugzilla – Bug 435529
SELinux policy package gives bogus warnings
Last modified: 2008-03-03 10:17:44 EST
Description of problem:
package issues warning on install/update for mysql even though the mysql package
is not installed on this machine.
libsemanage.get_home_dirs: mysql homedir /var/lib/mysql or its parent directory
conflicts with a file context already specified in the policy. This usually
indicates an incorrectly defined system account. If it is a system account
please make sure its uid is less than 500 or its login shell is /sbin/nologin.
mysql is a NIS account that is used on Solaris machines. The UID is above 500
and is not under the local admin's control. /sbin/nologin does not exist on our
Solaris 8 servers. The home directory does not exist on the local machine. If
mysql were ever installed on the local machine, then the local passwd file would
override the NIS map. In that case, everything would be OK. If mysql were
installed and the NIS account took precedence, then the warning would be legitimate.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a NIS account for mysql that violates SELinux policy
2. Ensure mysql is not installed locally
3. Install the selinux-policy-targeted package
Actual results:
Warnings on package installation.
Expected results:
No warnings because the package is not installed.
Additional info:
SELinux needs to play nice in large, heterogeneous environments.
Can you change the shell to /bin/false?
SELinux is playing nicely. SELinux is seeing the mysql definition in the
getpwall call as a legitimate user since it has a real shell and a UID > 500.
It is trying to set up correct labeling on the directories and the parent
directory. So when it sees a conflict, it reports the error and continues
without fouling up the labeling. mysql probably should not have a valid shell.
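
Added example (not part of the original bug report and not libsemanage's code): a pre-install audit that applies the rule quoted in the warning to `getent passwd` output, so NIS accounts that would trigger it can be found before the policy package is updated. Assumptions: the passwd sample and the `LABELED_PATHS` set are constructed, real policy matches file contexts by regex rather than exact path, and treating `/bin/false` as a non-login shell follows the suggestion in the reply.

```python
import posixpath

MIN_UID = 500  # threshold quoted in the warning text
# /sbin/nologin comes from the warning; /bin/false is an assumption (see lead-in)
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}

# Constructed stand-in for paths that already carry a file context in policy
LABELED_PATHS = {"/var/lib/mysql", "/var/lib", "/var/www"}

# Constructed sample of `getent passwd` output (local and NIS entries merged)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:1207:1207:MySQL (NIS):/var/lib/mysql:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
backup:x:1300:1300:Backup (NIS):/var/lib/backup:/bin/false
"""


def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith(("+", "-")):
            continue  # skip malformed lines and NIS compat markers
        name, _, uid, _, _, home, shell = fields
        if uid.isdigit():
            yield name, int(uid), home, shell


def conflicting_accounts(text, labeled=LABELED_PATHS):
    """Return accounts seen as real users whose homedir or parent is labeled."""
    hits = []
    for name, uid, home, shell in parse_passwd(text):
        if uid < MIN_UID or shell in NON_LOGIN_SHELLS:
            continue  # treated as a system account, no homedir labeling
        home = posixpath.normpath(home)
        for path in (home, posixpath.dirname(home)):
            if path in labeled:
                hits.append((name, uid, home, path))
                break
    return hits


if __name__ == "__main__":
    for name, uid, home, path in conflicting_accounts(SAMPLE_PASSWD):
        print(f"{name} (uid {uid}): homedir {home} conflicts with {path}")
```

On a real host, feed it the output of `getent passwd` and a path list derived from the installed policy's file contexts.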