Bug 435529 - SELinux policy package gives bogus warnings
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-02-29 19:43 EST by Rob Riggs
Modified: 2008-03-03 10:17 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-03-03 10:17:44 EST

Description Rob Riggs 2008-02-29 19:43:36 EST
Description of problem:
package issues warning on install/update for mysql even though the mysql package
is not installed on this machine.

libsemanage.get_home_dirs: mysql homedir /var/lib/mysql or its parent directory
conflicts with a file context already specified in the policy.  This usually
indicates an incorrectly defined system account.  If it is a system account
please make sure its uid is less than 500 or its login shell is /sbin/nologin.

mysql is a NIS account that is used on Solaris machines.  The UID is above 500
and is not under the local admin's control.  /sbin/nologin does not exist on our
Solaris 8 servers.  The home directory does not exist on the local machine.  If
mysql were ever installed on the local machine then the local passwd file would
override the NIS map.  In that case, everything would be OK.  If mysql were
installed and the NIS account took precedence, then the warning would be legitimate.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a NIS account for mysql that violates SELinux policy
2. Ensure mysql is not installed locally
3. Install the selinux-policy-targeted package
Actual results:
Warnings on package installation.

Expected results:
No warnings because the package is not installed.

Additional info:
SELinux needs to play nice in large, heterogeneous environments.
Comment 1 Daniel Walsh 2008-03-03 10:17:44 EST
Can you change the shell to /bin/false?

SELinux is playing nicely.   SELinux is seeing the mysql definition in the
getpwall call as a legitimate user since it has a real shell and a UID > 500. 
It is trying to set up correct labeling on the directories and the parent
directory.  So when it sees a conflict, it reports the error and continues
without fouling up the labeling.  mysql probably should not have a valid shell.
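
An added example, not part of the bug report and not libsemanage code: a Python audit over passwd-format text (for instance the output of `getent passwd`, which includes NIS entries) that flags accounts matching the condition described in the comment above. The UID threshold of 500 and the two non-login shells come from the page; the function names, the sample accounts and the list of labelled paths are constructed for illustration, and the exact match on the home directory or its parent is a simplification of the real file-context check.

```python
import posixpath

UID_MIN = 500  # threshold quoted in the warning text on this page
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}  # shells named on this page

# Constructed sample input: passwd(5) lines as `getent passwd` would print them.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
mysql:x:6001:6001:MySQL (NIS):/var/lib/mysql:/bin/sh
backup:x:6002:6002:Backup (NIS):/var/lib/backup:/bin/false
"""
# Constructed sample: paths assumed to already carry a file context in policy.
SAMPLE_LABELLED = ["/var/lib/mysql", "/var/www", "/root"]


def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat markers such as "+::::::".
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[5], fields[6]


def audit(passwd_text, labelled_paths):
    """Return accounts treated as real users whose home collides with a labelled path."""
    labelled = {posixpath.normpath(p) for p in labelled_paths}
    findings = []
    for name, uid, home, shell in parse_passwd(passwd_text):
        # System accounts: UID below 500 or a non-login shell are ignored.
        if uid < UID_MIN or shell in NON_LOGIN_SHELLS:
            continue
        home = posixpath.normpath(home)
        # The warning covers the home directory and its parent directory.
        hits = [p for p in (home, posixpath.dirname(home)) if p in labelled]
        if hits:
            findings.append((name, uid, home, shell, hits[0]))
    return findings


if __name__ == "__main__":
    for name, uid, home, shell, path in audit(SAMPLE_PASSWD, SAMPLE_LABELLED):
        print(f"{name} (uid {uid}, shell {shell}): home {home} collides with {path}")
```

In the sample only `mysql` is reported; `backup` has an equally high UID but is skipped because its shell is /bin/false, which is the change suggested in the comment.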
