Bug 590677 - Permission denied when setting a disable_user_list
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: Milos Malik

Reported: 2010-05-10 09:17 EDT by Tomas Pelka
Modified: 2012-10-15 11:13 EDT
Fixed In Version: selinux-policy-3.7.19-15.el6
Doc Type: Bug Fix
Last Closed: 2010-07-02 15:51:32 EDT

Attachments:
audit.log (1.79 KB, application/octet-stream), 2010-05-11 03:18 EDT, Tomas Pelka

Description Tomas Pelka 2010-05-10 09:17:02 EDT
Description of problem:
When I'm setting gdm's disable_user_list, I always get the following after entering the root password:

Could not set value. Error was:
Failed: Could not make directory `/home/tpelka/.gconf': Permission denied

ls -l /home/tpelka/.gconf
total 12
drwx------. 30 tpelka tpelka 4096 May  6 09:17 apps
drwx------.  3 tpelka tpelka 4096 Feb  5 08:39 desktop
drwx------.  3 tpelka tpelka 4096 Feb  5 15:47 system

ls -ld /home/tpelka/.gconf
drwx------. 5 tpelka tpelka 4096 May 10 15:02 /home/tpelka/.gconf

ls -lZ /home/tpelka/.gconf
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 apps
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 desktop
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 system

ls -ldZ /home/tpelka/.gconf
drwx------. tpelka tpelka unconfined_u:object_r:gconf_home_t:s0 /home/tpelka/.gconf


This does not seem correct: after entering the right root password, gconf actually runs with root privileges, right?

Version-Release number of selected component (if applicable):
gconf-editor-2.28.0-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run gconf-editor
2. apps -> gdm -> simple-greeter
3. check "disable_user_list"
4. right click on it again and click "Set as Default" 
5. enter root password into dialog and press 'Enter'
  
Actual results:
Could not set value. Error was:
Failed: Could not make directory `/home/tpelka/.gconf': Permission denied

Expected results:
No error.

Additional info:
Comment 2 Ray Strode [halfline] 2010-05-10 09:35:45 EDT
1) does booting with enforcing=0 in grub.conf on the kernel command line "fix" this?

2) is /home nfs mounted?
Comment 3 Tomas Pelka 2010-05-10 10:09:49 EDT
(In reply to comment #2)
> 1) does booting with enforcing=0 in grub.conf on the kernel command line "fix"
> this?

Seems yes, no more error.

> 
> 2) is /home nfs mounted?    

No it is local.
Comment 4 Ray Strode [halfline] 2010-05-10 10:28:26 EDT
Alright, probably just a hole in the selinux policy since this feature isn't used much.  Reassigning...
Comment 5 RHEL Product and Program Management 2010-05-10 10:32:22 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 6 Daniel Walsh 2010-05-10 10:51:24 EDT
Tomas do you have any AVC messages?
Comment 7 Daniel Walsh 2010-05-10 10:59:54 EDT
Fixed in selinux-policy-3.7.19-15.fc13.noarch
Comment 8 Tomas Pelka 2010-05-11 03:16:11 EDT
(In reply to comment #6)
> Tomas do you have any AVC messages?    

If you still need AVC, here it is:

type=USER_AUTH msg=audit(1273562104.807:67): user pid=4317 uid=501 auid=501 ses=1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1273562104.809:68): user pid=4317 uid=501 auid=501 ses=1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1273562104.817:69): avc:  denied  { search } for  pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=user_u:object_r:samba_share_t:s0 tclass=dir
type=SYSCALL msg=audit(1273562104.817:69): arch=c000003e syscall=4 success=no exit=-13 a0=260f700 a1=7fffaa995bf0 a2=7fffaa995bf0 a3=1 items=0 ppid=1 pid=4316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism" subj=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1273562104.817:70): avc:  denied  { search } for  pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=user_u:object_r:samba_share_t:s0 tclass=dir
type=SYSCALL msg=audit(1273562104.817:70): arch=c000003e syscall=83 success=no exit=-13 a0=260f700 a1=1c0 a2=ffffffffffffffa8 a3=7fffaa995950 items=0 ppid=1 pid=4316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism" subj=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 key=(null)
Comment 9 Tomas Pelka 2010-05-11 03:18:57 EDT
Created attachment 413055 [details]
audit.log

Because of the wrong format of the AVC (only cut&paste), attaching an audit log with the message mentioned in c8.
Comment 10 Daniel Walsh 2010-05-11 10:45:40 EDT
Tomas this looks like you have set the label samba_share_t in your homedir?


If you want to share your homedir via samba you need to turn on the boolean

samba_enable_home_dirs

Not set the context of the home dir to samba_share_t.
Comment 11 Tomas Pelka 2010-05-12 10:59:29 EDT
Confirmed, fixfiles restore / fixes this issue.
Comment 14 releng-rhel@redhat.com 2010-07-02 15:51:32 EDT
Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
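
Added example, not part of the original bug report: a small Python parser that pulls the source type, target type, class and permission out of the AVC records posted in comment 8 and applies the reasoning from comment 10, where a target type that does not match the expected label points to a mislabeled file rather than a missing policy rule. The function names and the expected type user_home_dir_t are assumptions made for this illustration.

```python
import re

# Audit lines from comment 8 of this report: two identical AVC denials (serials
# 69 and 70) and one SYSCALL record, truncated here for width.
AVC = ('type=AVC msg=audit(1273562104.817:{n}): avc:  denied  {{ search }} for  '
       'pid=4316 comm="gconf-defaults-" name="tpelka" dev=sda6 ino=6832129 '
       'scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 '
       'tcontext=user_u:object_r:samba_share_t:s0 tclass=dir')
SAMPLE_LOG = "\n".join([
    AVC.format(n=69),
    'type=SYSCALL msg=audit(1273562104.817:69): arch=c000003e syscall=4 success=no exit=-13',
    AVC.format(n=70),
])

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = tuple(m.group("perms").split())
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def diagnose(rec, expected_type):
    """'mislabel' if the object carries an unexpected type, else 'policy'."""
    # Mislabel: restore the file context. Policy: the domain lacks an allow rule.
    return "mislabel" if rec["target_type"] != expected_type else "policy"

def summarize(log_text, expected_type):
    """Collapse repeated denials and classify each unique one."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec.get("tclass"),
                   rec["perms"], rec.get("name"))
            result[key] = diagnose(rec, expected_type)
    return result

if __name__ == "__main__":
    # Assumption: user_home_dir_t is the targeted policy's default type for
    # /home/<user>; on a live system take it from `matchpathcon /home/tpelka`.
    for key, verdict in summarize(SAMPLE_LOG, "user_home_dir_t").items():
        print(key, "->", verdict)
```
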