Bug 621365 - oddjob-mkhomedir does not create homedir w/ NIS password
oddjob-mkhomedir does not create homedir w/ NIS password
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.0
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: RHELNAK
Depends On: 625455
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-04 16:38 EDT by Rik van Riel
Modified: 2012-10-15 11:10 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-36.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 16:36:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rik van Riel 2010-08-04 16:38:19 EDT
Description of problem:

I selected "create new home directory on login" for a virtual test machine. I use this together with NIS passwords here at home.

On logging in, no home directory gets created, and I find the following oddjob-mkhomedir error message in /var/log/messages:

Aug  4 16:28:29 doriath oddjob-mkhomedir[2062]: could not look up location of home directory for riel

# ypcat passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash

Version-Release number of selected component (if applicable):

oddjob-mkhomedir-0.30-1.el6.x86_64

Steps to Reproduce:
1. install RHEL6
2. select NIS passwords
3. select "create new home directory on login"
4. try to log in
  
Actual results:

No home directory is created.

Expected results:

Home directory is created.
Comment 1 Rik van Riel 2010-08-04 16:39:56 EDT
# ypmatch riel passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash
Comment 3 Nalin Dahyabhai 2010-08-04 16:56:23 EDT
A privileged NIS client is expected to issue requests from a source port below
1024 as a way of letting an NIS server know that it's privileged.  This can be
used for access control at the server.

Dan, based on our out-of-band conversation, I think we need to be letting
confined processes which are allowed to be NIS clients bind to ports in this
range (and connect to them, as that's usually where the servers are).

For reference, the dontaudit denials I get when I turn on logging for them:

type=AVC msg=audit(1280954860.258:50): avc:  denied  { name_connect } for 
pid=7464 comm="mkhomedir" dest=700
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1280954860.255:49): avc:  denied  { name_bind } for 
pid=7464 comm="mkhomedir" src=856
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
Comment 4 Nalin Dahyabhai 2010-08-04 17:05:42 EDT
Just to avoid misunderstandings, NIS can use either UDP or TCP, so I think we need to allow this for both UDP and TCP.
Comment 5 RHEL Product and Program Management 2010-08-04 17:07:36 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 6 Rik van Riel 2010-08-04 17:37:44 EDT
I have confirmed that this is indeed an selinux problem.

Running "setenforce 0" and then logging in causes my home directory to be created.
Comment 7 Daniel Walsh 2010-08-05 15:15:12 EDT
Miroslav grab the `nis_use_ypbind_uncond' from rawhide.
Comment 8 Miroslav Grepl 2010-08-06 09:15:36 EDT
Fixed in selinux-policy-3.7.19-36.el6.noarch.
Comment 12 releng-rhel@redhat.com 2010-11-10 16:36:00 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.