Bug 621365 - oddjob-mkhomedir does not create homedir w/ NIS password
Summary: oddjob-mkhomedir does not create homedir w/ NIS password
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Keywords: RHELNAK
Depends On: 625455
TreeView+ depends on / blocked
Reported: 2010-08-04 20:38 UTC by Rik van Riel
Modified: 2012-10-15 15:10 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-36.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-11-10 21:36:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Rik van Riel 2010-08-04 20:38:19 UTC
Description of problem:

I selected "create new home directory on login" for a virtual test machine. I use this together with NIS passwords here at home.

On logging in, no home directory gets created, and I find the following oddjob-mkhomedir error message in /var/log/messages:

Aug  4 16:28:29 doriath oddjob-mkhomedir[2062]: could not look up location of home directory for riel

# ypcat passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. install RHEL6
2. select NIS passwords
3. select "create new home directory on login"
4. try to log in
Actual results:

No home directory is created.

Expected results:

Home directory is created.

Comment 1 Rik van Riel 2010-08-04 20:39:56 UTC
# ypmatch riel passwd
riel:<snip>:500:500:Rik van Riel:/home/riel:/bin/bash

Comment 3 Nalin Dahyabhai 2010-08-04 20:56:23 UTC
A privileged NIS client is expected to issue requests from a source port below
1024 as a way of letting an NIS server know that it's privileged.  This can be
used for access control at the server.

Dan, based on our out-of-band conversation, I think we need to be letting
confined processes which are allowed to be NIS clients bind to ports in this
range (and connect to them, as that's usually where the servers are).

For reference, the dontaudit denials I get when I turn on logging for them:

type=AVC msg=audit(1280954860.258:50): avc:  denied  { name_connect } for 
pid=7464 comm="mkhomedir" dest=700
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1280954860.255:49): avc:  denied  { name_bind } for 
pid=7464 comm="mkhomedir" src=856
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

Comment 4 Nalin Dahyabhai 2010-08-04 21:05:42 UTC
Just to avoid misunderstandings, NIS can use either UDP or TCP, so I think we need to allow this for both UDP and TCP.

Comment 5 RHEL Product and Program Management 2010-08-04 21:07:36 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 6 Rik van Riel 2010-08-04 21:37:44 UTC
I have confirmed that this is indeed an selinux problem.

Running "setenforce 0" and then logging in causes my home directory to be created.

Comment 7 Daniel Walsh 2010-08-05 19:15:12 UTC
Miroslav grab the `nis_use_ypbind_uncond' from rawhide.

Comment 8 Miroslav Grepl 2010-08-06 13:15:36 UTC
Fixed in selinux-policy-3.7.19-36.el6.noarch.

Comment 12 releng-rhel@redhat.com 2010-11-10 21:36:00 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.