Bug 786223 - Make ipa-client depend on oddjob-mkhomedir (ipa-client-install --mkhomedir sets wrong selinux contexts on user home drives)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2012-01-31 18:45 UTC by dale.macartney
Modified: 2012-06-20 13:31 UTC (History)

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2012-06-20 13:31:55 UTC
Links
Red Hat Product Errata RHBA-2012:0819 (Private: 0, Priority: normal, Status: SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2012-06-19 20:34:17 UTC

Description dale.macartney 2012-01-31 18:45:19 UTC
Description of problem:

When using the --mkhomedir option with ipa-client-install, a user has their homedir automatically created when first logging in. 

The SELinux context of this newly created homedir is set to home_root_t instead of user_home_dir_t.

Version-Release number of selected component (if applicable):

Name        : ipa-client
Arch        : x86_64
Version     : 2.1.3
Release     : 9.el6


How reproducible:
every time

Steps to Reproduce:
1. clean install of RHEL 6.2
2. yum install ipa-client -y
3. ipa-client-install -U -p admin -w mysecretpassword --mkhomedir
4. log in as any ipa user..
5. ls -Z /home

  
Actual results:
[root@server ~]# ls -Z /home/
drwxr-xr-x. user1 user1 unconfined_u:object_r:home_root_t:s0 user1
drwxr-xr-x. user2 user2 unconfined_u:object_r:home_root_t:s0 user2
[root@server ~]#

Expected results:

[root@mail02 ~]# ls -Z /home/
drwxr-xr-x. user1 user1 unconfined_u:object_r:user_home_dir_t:s0 user1
drwxr-xr-x. user2 user2 unconfined_u:object_r:user_home_dir_t:s0 user2
[root@mail02 ~]#

Additional info:

Comment 2 Simo Sorce 2012-01-31 21:28:40 UTC
ipa-client-install just uses authconfig, marking as duplicate of the bug we opened against authconfig already.

*** This bug has been marked as a duplicate of bug 647589 ***

Comment 3 Dmitri Pal 2012-02-01 15:05:10 UTC
This is an authconfig issue similar to the one in #647589.

Comment 4 Dmitri Pal 2012-02-01 15:07:44 UTC
Authconfig's GUI version will auto-detect the presence of
pam_oddjob_mkhomedir and prefer that over pam_mkhomedir, but it appears
the command-line version always configures pam_mkhomedir.

Comment 5 Tomas Mraz 2012-02-01 16:30:11 UTC
No, the GUI and commandline UI are both frontends to a single backend. So most probably they do not have pam_oddjob_mkhomedir installed.

*** This bug has been marked as a duplicate of bug 647589 ***

Comment 7 Tomas Mraz 2012-02-01 16:40:59 UTC
The possible resolutions are:
1. Make authconfig depend on oddjob-mkhomedir package - I do not want that as it unnecessarily expands the minimal install set.

2. Make authconfig gray out the homedir creation check box in the GUI when SELinux is enforcing and oddjob-mkhomedir is not installed. Also print a warning in the commandline UI in the same situation if the user uses --enablemkhomedir. This will not prevent the user from enabling creation of homedirs in the command line UI and with ipa-client-install; however, it will at least warn him that it will not work correctly.

3. Make ipa-client depend on oddjob-mkhomedir - perhaps preferable?

Comment 8 Dmitri Pal 2012-02-01 18:03:12 UTC
Re-targeting IPA and giving ack to option number three from above. Also changing the name.

Comment 9 Dmitri Pal 2012-02-01 18:07:44 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2337

Comment 13 Martin Kosek 2012-04-24 11:33:48 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 14 Kaleem 2012-04-25 11:12:08 UTC
Verified.

ipa-client version:
===================
[root@ipa63client ~]# rpm -q ipa-client
ipa-client-2.2.0-11.el6.x86_64
[root@ipa63client ~]#

ipa-client depends on oddjob-mkhomedir pkg:
==========================================
[root@ipa63client ~]# yum deplist ipa-client|grep odd
Unable to read consumer identity
  dependency: oddjob-mkhomedir
   provider: oddjob-mkhomedir.x86_64 0.30-5.el6
   provider: oddjob-mkhomedir.i686 0.30-5.el6
[root@ipa63client ~]#
 
Now the correct SELinux context (user_home_dir_t) is set for user home directories.

[root@ipa63client ~]# ls -laZ /home/
drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxr-xr-x. tuser1 tuser1 unconfined_u:object_r:user_home_dir_t:s0 tuser1
drwxr-xr-x. tuser2 tuser2 unconfined_u:object_r:user_home_dir_t:s0 tuser2
drwxr-xr-x. tuser3 tuser3 unconfined_u:object_r:user_home_dir_t:s0 tuser3
[root@ipa63client ~]#
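
Added example, not part of the original bug report or of ipa-client: a small shell audit that flags home directories labelled with a type other than user_home_dir_t and reports which mkhomedir PAM module a configuration references. It assumes the five-column RHEL 6 `ls -Z` layout quoted in this bug; the function names, the sample listing and the PAM fragment are constructed for illustration.

```shell
#!/bin/sh
# Added audit example. Input layout is an assumption: the RHEL 6 `ls -Z`
# format quoted in this bug (perms owner group context name).

# mislabeled_homes: read `ls -Z /home` output on stdin and print
# "<name> <type>" for every entry whose SELinux type is not user_home_dir_t.
# The "." and ".." entries are skipped; names containing spaces are not handled.
mislabeled_homes() {
    awk '
        NF >= 5 && $NF != "." && $NF != ".." {
            n = split($4, ctx, ":")      # user:role:type:level
            if (n >= 3 && ctx[3] != "user_home_dir_t")
                print $NF " " ctx[3]
        }'
}

# mkhomedir_module: read a PAM config on stdin and print the homedir module
# used by active session lines. pam_mkhomedir is reported first because it is
# the configuration this bug associates with the home_root_t label.
mkhomedir_module() {
    awk '
        /^[ \t]*#/ { next }              # ignore commented-out lines
        $1 == "session" || $1 == "-session" {
            for (i = 3; i <= NF; i++) {
                if ($i == "pam_mkhomedir.so") plain = 1
                if ($i == "pam_oddjob_mkhomedir.so") oddjob = 1
            }
        }
        END {
            if (plain) print "pam_mkhomedir"
            else if (oddjob) print "pam_oddjob_mkhomedir"
            else print "none"
        }'
}

# Constructed sample input, modelled on the listings quoted in this bug.
SAMPLE_LS='drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxr-xr-x. user1  user1  unconfined_u:object_r:home_root_t:s0 user1
drwxr-xr-x. tuser2 tuser2 unconfined_u:object_r:user_home_dir_t:s0 tuser2'
SAMPLE_PAM='# constructed PAM fragment
session     optional      pam_mkhomedir.so
session     required      pam_unix.so'

printf '%s\n' "$SAMPLE_LS"  | mislabeled_homes   # on a host: ls -Z /home | mislabeled_homes
printf '%s\n' "$SAMPLE_PAM" | mkhomedir_module   # on a host: mkhomedir_module < /etc/pam.d/system-auth
```
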

Comment 16 errata-xmlrpc 2012-06-20 13:31:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

