Bug 813790 - oddjob-mkhomedir fails to create home directory when SELinux enforcing
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2012-04-18 08:45 EDT by Marko Myllynen
Modified: 2012-04-25 00:59 EDT
Fixed In Version: selinux-policy-3.10.0-118.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-25 00:59:50 EDT
Type: Bug
Attachments: None

Description Marko Myllynen 2012-04-18 08:45:07 EDT
Description of problem:
When logging in as a user who doesn't have a home dir, oddjob-mkhomedir fails due to an AVC denial. The following is logged in messages/secure/audit.log during the login attempt:


type=SERVICE_START msg=audit(1334752405.315:281): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="getty@tty5" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

==> /var/log/secure <==
Apr 18 15:33:29 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty5 ruser= rhost=  user=testuser

==> /var/log/audit/audit.log <==
type=USER_AUTH msg=audit(1334752410.808:282): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser" exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'

==> /var/log/secure <==
Apr 18 15:33:30 localhost login: pam_sss(login:auth): User info message: Your password will expire in 5 day(s).
Apr 18 15:33:30 localhost login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty5 ruser= rhost= user=testuser

==> /var/log/audit/audit.log <==
type=USER_ACCT msg=audit(1334752410.809:283): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="testuser" exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'
type=CRED_ACQ msg=audit(1334752410.811:284): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="testuser" exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'
type=LOGIN msg=audit(1334752410.811:285): login pid=1282 uid=0 old auid=4294967295 new auid=10305353 old ses=4294967295 new ses=3
type=USER_ROLE_CHANGE msg=audit(1334752410.855:286): pid=0 uid=0 auid=10305353 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'

==> /var/log/messages <==
Apr 18 15:33:30 localhost systemd-logind[602]: New session 3 of user testuser.

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1334752410.882:287): avc:  denied  { read } for  pid=1007 comm="oddjobd" name="passwd" dev="dm-1" ino=1312501 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1334752410.882:287): arch=c000003e syscall=2 success=no exit=-13 a0=7fba3b0606ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1007 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334752410.882:288): avc:  denied  { search } for  pid=1007 comm="oddjobd" name="sss" dev="dm-1" ino=138292 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1334752410.882:288): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff71a80380 a2=6e a3=7fff71a80040 items=0 ppid=1 pid=1007 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)

==> /var/log/secure <==
Apr 18 15:33:30 localhost login: pam_unix(login:session): session opened for user testuser by LOGIN(uid=0)

==> /var/log/audit/audit.log <==
type=USER_START msg=audit(1334752410.883:289): pid=0 uid=0 auid=10305353 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="testuser" exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'
type=CRED_REFR msg=audit(1334752410.884:290): pid=0 uid=0 auid=10305353 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="testuser" exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'
type=USER_LOGIN msg=audit(1334752410.884:291): pid=0 uid=0 auid=10305353 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=10305353 exe="/usr/bin/login" hostname=? addr=? terminal=tty5 res=success'

==> /var/log/secure <==
Apr 18 15:33:30 localhost login: LOGIN ON tty5 BY testuser

==> /var/log/messages <==
Apr 18 15:33:31 localhost dbus-daemon[624]: ** Message: No devices in use, exit


And the following is printed in the login prompt for the user:


com.redhat.oddjob.Error.UnknownUser: UID=0
Last login: Wed Apr 18 15:29:51 on tty5
 -- testuser: /home/testuser: change directory failed: No such file or directory
Logging in with home = "/".


Version-Release number of selected component (if applicable):
Fedora 17 Beta
Comment 1 Stef Walter 2012-04-20 11:12:37 EDT
Also ran into this when using Active Directory. Three alerts. Running 'restorecon' on the relevant directories showed nothing.

ALERT 1:

SELinux is preventing /usr/sbin/oddjobd from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that oddjobd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oddjobd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:oddjob_t:s0-s0:c0.c1023
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        oddjobd
Source Path                   /usr/sbin/oddjobd
Port                          <Unknown>
Host                          stef-desktop.thewalter.lan
Source RPM Packages           oddjob-0.31.1-2.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     stef-desktop.thewalter.lan
Platform                      Linux stef-desktop.thewalter.lan
                              3.3.1-5.fc17.x86_64 #1 SMP Tue Apr 10 20:42:28 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 20 Apr 2012 05:10:30 PM CEST
Last Seen                     Fri 20 Apr 2012 05:10:30 PM CEST
Local ID                      f7bf2783-d607-4a88-939d-879380e53d07

Raw Audit Messages
type=AVC msg=audit(1334934630.835:1429): avc:  denied  { read } for  pid=15305 comm="oddjobd" name="passwd" dev="sda1" ino=178678 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1334934630.835:1429): arch=x86_64 syscall=open success=no exit=EACCES a0=7f8a5f2996ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=15305 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)

Hash: oddjobd,oddjob_t,passwd_file_t,file,read

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

ALERT 2:

SELinux is preventing /usr/sbin/oddjobd from search access on the directory /var/lib/sss.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that oddjobd should be allowed search access on the sss directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oddjobd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:oddjob_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss [ dir ]
Source                        oddjobd
Source Path                   /usr/sbin/oddjobd
Port                          <Unknown>
Host                          stef-desktop.thewalter.lan
Source RPM Packages           oddjob-0.31.1-2.fc17.x86_64
Target RPM Packages           sssd-1.8.2-10.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     stef-desktop.thewalter.lan
Platform                      Linux stef-desktop.thewalter.lan
                              3.3.1-5.fc17.x86_64 #1 SMP Tue Apr 10 20:42:28 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 20 Apr 2012 05:10:30 PM CEST
Last Seen                     Fri 20 Apr 2012 05:10:30 PM CEST
Local ID                      fcde642a-9ddc-49fe-adfc-407030067fa5

Raw Audit Messages
type=AVC msg=audit(1334934630.835:1430): avc:  denied  { search } for  pid=15305 comm="oddjobd" name="sss" dev="sda1" ino=20905 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1334934630.835:1430): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fffc4d1c5a0 a2=6e a3=238 items=0 ppid=1 pid=15305 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)

Hash: oddjobd,oddjob_t,sssd_var_lib_t,dir,search

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied


ALERT 3:


SELinux is preventing /usr/sbin/oddjobd from getattr access on the directory /run/winbindd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that oddjobd should be allowed getattr access on the winbindd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep oddjobd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:oddjob_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:winbind_var_run_t:s0
Target Objects                /run/winbindd [ dir ]
Source                        oddjobd
Source Path                   /usr/sbin/oddjobd
Port                          <Unknown>
Host                          stef-desktop.thewalter.lan
Source RPM Packages           oddjob-0.31.1-2.fc17.x86_64
Target RPM Packages           samba-winbind-3.6.4-82.fc17.1.x86_64
Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     stef-desktop.thewalter.lan
Platform                      Linux stef-desktop.thewalter.lan
                              3.3.1-5.fc17.x86_64 #1 SMP Tue Apr 10 20:42:28 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 20 Apr 2012 05:10:30 PM CEST
Last Seen                     Fri 20 Apr 2012 05:10:30 PM CEST
Local ID                      468c34b7-8a26-4b0b-9faa-378fb9370c64

Raw Audit Messages
type=AVC msg=audit(1334934630.836:1431): avc:  denied  { getattr } for  pid=15305 comm="oddjobd" path="/run/winbindd" dev="tmpfs" ino=13334221 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1334934630.836:1431): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7f8a5ee81aac a1=7fffc4d19e60 a2=7fffc4d19e60 a3=238 items=0 ppid=1 pid=15305 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)

Hash: oddjobd,oddjob_t,winbind_var_run_t,dir,getattr

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
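The AVC records in the description (oddjob_t denied read on passwd_file_t and search on sssd_var_lib_t) and the third one from comment 1 (getattr on winbind_var_run_t) all reduce to the same (source type, target type, class, permission) tuple that setroubleshoot's "Hash:" line and audit2allow's rules are built from. The Python below is an added example, not code from this bug or from the oddjob, setroubleshoot or selinux-policy projects; it parses the three records quoted on this page and renders them in the rule shape audit2allow would emit, so the denials can be compared against what a policy update actually grants.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1334752410.882:287): avc:  denied  { read } for  pid=1007 comm="oddjobd" name="passwd" dev="dm-1" ino=1312501 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1334752410.882:288): avc:  denied  { search } for  pid=1007 comm="oddjobd" name="sss" dev="dm-1" ino=138292 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1334934630.836:1431): avc:  denied  { getattr } for  pid=15305 comm="oddjobd" path="/run/winbindd" dev="tmpfs" ino=13334221 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:winbind_var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

def context_type(ctx):
    """user:role:type[:level] -> type, the field TE rules are written against."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Fields of one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {"verdict": m["verdict"], "perms": set(m["perms"].split()),
            "comm": m["comm"], "stype": context_type(m["scon"]),
            "ttype": context_type(m["tcon"]), "tclass": m["tclass"]}

def setroubleshoot_hash(rec):
    """Same shape as the 'Hash:' line setroubleshoot prints to group alerts."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"],
                     " ".join(sorted(rec["perms"]))])

def summarize_denials(audit_text):
    """Merge denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return summary

def to_te_rules(summary):
    """Render as audit2allow-style allow rules, sorted so runs can be diffed."""
    rules = []
    for (stype, ttype, tclass), perms in summary.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return sorted(rules)
```

Checking the rendered rules against `sesearch -A -s oddjob_t -t passwd_file_t -c file` on the updated policy shows whether a fixed package covers the denial, which is the check to run before reaching for the catchall local module sealert suggests.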
Comment 2 Daniel Walsh 2012-04-20 11:31:16 EDT
Fixed in selinux-policy-3.10.0-117.fc17.noarch
Comment 3 Fedora Update System 2012-04-23 02:43:50 EDT
selinux-policy-3.10.0-117.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-117.fc17
Comment 4 Marko Myllynen 2012-04-23 05:13:35 EDT
Confirmed, selinux-policy-3.10.0-117.fc17.noarch fixes the issue.

Thanks!
Comment 5 Miroslav Grepl 2012-04-23 07:32:27 EDT
Thanks for testing. Could you give karma?
Comment 6 Marko Myllynen 2012-04-23 07:38:28 EDT
Gave karma already.
Comment 7 Fedora Update System 2012-04-23 20:56:37 EDT
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17
Comment 8 Fedora Update System 2012-04-23 23:15:38 EDT
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-04-25 00:59:50 EDT
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
