Bug 822133 - a lot of selinux errors when working with a freeipa user
Product: Fedora
Classification: Fedora
Component: freeipa
Platform: All Linux
Priority: high
Severity: unspecified
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-16 08:47 EDT by pasqual milvaques
Modified: 2013-02-14 03:05 EST
Fixed In Version: freeipa-2.1.4-8.fc16
Doc Type: Bug Fix
Last Closed: 2013-02-13 22:05:11 EST
Type: Bug

Attachments: None
Description pasqual milvaques 2012-05-16 08:47:18 EDT
Description of problem:
I'm trying to log in and work on a test box with a FreeIPA user, but SELinux prevents me from doing a lot of normal activities.

For the moment these are the problems:
- I can't log in to the system if I didn't do a restorecon -v -R /home/username
- once I do this I can log in to the system, but when I try to change the password with the control-center I receive errors of this kind in /var/log/audit/audit.log:
type=AVC msg=audit(1337166385.813:105): avc:  denied  { execute } for  pid=2354 comm="passwd" name="gnome-keyring-daemon" dev="sda3" ino=157097 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=USER_CHAUTHTOK msg=audit(1337166385.830:106): pid=0 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok acct="mnadal" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/1 res=success'

The SELinux troubleshooter tells me to apply this policy to avoid the errors:

module mypol_passwd 1.0;

require {
	type tmp_t;
	type passwd_t;
	type gkeyringd_exec_t;
	class capability ipc_lock;
	class sock_file { write create unlink getattr };
	class file { read execute open execute_no_trans };
	class dir { create rmdir };
}

#============= passwd_t ==============
#!!!! This avc is allowed in the current policy

allow passwd_t gkeyringd_exec_t:file { read execute open execute_no_trans };
allow passwd_t self:capability ipc_lock;
allow passwd_t tmp_t:dir rmdir;
#!!!! This avc is allowed in the current policy

allow passwd_t tmp_t:dir create;
#!!!! This avc is allowed in the current policy

allow passwd_t tmp_t:sock_file create;
allow passwd_t tmp_t:sock_file { write getattr unlink };

semodule -i mypol_passwd.pp

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. join a FreeIPA domain with ipa-client-install --mkhomedir
2. do a restorecon -v -R /home/username (if not, I can't log in to GNOME)
3. go to control center -> users and try to change your password
Actual results:
lots of SELinux errors; in the first tries the errors don't let the password be changed

Expected results:
usable home directory (correctly labeled by SELinux by default)
transparent password change

Additional info:
Comment 1 Stephen Gallagher 2012-05-16 08:57:56 EDT
This is a bug in FreeIPA (specifically ipa-client-install).

pam_mkhomedir is not SELinux-compatible. There is an alternative called oddjob_mkhomedir that is. ipa-client-install will use whichever one is installed on the system. In the default case, that unfortunately means pam_mkhomedir.

In Fedora 17, the 'freeipa-client' package grew an explicit dependency on oddjob_mkhomedir to ensure that the SELinux-compatible package was available. We need to backport that specfile change to F16.

In the meantime, you can solve this for an installed system by doing:

yum install oddjob-mkhomedir

Replacing all instances of pam_mkhomedir.so in /etc/pam.d/* with pam_oddjob_mkhomedir.so

Then at least all new users that log in will be set up with the appropriate SELinux contexts.
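An added example (not part of the bug report or of FreeIPA) that applies the workaround above to a constructed copy of a PAM session stack: it swaps pam_mkhomedir.so for pam_oddjob_mkhomedir.so while keeping the line's options, keeps a backup, and then audits the directory for references that were missed. It assumes the carried-over options are valid for pam_oddjob_mkhomedir.so (check pam_oddjob_mkhomedir(8)); the demo runs in a throwaway directory, not the real /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the bug report: apply the pam_mkhomedir ->
# pam_oddjob_mkhomedir swap to every file in a pam.d-style directory.

# Constructed sample resembling the session stack ipa-client-install writes
# when only pam_mkhomedir is available on the system.
SAMPLE_PAM='session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     required      pam_unix.so'

# Rewrite one PAM file in place. Returns 1 (and changes nothing) if the file
# does not reference pam_mkhomedir.so. A backup is kept as FILE.pre-oddjob.
# Assumption: the options carried over (here umask=) are valid for
# pam_oddjob_mkhomedir.so; verify against pam_oddjob_mkhomedir(8) first.
swap_mkhomedir() {
    f=$1
    grep -q 'pam_mkhomedir\.so' "$f" || return 1
    cp -p "$f" "$f.pre-oddjob" || return 1
    sed -i 's/pam_mkhomedir\.so/pam_oddjob_mkhomedir.so/' "$f"
}

# Number of files under a pam.d-style directory that still load the
# non-SELinux-aware module (backups made by swap_mkhomedir are ignored).
remaining_refs() {
    set -- $(grep -l 'pam_mkhomedir\.so' "$1"/* 2>/dev/null | grep -v '\.pre-oddjob$')
    echo $#
}

# Demo against a temporary directory instead of the real /etc/pam.d.
demo() {
    d=$(mktemp -d)
    for name in system-auth password-auth; do
        printf '%s\n' "$SAMPLE_PAM" > "$d/$name"
    done
    echo "before: $(remaining_refs "$d") file(s) load pam_mkhomedir.so"
    for f in "$d"/*; do swap_mkhomedir "$f"; done
    echo "after:  $(remaining_refs "$d") file(s) load pam_mkhomedir.so"
    grep pam_oddjob_mkhomedir "$d/system-auth"
    rm -rf "$d"
}
demo
```

The oddjob module hands directory creation to the oddjobd D-Bus service, so that service must be enabled (systemctl enable --now oddjobd) or new users will get no home directory at all.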
Comment 2 Fedora Update System 2012-05-16 09:43:01 EDT
freeipa-2.1.4-8.fc16 has been submitted as an update for Fedora 16.
Comment 3 pasqual milvaques 2012-05-16 10:15:53 EDT
Removed the installed SELinux policies, deleted the /home directories for FreeIPA users and updated the FreeIPA packages. Tested and all is working now.

Comment 4 Fedora End Of Life 2013-01-16 20:58:45 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 5 Rob Crittenden 2013-01-16 22:35:00 EST
Not sure why this is still open, closing as VERIFIED.
Comment 6 Fedora End Of Life 2013-02-13 22:05:15 EST
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 7 Martin Kosek 2013-02-14 03:05:29 EST
Changing CLOSED status resolution from WONTFIX to ERRATA as this was properly closed, we just forgot to CLOSE it properly.
