Bug 863132 - pam_mkhomedir creates home directory with wrong SELinux label
Product: Fedora
Classification: Fedora
Component: selinux-policy
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-04 09:50 EDT by Trond H. Amundsen
Modified: 2013-01-25 04:46 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-12-20 10:47:05 EST
Type: Bug

Attachments: none
Description Trond H. Amundsen 2012-10-04 09:50:18 EDT
Description of problem:
When using pam_mkhomedir.so to automatically create home directories on first login, the newly created home directory and all its contents are created with SELinux label 'home_root_t'.

Steps to Reproduce:
1. Configure the host to use pam_mkhomedir.so in system-auth and password-auth
2. Create a user without creating its home directory, or remove the home directory of an existing user
3. Log in as the user. The home directory will be automatically created. NOTE: At this point I've only tested this with ssh logins.
Actual results:
The user's home directory and all contents have SELinux label 'home_root_t'

Expected results:
The user's home directory and all contents are created with the correct SELinux labels.

Additional info:
A bit of debugging reveals that sshd_t runs /usr/sbin/mkhomedir_helper on behalf of pam. But somehow the command ends up running in the userdomain.
Comment 1 Dominick Grift 2012-10-04 10:21:41 EDT
To troubleshoot we tried to label /usr/sbin/mkhomedir_helper oddjob_mkhomedir_exec_t since sshd_t is allowed to run files with that type with a domain transition to oddjob_mkhomedir_t.

However, although we figured out that sshd_t actually "executes" the file with that type it does not appear to be domain transitioning for some reason.

The user home dir still gets created by /usr/sbin/mkhomedir_helper on behalf of root, running in the unconfined_t domain.
Comment 2 Miroslav Grepl 2012-10-05 07:23:38 EDT
Did we add the privsep patch also to F17?
Comment 3 Daniel Walsh 2012-10-06 07:36:40 EDT
Yes, this looks like a setexeccon is overriding the oddjob execution.
Comment 4 Petr Lautrbach 2012-10-09 05:00:34 EDT
I don't think it's related to the privsep patch. The privsep patch changes the context of the actual process with setcon() based on the getexeccon() value.
But there's the pam_selinux module which sets a user context for next execve call.
Comment 5 Petr Lautrbach 2012-10-09 05:04:05 EDT
These two files work for me (together with the mkhomedir_helper context change):

# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    include      postlogin

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
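The ordering that comment 5 relies on (pam_mkhomedir.so reached through the include before "pam_selinux.so open", so that the helper is exec'd before the user exec context from comment 4 is set) can be checked mechanically. The script below is an added example, not code from the bug report or from any of the commenters: it flattens a service's session stack by following include/substack directives and reports whether pam_mkhomedir.so comes before pam_selinux.so open. The pam.d directory and service name are parameters; the sample files it builds are constructed for the demonstration, and the assumption that the two blocks in comment 5 are the sshd and password-auth service files is mine.

```shell
#!/bin/sh
# Added example (not from the bug report): flatten a PAM service's session
# stack, following include/substack directives, and check that
# pam_mkhomedir.so is reached before "pam_selinux.so open". Once pam_selinux
# open has set the exec context for the next execve (comment 4), a helper
# such as /usr/sbin/mkhomedir_helper runs in the user's context instead of
# transitioning to oddjob_mkhomedir_t, which is the failure seen in this bug.

# Print the effective session lines of a service.
# $1 = pam.d directory, $2 = service name
flatten_session() {
    awk -v dir="$1" '
        # depth limits runaway include loops; the rest are awk locals
        function walk(svc, depth,    f, line, n, fields) {
            if (depth > 8) return
            f = dir "/" svc
            while ((getline line < f) > 0) {
                sub(/#.*/, "", line)                 # drop comments
                sub(/^[[:space:]]+/, "", line)       # drop indentation
                if (line !~ /^-?session[[:space:]]/) continue
                n = split(line, fields, /[[:space:]]+/)
                # fields[2] is the control word, fields[3] the module
                # or, for include/substack, the included service name
                if (n >= 3 && (fields[2] == "include" || fields[2] == "substack"))
                    walk(fields[3], depth + 1)
                else
                    print line
            }
            close(f)
        }
        BEGIN { walk(ARGV[1], 0); exit }' "$2"
}

# Exit 0 when pam_mkhomedir.so appears before pam_selinux.so open (or when
# pam_selinux open is absent); exit 1 when the helper would run after it.
check_mkhomedir_order() {
    flatten_session "$1" "$2" | awk '
        /pam_selinux\.so[[:space:]]+open/ { seen_open = 1 }
        /pam_mkhomedir\.so/ && seen_open   { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Build a constructed pam.d tree for the demonstration; prints its path.
make_sample_pamd() {
    d=$(mktemp -d)
    # sshd stack laid out as in comment 5: include before pam_selinux open
    cat > "$d/sshd" <<'EOF'
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    include      password-auth
session    required     pam_selinux.so open env_params
EOF
    cat > "$d/password-auth" <<'EOF'
session     required      pam_limits.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session    optional      pam_systemd.so
session     required      pam_unix.so
EOF
    # constructed variant with the include (and so mkhomedir) after pam_selinux open
    cat > "$d/sshd-broken" <<'EOF'
session    required     pam_selinux.so close
session    required     pam_selinux.so open env_params
session    include      password-auth
EOF
    printf '%s\n' "$d"
}

# Usage on a real host: sh check_pam_order.sh /etc/pam.d sshd
if [ $# -eq 2 ]; then
    if check_mkhomedir_order "$1" "$2"; then
        echo "ok: pam_mkhomedir.so runs before pam_selinux.so open in $2"
    else
        echo "warning: pam_mkhomedir.so runs after pam_selinux.so open in $2"
        exit 1
    fi
fi
```

A non-zero exit from check_mkhomedir_order means the helper would be exec'd after pam_selinux has already set the user exec context, which is the condition under which the home directory ends up labelled from the user's domain rather than through the oddjob_mkhomedir_t transition. The flattened listing from flatten_session is also a convenient way to see the effective session stack across the include chain without reading each file separately.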
Comment 6 Miroslav Grepl 2012-10-17 03:49:28 EDT
I added labeling.
Comment 7 Fedora Update System 2012-10-17 08:34:59 EDT
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
Comment 8 Fedora Update System 2012-10-17 20:26:21 EDT
Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-12-20 10:47:21 EST
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 su_js1 2013-01-24 19:37:02 EST
Having the exact same problem on RH el6.3 with selinux-policy-3.7.19-155.el6_3.13.noarch
Comment 11 Miroslav Grepl 2013-01-25 04:46:26 EST
Did you try to fix labeling using chcon?
