There's a race condition in the mkhomedir tool at the function oddjob_selinux_mkdir(). During the home user creation, while copying /etc/skel to the newly created home directory. An attacker may leverage this by creating a symbolic link to a target privileged directory, as oddjob_selinux_mkdir() doesn't verify the symlink expansion and user permissions, it would end up changing the target folder ownership for an the unprivileged user which home is being created by the tool.
Name: Matthias Gerstner (SUSE security team)
Created oddjob tracking bugs for this issue:
Affects: fedora-all [bug 1833043]
Upstream commit for this issue: