[redhat-lspp] useradd SELinux context question

Daniel J Walsh dwalsh at redhat.com
Mon Jun 12 14:51:57 UTC 2006


Michael C Thompson wrote:
> I have seen types of behaviour exhibited by the useradd tool: 
> functional and non-functional under enforcing mode. The most recent 
> time I tried to recreate the successful transcript below, I was unable 
> to successfully create the /home/<user> directory, which caused the 
> entire useradd operation to fail. Adding a user with the -M (no home 
> dir creation) option succeeds.
>
> This should be a sysadm operation, any ideas what is causing it to 
> fail? It did work once before, but now it doesn't... see the 
> unsuccessful transcript for the details.
>
>
> Unsuccessful transcript:
> [root@dyn94141107 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemHigh
> [root@dyn94141107 ~]# useradd -m ealuser
> useradd: unable to lock password file
>
> [root@dyn94141107 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [root@dyn94141107 ~]# ls /home
> mcthomps  mlstestuser
> [root@dyn94141107 ~]# useradd -m ealuser
> useradd: cannot create directory /home/ealuser
>
>
>
> Successful Transcript:
> [root@dyn94141107 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
>
> [root@dyn94141107 ~]# useradd -c "admin style user" -m ealuser
>
> [root@dyn94141107 ~]# ls /home -alZ
> drwxr-xr-x  root     root     system_u:object_r:home_root_t:SystemLow-SystemHigh .
> drwxr-xr-x  root     root     system_u:object_r:root_t:SystemLow ..
> drwxr-xr-x  ealuser  ealuser  root:object_r:user_home_dir_t:SystemLow ealuser
>
> The "problem" for the successful transcript is that the permission for 
> the ealuser homedir is the SELinux user is root. Is this a bug or is 
> the secadm supposed to come in and fix this?
>
>
> If I can provide any more information that would be useful, let me know.
>
> Thanks,
> Mike
>
This is a bug in policy fixed in selinux-policy-2.2.45-2.
I will throw it out on ftp://people.redhat.com/dwalsh/SELinux/Fedora.


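An added example, not part of the original thread and not Red Hat's code: a shell check for the symptom reported above, where a home directory typed user_home_dir_t carries SELinux user root although its Unix owner is not root. It assumes the five-column `ls -alZ` layout shown in the transcript (mode, owner, group, context, name) and file names without spaces; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the `ls -alZ /home` layout from the thread, with the
# wrapped lines joined. The mcthomps line is invented to show a raw MLS level
# that itself contains a colon.
sample_listing() {
cat <<'EOF'
drwxr-xr-x  root     root     system_u:object_r:home_root_t:SystemLow-SystemHigh .
drwxr-xr-x  root     root     system_u:object_r:root_t:SystemLow ..
drwxr-xr-x  ealuser  ealuser  root:object_r:user_home_dir_t:SystemLow ealuser
drwxr-xr-x  mcthomps mcthomps user_u:object_r:user_home_dir_t:s0:c0.c3 mcthomps
EOF
}

# Reads a listing on stdin and prints "name owner selinux_user" for every
# user_home_dir_t entry whose SELinux user is root while the Unix owner is not.
# Typical use on a live system: ls -alZ /home | flag_root_labeled_homes
flag_root_labeled_homes() {
    awk '
    NF >= 5 {
        owner = $2; ctx = $4; name = $5
        # A context is user:role:type:level. The level may contain further
        # colons (s0:c0.c3), so only the first three fields are trusted.
        n = split(ctx, part, ":")
        if (n < 4) next
        if (part[3] == "user_home_dir_t" && part[1] == "root" && owner != "root")
            print name, owner, part[1]
    }'
}
```

Running `sample_listing | flag_root_labeled_homes` reports only the ealuser entry; after a policy update, directories already flagged still need their label corrected by an administrator.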


