Michael C Thompson wrote:
I have seen types of behaviour exhibited by the useradd tool: functional and non-functional under enforcing mode. The most recent time I tried to recreate the successful transcript below, I was unable to successfully create the /home/<user> directory, which caused the entire useradd operation to fail. Adding a user with the -M (no home dir creation) option succeeds.

This should be a sysadm operation, any ideas what is causing it to fail? It did work once before, but now it doesn't... see the unsuccessful transcript for the details.


Unsuccessful transcript:
[EMAIL PROTECTED] ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemHigh
[EMAIL PROTECTED] ~]# useradd -m ealuser
useradd: unable to lock password file

[EMAIL PROTECTED] ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
[EMAIL PROTECTED] ~]# ls /home
mcthomps  mlstestuser
[EMAIL PROTECTED] ~]# useradd -m ealuser
useradd: cannot create directory /home/ealuser



Successful Transcript:
[EMAIL PROTECTED] ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh

[EMAIL PROTECTED] ~]# useradd -c "admin style user" -m ealuser

[EMAIL PROTECTED] ~]# ls /home -alZ
drwxr-xr-x root root system_u:object_r:home_root_t:SystemLow-SystemHigh .
drwxr-xr-x  root     root     system_u:object_r:root_t:SystemLow ..
drwxr-xr-x ealuser ealuser root:object_r:user_home_dir_t:SystemLow ealuser

The "problem" for the successful transcript is that, in the permission for the ealuser homedir, the SELinux user is root. Is this a bug or is the secadm supposed to come in and fix this?


If I can provide any more information that would be useful, let me know.

Thanks,
Mike

This is a bug in policy, fixed in selinux-policy-2.2.45-2.
I will throw it out on ftp://people.redhat.com/dwalsh/SELinux/Fedora

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
