On Fri, Jul 13, 2018 at 6:59 PM, Laurent Bigonville wrote:
>
> Le 13/07/18 à 16:37, Stephen Smalley a écrit :
>
>> On 07/13/2018 10:26 AM, Laurent Bigonville wrote:
>>>
>>> Le 13/07/18 à 16:19, Laurent Bigonville a écrit :
Le 10/07/18 à 17:58, Stephen Smalley a écrit :
>
> On 07/10/2018 11:40 AM, Stephen Smalley wrote:
>>
>> On 07/09/2018 04:20 PM, Nicolas Iooss wrote:
>>>
>>> Hello,
>>>
>>> While testing a systemd update on Arch Linux, I encountered the
>>> following message (in a Vagrant virtual machine):
>>>
>>> # semanage fcontext -m -s sysadm_u -t user_home_t '/vagrant(/.*)?'
>>> libsemanage.get_home_dirs: Error while fetching users. Returning list
>>> so far.
>>>
>>> A quick debugging of get_home_dirs() in
>>> libsemanage/src/genhomedircon.c shows that the loop "while ((pwbuf =
>>> getpwent()) != NULL)" stops with pwbuf=NULL and errno=2 (ENOENT). My
>>> /etc/nsswitch.conf contains:
>>>
>>> passwd: files mymachines systemd
>>>
>>> If I remove "systemd" from this line, the error disappears. Therefore
>>> it seems that systemd's NSS module returns a ENOENT error when
>>> getpwent() is called. I have not found any clue in systemd's code [1]
>>> about such an error and I have not got much time to debug this issue.
>>> Does this occurs for someone else (using Fedora for example)?
>>
>> Fedora ships with usepasswd=False in semanage.conf, so we'll never reach
>> that code in a default configuration.
>> Fedora nsswitch.conf has following for passwd:
>> passwd:files sss systemd
>>
>> Removing usepasswd=False from semanage.conf, I see the same behavior
>> with libsemanage 2.8, systemd 239, and glibc 2.27 on Fedora and it did
>> not occur with systemd 238. systemd v239 does introduce support into
>> nss-systemd for looking up dynamic users, so this seems to be the cause.
>> Not sure yet whether this represents a bug in libsemanage or systemd,
>> but it appears to just be a warning and not fatal to operation.
>
> I'm inclined to think that this is a bug in systemd. The man page for
> getpwent() says nothing about setting errno to ENOENT upon reaching the
> end of the passwd database; it should just return NULL w/o setting errno
> AFAICT.
I see the same warning in debian.
If I'm reading
https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html
well this is actually valid to set errno=ENOENT and return
NSS_STATUS_NOTFOUND if "The requested entry is not available.", so that
should be OK?
>>>
>>> There are more info at
>>> https://www.gnu.org/software/libc/manual/html_node/NSS-Module-Function-Internals.html
>>> as well: "The function shall return NSS_STATUS_SUCCESS as long as there
>>> are more entries. When the last entry was read it should return
>>> NSS_STATUS_NOTFOUND. When the buffer given as an argument is too small for
>>> the data to be returned NSS_STATUS_TRYAGAIN should be returned. When the
>>> service was not formerly initialized by a call to _nss_DATABASE_setdbent
>>> all return values allowed for this function can also be returned here."
>>>
>>> But indeed, it's not that clear if you should set errno or not if you reach
>>> the last entry
>>
>> I'm not averse to a patch for libsemanage to ignore ENOENT from getpwent(),
>> but I think it is a bug in either systemd (i.e. it shouldn't be setting
>> ENOENT) or glibc (it should suppress it) given that it is not documented as
>> a possible errno value in getpwent(3). If we ignore it, we likely ought to
>> clear errno to avoid incorrect propagation of an ENOENT errno to later code.
>> But someone likely ought to open a bug with either systemd or glibc
>> maintainers regardless. Should be easy to create a trivial test case w/o
>> involving libsemanage, just some code that calls getpwent() until it returns
>> NULL and then tests the errno value, and show that it changes between
>> systemd v238 and systemd v239.
>
> FTR I've opened https://sourceware.org/bugzilla/show_bug.cgi?id=23410 as the
> errno is not documented, let's see what they will say
Thanks. I have been quite busy this week, and now that I have some
time, I took a look at systemd's code. It appears setting errno to
ENOENT is done there:
https://github.com/systemd/systemd/blob/v239/src/nss-systemd/nss-systemd.c#L781
, so at least it is not something else leaking errno to NSSwitch's
internals. I have added this information to glibc's ticket and will
wait for the feedback from glibc's developers.
Nicolas
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.