Bug 1494108 - On KDE, selinux prevents log in with newly created user
Summary: On KDE, selinux prevents log in with newly created user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F27FinalBlocker
Reported: 2017-09-21 13:18 UTC by Lukas Brabec
Modified: 2017-10-02 09:05 UTC (History)

Fixed In Version: selinux-policy-3.13.1-283.4.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-30 06:50:32 UTC
Type: Bug
Embargoed:


Attachments
journalctl -b (470.96 KB, text/plain)
2017-09-21 13:19 UTC, Lukas Brabec
ausearch -m AVC -ts today (20.03 KB, text/plain)
2017-09-21 13:20 UTC, Lukas Brabec
audit.log (400.10 KB, text/plain)
2017-09-21 13:20 UTC, Lukas Brabec
ausearch -m AVC -ts today (with chcon -t useradd_exec_t /usr/sbin/kuser) (3.35 KB, text/plain)
2017-09-21 17:08 UTC, Lukas Brabec
audit.log (with chcon -t useradd_exec_t /usr/sbin/kuser) (136.51 KB, text/plain)
2017-09-21 17:09 UTC, Lukas Brabec
ausearch -m AVC -ts today (with chcon, restorecon before creation of test3) (4.47 KB, text/plain)
2017-09-21 21:49 UTC, Lukas Brabec

Description Lukas Brabec 2017-09-21 13:18:43 UTC
Description of problem:

This happened when I was going through "QA:Testcase_desktop_login" on Fedora 27 with KDE.

I created a new user with the kuser application, then I logged out and tried to log in with the newly created user. The screen blinked and returned me to the login screen. Checking the journal, it seems that SELinux is preventing the creation of some dot-files in ~/ of the new user (see attached logs).

With setenforce 0, login works as expected.



Version-Release number of selected component (if applicable):

libselinux-utils-2.7-2.fc27.x86_64
selinux-policy-3.13.1-283.3.fc27.noarch
selinux-policy-targeted-3.13.1-283.3.fc27.noarch
pam-kwallet-5.10.5-1.fc27.x86_64
sddm-0.15.0-1.fc27.x86_64


Steps to Reproduce:
1. on Fedora 27 KDE, create another user with kuser
2. log out
3. try to login with the other user

Comment 1 Lukas Brabec 2017-09-21 13:19:38 UTC
Created attachment 1329000 [details]
journalctl -b

Comment 2 Lukas Brabec 2017-09-21 13:20:15 UTC
Created attachment 1329002 [details]
ausearch -m AVC -ts today

Comment 3 Lukas Brabec 2017-09-21 13:20:42 UTC
Created attachment 1329003 [details]
audit.log

Comment 4 Fedora Blocker Bugs Application 2017-09-21 13:35:38 UTC
Proposed as a Blocker for 27-beta by Fedora user lbrabec using the blocker tracking app because:

 Unable to complete step 5 of "QA:Testcase desktop login", which violates associated beta release criterion Post-install requirements - Shutdown, reboot, logout

Comment 5 Lukas Vrabec 2017-09-21 16:24:43 UTC
Lukas, 

Could you please try the following scenario: 
1. chcon -t useradd_exec_t /usr/sbin/kuser 
2. add new user like in bug description 
3. check AVCs 

Thanks,
Lukas.

Comment 6 Lukas Brabec 2017-09-21 17:08:41 UTC
Created attachment 1329086 [details]
ausearch -m AVC -ts today (with chcon -t useradd_exec_t /usr/sbin/kuser)

Comment 7 Lukas Brabec 2017-09-21 17:09:49 UTC
Created attachment 1329087 [details]
audit.log (with chcon -t useradd_exec_t /usr/sbin/kuser)

Comment 8 Kamil Páral 2017-09-21 18:26:14 UTC
Discussed during blocker review [1]:

RejectedBlocker (beta) AcceptedBlocker (final) - This bug violates the final criterion: "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test."

[1] https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2017-09-21/

Comment 9 Lukas Vrabec 2017-09-21 21:29:07 UTC
Lukas, 

What is the output of:

# ls -Z /home/

If you run:

# restorecon -Rv /home/

and then try to create new user with kuser (with chcon -t useradd_exec_t /usr/sbin/kuser) are you still able to catch any AVC? 

Thanks,
Lukas.

Comment 10 Lukas Brabec 2017-09-21 21:45:34 UTC
# ls -Z /home/
unconfined_u:object_r:user_home_dir_t:s0 ejohn
unconfined_u:object_r:home_root_t:s0 test2
unconfined_u:object_r:home_root_t:s0 test1

after:
# restorecon -Rv /home/
I'm able to login with previously created users, but with other new users I encounter the same problem.
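
Added example, not part of the original comments: the listing in comment 10 shows test1 and test2 labelled home_root_t while ejohn has user_home_dir_t. The script below reads `ls -Z` output and reports every entry whose type is not the expected one; the function names and the EXPECTED_TYPE variable are assumptions of this example, and the sample input is the listing from comment 10.

```shell
#!/bin/sh
# Added example: flag entries in `ls -Z /home/` output whose SELinux type
# differs from the expected one. Assumed input format, as in comment 10:
#   <user>:<role>:<type>:<level> <name>

# Expected type for a user's home directory (assumption, overridable).
EXPECTED_TYPE="${EXPECTED_TYPE:-user_home_dir_t}"

# Reads `ls -Z` lines on stdin; prints "<name> <type>" for each mismatch.
mislabeled_homes() {
    while read -r context name; do
        # Skip blank lines and lines without a name field.
        [ -n "$name" ] || continue
        # Skip entries that carry no full context (for example "?").
        case "$context" in
            *:*:*:*) ;;
            *) continue ;;
        esac
        # The type is the third colon-separated field of the context.
        setype=$(printf '%s\n' "$context" | cut -d: -f3)
        if [ "$setype" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$name" "$setype"
        fi
    done
}

# Sample input: the listing posted in comment 10.
sample_listing() {
    cat <<'EOF'
unconfined_u:object_r:user_home_dir_t:s0 ejohn
unconfined_u:object_r:home_root_t:s0 test2
unconfined_u:object_r:home_root_t:s0 test1
EOF
}

# On a live system: ls -Z /home/ | mislabeled_homes
sample_listing | mislabeled_homes
```

Run after creating a user and again after `restorecon -Rv /home/`, it shows whether new home directories are still being created with the wrong label.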

Comment 11 Lukas Brabec 2017-09-21 21:49:17 UTC
Created attachment 1329218 [details]
ausearch -m AVC -ts today (with chcon, restorecon before creation of test3)

Comment 12 Fedora Update System 2017-09-22 09:51:20 UTC
selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Comment 13 Lukas Brabec 2017-09-22 10:24:59 UTC
(In reply to Fedora Update System from comment #12)
> selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora
> 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

this fixes the bug

Comment 14 Lukas Vrabec 2017-09-22 10:26:23 UTC
Lukas,

Thanks for testing. :)

Comment 15 Fedora Update System 2017-09-22 17:54:49 UTC
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Comment 16 Fedora Update System 2017-09-30 06:50:32 UTC
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

