[Bug 1769301] Re: useradd fails when selinux is set to permissive
Andreas Florath
andreas at florath.net
Sat May 5 08:16:18 UTC 2018
It looks like the root cause affects multiple packages.
Observations: programs like lvchange have a similar problem:
# lvresize -L +1M /dev/mapper/vg-home
SELinux context reset: setfscreatecon failed: Invalid argument
SELinux context reset: setfscreatecon failed: Invalid argument
...
It looks like the problem might be in libselinux (procattr.c,
setprocattrcon_raw):
ret = write(fd, NULL, 0); /* clear */
This always returns 'Invalid argument'.
I was not able to reproduce this with standard system tools (echo, cat, tee, ...).
Therefore I wrote some lines of C (attached):
root at ubuntu:~# strace -f ./w2
...
openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
write(3, NULL, 0) = -1 EINVAL (Invalid argument)
dup(2) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
brk(NULL) = 0x55af7b32a000
brk(0x55af7b34b000) = 0x55af7b34b000
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
write(4, "write: Invalid argument\n", 24write: Invalid argument
) = 24
close(4) = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid() = 10408
gettid() = 10408
tgkill(10408, 10408, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=10408, si_uid=0} ---
+++ killed by SIGABRT +++
Aborted
I have no idea if this write(fd, NULL, 0) should work to reset the
attribute (then it might be a kernel /proc problem) or if the library
needs to use another mechanism to reset the content.
** Attachment added: "w2.c"
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1769301/+attachment/5134236/+files/w2.c
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1769301
Title:
resetting /proc/thread-self/attr/fscreate results in 'Invalid Argument'
Status in libselinux package in Ubuntu:
New
Bug description:
root at ubuntu:~# useradd -g 100 tst003
useradd: failure while writing changes to /etc/passwd
root at ubuntu:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31
The problem does not occur when SELinux is completely disabled.
Please note that a very similar problem occurs using groupadd:
root at ubuntu:~# groupadd tstgrp001
groupadd: failure while writing changes to /etc/group
= journal =
(Please note that there is *no* AVC!)
May 05 05:11:44 ubuntu useradd[756]: new user: name=tst003, UID=1004, GID=100, home=/home/tst003, shell=/bin/sh
May 05 05:11:44 ubuntu audit[756]: ADD_USER pid=756 uid=0 auid=1002 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=1004 exe="/usr/sbin/useradd" hostname=ubuntu addr=? terminal=pts/0 res=success'
May 05 05:11:44 ubuntu useradd[756]: failure while writing changes to /etc/passwd
May 05 05:11:44 ubuntu audit[756]: ADD_USER pid=756 uid=0 auid=1002 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user acct="tst003" exe="/usr/sbin/useradd" hostname=ubuntu addr=? terminal=pts/0 res=failed'
May 05 05:11:44 ubuntu useradd[756]: failed adding user 'tst003', data deleted
= ltrace =
[pid 1074] SYS_write(12, "root:x:"..., 1360) = 1360
[pid 1074] <... fflush resumed> ) = 0
[pid 1074] fileno(0x5595b21c6200) = 12
[pid 1074] fsync(12, 0x5595b21c62e0, 0, 0x7ff933d5c154 <unfinished ...>
[pid 1074] SYS_fsync(12) = 0
[pid 1074] <... fsync resumed> ) = 0
[pid 1074] fclose(0x5595b21c6200 <unfinished ...>
[pid 1074] SYS_close(12) = 0
[pid 1074] <... fclose resumed> ) = 0
[pid 1074] utime(0x7ffee34207e0, 0x7ffee34206b0, 0x5595b21af010, 1 <unfinished ...>
[pid 1074] SYS_utime("/etc/passwd-", 0x7ffee34206b0) = 0
[pid 1074] <... utime resumed> ) = 0
[pid 1074] fclose(0x5595b21af2a0 <unfinished ...>
[pid 1074] SYS_close(5) = 0
[pid 1074] <... fclose resumed> ) = 0
[pid 1074] setfscreatecon(0, 0x5595b21af118, 1, 2 <unfinished ...>
[pid 1074] SYS_openat(0xffffff9c, 0x5595b21cebc0, 0x80002, 0) = 5
[pid 1074] SYS_write(5, nil, 0) = -22
[pid 1074] SYS_close(5) = 0
[pid 1074] <... setfscreatecon resumed> ) = 0xffffffff
[pid 1074] free(0x5595b21b9dc0) = <void>
[pid 1074] free(0x5595b21b8a00) = <void>
[pid 1074] strlen("x") = 1
[pid 1074] memset(0x5595b21b7560, '\0', 1) = 0x5595b21b7560
[pid 1074] free(0x5595b21b7560) = <void>
[pid 1074] free(0x5595b21b94e0) = <void>
[pid 1074] free(0x5595b21b9000) = <void>
[pid 1074] free(0x5595b21b8fc0) = <void>
= strace =
write(12, "root:x:"..., 1360) = 1360
fsync(12) = 0
close(12) = 0
utime("/etc/passwd-", {actime=1525497034 /* 2018-05-05T05:10:34+0000 */, modtime=1525496803 /* 2018-05-05T05:06:43+0000 */}) = 0
close(5) = 0
openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 5
write(5, NULL, 0) = -1 EINVAL (Invalid argument)
close(5) = 0
= Version Information =
root at ubuntu:~# lsb_release -rd
Description: Ubuntu 18.04 LTS
Release: 18.04
root at ubuntu:~# dpkg -l | grep passwd | grep -v base-pa
ii passwd 1:4.5-1ubuntu1 amd64 change and administer password and group data
root at ubuntu:~# dpkg -l | grep selinux
ii libselinux1:amd64 2.7-2build2 amd64 SELinux runtime shared libraries
ii python3-selinux 2.7-2build2 amd64 Python3 bindings to SELinux shared libraries
ii selinux-basics 0.5.6 all SELinux basic support
ii selinux-policy-default 2:2.20180114-1 all Strict and Targeted variants of the SELinux policy
ii selinux-policy-dev 2:2.20180114-1 all Headers from the SELinux reference policy for building modules
ii selinux-utils 2.7-2build2 amd64 SELinux utility programs
root at ubuntu:~# uname -a
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux