Bug 239079 - [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
Summary: [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2007-05-04 19:21 UTC by Matt Anderson
Modified: 2009-06-19 16:58 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-11-07 16:39:36 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC

Description Matt Anderson 2007-05-04 19:21:11 UTC
Description of problem:
When using useradd -Z the context of seusers and the policy file are set to

# fixfiles check /etc/selinux/
/sbin/restorecon reset /etc/selinux/mls/seusers context
/sbin/restorecon reset /etc/selinux/mls/policy/policy.21 context

Version-Release number of selected component (if applicable):

How reproducible:
Every time, even when selecting what would be the default SELinux user.

Steps to Reproduce:
1. useradd -Z user_u alice
2. fixfiles check /etc/selinux

Actual results:
The policy file and the seusers file get relabeled to SystemLow from SystemHigh

Expected results:
The file should remain at the correct level.

Additional info:
It seems that you can only run useradd from SystemLow, otherwise you are unable
to lock the password file

[root/sysadm_r/SystemHigh@cert-i5 root]# useradd -Z staff_u -n bob
useradd: unable to lock password file

As a result these trusted databases are set to SystemLow.

Comment 1 RHEL Product and Program Management 2007-05-07 12:43:51 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 3 Daniel Walsh 2007-05-07 14:14:49 UTC
Fixed in selinux-policy-2.4.6-69

Comment 4 Klaus Weidner 2007-05-07 17:10:23 UTC
This bug is not critical as far as LSPP compliance is concerned - the seusers
and policy files do not contain any information that specifically needs to be at
SystemHigh. As long as the changed level doesn't actually break applications
it's not urgent to fix.

Comment 5 Matt Anderson 2007-05-07 17:43:33 UTC
The changed level does break applications.

Once the files are relabeled SystemHigh subsequent operations on them fail,
useradd -Z, semanage, anything else that needs access to that database.

This can be worked around by running `fixfiles restore /etc/selinux` after each
time the database gets relabeled to the wrong level, but otherwise the second time
you run anything it will fail due to the MLS level being incorrect.
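
Added example, not part of the original comments or of any Red Hat tooling: a shell check that pulls the MLS level out of each file's SELinux context and reports files whose level differs from the one expected, so drift on seusers and policy.21 can be caught right after an account change instead of at the next failing operation. The function names and the sample contexts (including the type names) are constructed for illustration; the expected level is a parameter and must be given in the same form the listing uses.

```shell
#!/bin/sh
# Added example: flag files whose MLS level differs from the expected one.

# context_level CONTEXT
# A context is user:role:type:level. The level can itself contain colons
# (sensitivity:categories), so keep everything from the fourth field on.
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# check_levels EXPECTED_LEVEL   (reads "path context" lines on stdin)
# Prints one DRIFT line per mismatch and returns 1 if any file drifted.
check_levels() {
    expected=$1
    rc=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        level=$(context_level "$ctx")
        if [ "$level" != "$expected" ]; then
            printf 'DRIFT %s %s (expected %s)\n' "$path" "$level" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing in "path context" form, using the translated
# level names that appear in this report. The contexts are illustrative.
sample_listing() {
    cat <<'EOF'
/etc/selinux/mls/seusers system_u:object_r:selinux_config_t:SystemLow
/etc/selinux/mls/policy/policy.21 system_u:object_r:policy_config_t:SystemHigh
EOF
}

# On a live system the same listing can be produced with GNU stat, e.g.:
#   stat -c '%n %C' /etc/selinux/mls/seusers /etc/selinux/mls/policy/policy.21 \
#       | check_levels SystemHigh
```

Running `sample_listing | check_levels SystemHigh` reports the seusers line as drifted and returns a non-zero status, which makes the check usable from a wrapper around `useradd -Z` or `semanage`.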

Comment 6 Linda Knippers 2007-05-07 19:43:34 UTC
What was the policy change?  Was it to make seusers SystemLow by default?
If the passwd file is SystemLow then it seems seusers could be as well.
Any idea why running semanage to update seusers doesn't have the same

Comment 7 Daniel Walsh 2007-05-15 17:25:33 UTC
Turns out this is a problem with semanage also. When updating the system,
semanage will lower the sensitivity of the seusers and policy.21 file

So this is really a libsemanage problem.  Reassigning

Comment 8 Daniel Walsh 2007-05-17 17:54:50 UTC
We agreed to change the sensitivity level of seusers and policy.21 to SystemLow
on the phone.  Fixed in selinux-policy-2.4.6-71

Comment 10 Eduard Benes 2007-08-21 15:25:11 UTC
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot ( for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 

Comment 13 errata-xmlrpc 2007-11-07 16:39:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
