resetting /proc/thread-self/attr/fscreate results in 'Invalid Argument'

Bug #1769301 reported by Andreas Florath on 2018-05-05
This bug affects 6 people
Affects: libselinux (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: linux (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

root@ubuntu:~# useradd -g 100 tst003
useradd: failure while writing changes to /etc/passwd

root@ubuntu:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)
Max kernel policy version: 31

The problem does not occur when SELinux is completely disabled.

Please note that a very similar problem occurs using groupadd:

root@ubuntu:~# groupadd tstgrp001
groupadd: failure while writing changes to /etc/group

= journal =
(Please note that there is *no* AVC!)

May 05 05:11:44 ubuntu useradd[756]: new user: name=tst003, UID=1004, GID=100, home=/home/tst003, shell=/bin/sh
May 05 05:11:44 ubuntu audit[756]: ADD_USER pid=756 uid=0 auid=1002 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=1004 exe="/usr/sbin/useradd" hostname=ubuntu addr=? terminal=pts/0 res=success'
May 05 05:11:44 ubuntu useradd[756]: failure while writing changes to /etc/passwd
May 05 05:11:44 ubuntu audit[756]: ADD_USER pid=756 uid=0 auid=1002 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user acct="tst003" exe="/usr/sbin/useradd" hostname=ubuntu addr=? terminal=pts/0 res=failed'
May 05 05:11:44 ubuntu useradd[756]: failed adding user 'tst003', data deleted

= ltrace =

[pid 1074] SYS_write(12, "root:x:"..., 1360) = 1360
[pid 1074] <... fflush resumed> ) = 0
[pid 1074] fileno(0x5595b21c6200) = 12
[pid 1074] fsync(12, 0x5595b21c62e0, 0, 0x7ff933d5c154 <unfinished ...>
[pid 1074] SYS_fsync(12) = 0
[pid 1074] <... fsync resumed> ) = 0
[pid 1074] fclose(0x5595b21c6200 <unfinished ...>
[pid 1074] SYS_close(12) = 0
[pid 1074] <... fclose resumed> ) = 0
[pid 1074] utime(0x7ffee34207e0, 0x7ffee34206b0, 0x5595b21af010, 1 <unfinished ...>
[pid 1074] SYS_utime("/etc/passwd-", 0x7ffee34206b0) = 0
[pid 1074] <... utime resumed> ) = 0
[pid 1074] fclose(0x5595b21af2a0 <unfinished ...>
[pid 1074] SYS_close(5) = 0
[pid 1074] <... fclose resumed> ) = 0
[pid 1074] setfscreatecon(0, 0x5595b21af118, 1, 2 <unfinished ...>
[pid 1074] SYS_openat(0xffffff9c, 0x5595b21cebc0, 0x80002, 0) = 5
[pid 1074] SYS_write(5, nil, 0) = -22
[pid 1074] SYS_close(5) = 0
[pid 1074] <... setfscreatecon resumed> ) = 0xffffffff
[pid 1074] free(0x5595b21b9dc0) = <void>
[pid 1074] free(0x5595b21b8a00) = <void>
[pid 1074] strlen("x") = 1
[pid 1074] memset(0x5595b21b7560, '\0', 1) = 0x5595b21b7560
[pid 1074] free(0x5595b21b7560) = <void>
[pid 1074] free(0x5595b21b94e0) = <void>
[pid 1074] free(0x5595b21b9000) = <void>
[pid 1074] free(0x5595b21b8fc0) = <void>

= strace =

write(12, "root:x:"..., 1360) = 1360
fsync(12) = 0
close(12) = 0
utime("/etc/passwd-", {actime=1525497034 /* 2018-05-05T05:10:34+0000 */, modtime=1525496803 /* 2018-05-05T05:06:43+0000 */}) = 0
close(5) = 0
openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 5
write(5, NULL, 0) = -1 EINVAL (Invalid argument)
close(5) = 0

= Version Information =
root@ubuntu:~# lsb_release -rd
Description: Ubuntu 18.04 LTS
Release: 18.04

root@ubuntu:~# dpkg -l | grep passwd | grep -v base-pa
ii passwd 1:4.5-1ubuntu1 amd64 change and administer password and group data

root@ubuntu:~# dpkg -l | grep selinux
ii libselinux1:amd64 2.7-2build2 amd64 SELinux runtime shared libraries
ii python3-selinux 2.7-2build2 amd64 Python3 bindings to SELinux shared libraries
ii selinux-basics 0.5.6 all SELinux basic support
ii selinux-policy-default 2:2.20180114-1 all Strict and Targeted variants of the SELinux policy
ii selinux-policy-dev 2:2.20180114-1 all Headers from the SELinux reference policy for building modules
ii selinux-utils 2.7-2build2 amd64 SELinux utility programs

root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Andreas Florath (ansreas) wrote :

It looks like the root cause affects multiple packages.

Observations: programs like lvchange have a similar problem:

# lvresize -L +1M /dev/mapper/vg-home
  SELinux context reset: setfscreatecon failed: Invalid argument
  SELinux context reset: setfscreatecon failed: Invalid argument
...

It looks like the problem might be in libselinux (procattr.c, setprocattrcon_raw):

    ret = write(fd, NULL, 0); /* clear */

This always returns 'Invalid argument'.

I was not able to reproduce this with standard system tools (echo, cat, tee, ...).
Therefore I wrote some lines of C (attached):

root@ubuntu:~# strace -f ./w2
...
openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", O_RDWR|O_CLOEXEC) = 3
write(3, NULL, 0) = -1 EINVAL (Invalid argument)
dup(2) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
brk(NULL) = 0x55af7b32a000
brk(0x55af7b34b000) = 0x55af7b34b000
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
write(4, "write: Invalid argument\n", 24write: Invalid argument
) = 24
close(4) = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid() = 10408
gettid() = 10408
tgkill(10408, 10408, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=10408, si_uid=0} ---
+++ killed by SIGABRT +++
Aborted

I have no idea if this write(fd, NULL, 0) should work to reset the attribute (then it might be a kernel /proc problem) or if the library needs to use another mechanism to reset the content.

Andreas Florath (ansreas) wrote :

In libselinux the setfscreatecon() function is implemented - which might be the root cause of the problem.

affects: shadow (Ubuntu) → libselinux (Ubuntu)
summary: - useradd fails when selinux is set to permissive
+ resetting /proc/thread-self/attr/fscreate results in 'Invalid Argument'

Igor Klyuchnikov (mouth.shut) wrote :

Got the same problem. It looks like the problem is in the kernel 4.15 with Canonical patches. Vanilla 4.15, built from source, has no problem with useradd. Ubuntu 16.04 LTS kernel 4.13 generic, built from source, is also ok. I've spent plenty of time trying to make it work.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libselinux (Ubuntu):
status: New → Confirmed

Igor Klyuchnikov (mouth.shut) wrote :

I've asked a question on stackexchange.com, but still no answer. There is a detailed description and some logs.
https://unix.stackexchange.com/questions/458853/useradd-groupadd-fails-failure-while-writing-changes-to-etc-passwd-and-etc-gr

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1769301

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: bionic

Andreas Florath (ansreas) wrote :

I'm sorry, but I no longer have access to the system, therefore I cannot run the command.
