Bug 1169739
| Field | Value |
|---|---|
| Summary | selinuxusermap rule does not apply to trusted AD users |
| Product | Red Hat Enterprise Linux 7 |
| Component | sssd |
| Version | 7.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | high |
| Keywords | Regression |
| Reporter | Steeve Goveas <sgoveas> |
| Assignee | Lukas Slebodnik <lslebodn> |
| QA Contact | Kaushik Banerjee <kbanerje> |
| CC | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mnavrati, mzidek, nsoman, pbrezina, preichl |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.12.2-32.el7 |
| Doc Type | Known Issue |
| Doc Text | Due to an error in processing SELinux labels of users coming from IPA-AD trusts, users coming via AD trusts to hosts handled by Identity Management (IdM) are assigned the default SELinux context. For this reason, it is recommended to set the restrictive SELinux context as default. |
| Type | Bug |
| Last Closed | 2015-03-05 10:34:45 UTC |
| Bug Blocks | 1168850 |
Description
Steeve Goveas
2014-12-02 10:37:26 UTC
Please attach logs. Assigning to Lukas for investigation as he was already poking at the issue.

Upstream ticket: https://fedorahosted.org/sssd/ticket/2512

Created attachment 963749: sssd_ipa.domain.log files for bz1075663 test

Created attachment 963752: sssd_ipa.domain.log files for bz1073635 test

Thank you very much, a patch is on the list now.

Seeing it with regular (non-AD) users as well - so should doctext be revised?

```
# ipa user-add one
# ipa passwd one
# kinit one
# kinit admin
# ipa selinuxusermap-add selinuxusermaprule1 --selinuxuser=staff_u:s0-s0:c0.c1023
--------------------------------------------
Added SELinux User Map "selinuxusermaprule1"
--------------------------------------------
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
# ipa selinuxusermap-add-user selinuxusermaprule1 --users=one
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: one
-------------------------
Number of members added 1
-------------------------
# ipa selinuxusermap-add-host selinuxusermaprule1 --hosts=qe-blade-01.testrelm.test
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: one
  Hosts: qe-blade-01.testrelm.test
-------------------------
Number of members added 1
-------------------------
# ipa selinuxusermap-show selinuxusermaprule1 --all
  dn: ipaUniqueID=836be4f2-7b2d-11e4-95b3-3440b58fae6b,cn=usermap,cn=selinux,dc=testrelm,dc=test
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: one
  Hosts: qe-blade-01.testrelm.test
  ipauniqueid: 836be4f2-7b2d-11e4-95b3-3440b58fae6b
  objectclass: ipaselinuxusermap, ipaassociation
# kinit one
# ssh -l one qe-blade-01.testrelm.test id -Z
Could not chdir to home directory /home/one: No such file or directory
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

It will not work for ipa users if the option use_fully_qualified_names is enabled in ipa domain (sssd.conf).
* master: b02eda90e9c6d6666af55041b1b12f5ac2f47b73

Verified in version ipa-server-4.1.0-13.el7.x86_64 sssd-ipa-1.12.2-39.el7.x86_64

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_bug_1075663: SSSD should create the SELinux mapping file with format expected by pam_selinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add --desc=0 gr1075663'
-----------------------
Added group "gr1075663"
-----------------------
  Group name: gr1075663
  Description: 0
  GID: 1039800006
:: [ PASS ] :: Command 'ipa group-add --desc=0 gr1075663' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add --desc=0 gr1075663_ext --external'
---------------------------
Added group "gr1075663_ext"
---------------------------
  Group name: gr1075663_ext
  Description: 0
:: [ PASS ] :: Command 'ipa group-add --desc=0 gr1075663_ext --external' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add-member gr1075663 --groups=gr1075663_ext'
  Group name: gr1075663
  Description: 0
  GID: 1039800006
  Member groups: gr1075663_ext
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa group-add-member gr1075663 --groups=gr1075663_ext' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add-member gr1075663_ext --users='' --groups='' --external='aduser1''
  Group name: gr1075663_ext
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-1105
  Member of groups: gr1075663
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa group-add-member gr1075663_ext --users='' --groups='' --external='aduser1'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-add --hostcat=all --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1075663'
----------------------------------------
Added SELinux User Map "selinux_1075663"
----------------------------------------
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
:: [ PASS ] :: Command 'ipa selinuxusermap-add --hostcat=all --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1075663' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-add-user selinux_1075663 --groups=gr1075663'
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa selinuxusermap-add-user selinux_1075663 --groups=gr1075663' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'su - aduser1 -c 'echo aduser1 >> ~/.k5login''
:: [ PASS ] :: Command 'su - aduser1 -c 'echo aduser1 >> ~/.k5login'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'su - aduser1 -c 'cat ~/.k5login''
aduser1
:: [ PASS ] :: Command 'su - aduser1 -c 'cat ~/.k5login'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
:: [ PASS ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit aduser1'
Password for aduser1:
:: [ PASS ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [ PASS ] :: Command 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023'
:: [ BEGIN ] :: Running 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [ PASS ] :: Command 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023'
:: [ BEGIN ] :: Running 'ssh -K -l 'IPAAD2012R2duser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [ PASS ] :: Command 'ssh -K -l 'IPAAD2012R2\aduser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023'
:: [ BEGIN ] :: Running 'ssh -K -l 'ipaad2012r2duser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [ PASS ] :: Command 'ssh -K -l 'ipaad2012r2\aduser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023'
:: [ PASS ] :: BZ 1075663 not found
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-del gr1075663_ext'
-----------------------------
Deleted group "gr1075663_ext"
-----------------------------
:: [ PASS ] :: Command 'ipa group-del gr1075663_ext' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-del gr1075663'
-------------------------
Deleted group "gr1075663"
-------------------------
:: [ PASS ] :: Command 'ipa group-del gr1075663' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-del selinux_1075663'
------------------------------------------
Deleted SELinux User Map "selinux_1075663"
------------------------------------------
:: [ PASS ] :: Command 'ipa selinuxusermap-del selinux_1075663' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_bug_1073635: IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:55:09 ] :: First make sure selinuxusermap is to unconfined...
:: [ BEGIN ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
:: [ PASS ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit aduser1'
Password for aduser1:
:: [ PASS ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1'
:: [ PASS ] :: Command 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_bug_1073635.HvhL70'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat ipa_trust_func_bug_1073635.HvhL70' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_bug_1073635.HvhL70' should contain 'unconfined_u.*:s0-s0:c0.c1023'
:: [ 07:55:19 ] :: Now Setup groups and selinuxusermap rule
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add --desc=0 gr1073635'
-----------------------
Added group "gr1073635"
-----------------------
  Group name: gr1073635
  Description: 0
  GID: 1039800007
:: [ PASS ] :: Command 'ipa group-add --desc=0 gr1073635' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add --desc=0 gr1073635_ext --external'
---------------------------
Added group "gr1073635_ext"
---------------------------
  Group name: gr1073635_ext
  Description: 0
:: [ PASS ] :: Command 'ipa group-add --desc=0 gr1073635_ext --external' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add-member gr1073635 --groups=gr1073635_ext'
  Group name: gr1073635
  Description: 0
  GID: 1039800007
  Member groups: gr1073635_ext
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa group-add-member gr1073635 --groups=gr1073635_ext' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-add-member gr1073635_ext --users='' --groups='' --external='aduser1''
  Group name: gr1073635_ext
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-1105
  Member of groups: gr1073635
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa group-add-member gr1073635_ext --users='' --groups='' --external='aduser1'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-add --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1073635'
----------------------------------------
Added SELinux User Map "selinux_1073635"
----------------------------------------
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
:: [ PASS ] :: Command 'ipa selinuxusermap-add --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1073635' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-add-user selinux_1073635 --groups=gr1073635'
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa selinuxusermap-add-user selinux_1073635 --groups=gr1073635' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-add-host selinux_1073635 --hosts=ipaqavmh.rdustv1911.test'
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
  Hosts: ipaqavmh.rdustv1911.test
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Command 'ipa selinuxusermap-add-host selinux_1073635 --hosts=ipaqavmh.rdustv1911.test' (Expected 0, got 0)
:: [ 07:55:37 ] :: Now test selinuxusermap rule
:: [ BEGIN ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
:: [ PASS ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit aduser1'
Password for aduser1:
:: [ PASS ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1'
:: [ PASS ] :: Command 'ssh -K -l aduser1 ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_bug_1073635.HvhL70'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat ipa_trust_func_bug_1073635.HvhL70' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_bug_1073635.HvhL70' should contain 'staff_u.*:s0-s0:c0.c1023'
:: [ 07:55:48 ] :: Now cleanup groups and rules
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123|kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-del gr1073635'
-------------------------
Deleted group "gr1073635"
-------------------------
:: [ PASS ] :: Command 'ipa group-del gr1073635' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa group-del gr1073635_ext'
-----------------------------
Deleted group "gr1073635_ext"
-----------------------------
:: [ PASS ] :: Command 'ipa group-del gr1073635_ext' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa selinuxusermap-del selinux_1073635'
------------------------------------------
Deleted SELinux User Map "selinux_1073635"
------------------------------------------
:: [ PASS ] :: Command 'ipa selinuxusermap-del selinux_1073635' (Expected 0, got 0)
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
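The reproducer and the verification log above both reduce to one check: compare the context `id -Z` prints after login with the `SELinux User` value of the IPA rule, and notice when the user silently landed on the default context instead. The helper below is an added example and is not code from SSSD, IPA or this bug's test suite. It parses both strings offline against constructed copies of the outputs seen on this page, skips the "Could not chdir" warning that precedes the context in the reproducer, and reports `applied`, `default` (the regression this bug describes) or `unexpected`. The default value `unconfined_u:s0-s0:c0.c1023` is an assumption taken from the reproducer output; on a real deployment it comes from the IPA server configuration.

```python
"""Audit helper: did an IPA selinuxusermap rule take effect for a login?

An IPA rule stores its target as "<seuser>:<mls-range>", e.g.
staff_u:s0-s0:c0.c1023, while `id -Z` prints "<seuser>:<role>:<type>:<range>".
Added example, not SSSD or IPA code.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed samples modelled on the outputs quoted in this bug:
# the reproducer (warning line first, then the context) and the verified run.
SAMPLE_OUTPUT_BUGGY = (
    "Could not chdir to home directory /home/one: No such file or directory\n"
    "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n"
)
SAMPLE_OUTPUT_FIXED = "staff_u:staff_r:staff_t:s0-s0:c0.c1023\n"

# 'SELinux User' of the rule, as shown by `ipa selinuxusermap-show`.
RULE_SELINUX_USER = "staff_u:s0-s0:c0.c1023"
# Assumed default mapping (taken from the reproducer output, not queried from IPA).
DEFAULT_SELINUX_USER = "unconfined_u:s0-s0:c0.c1023"

# user:role:type[:range]; identifiers are lower-case with underscores/digits,
# so shell warnings and prompts never match.
CONTEXT_RE = re.compile(
    r"^([a-z_][a-z0-9_]*):([a-z_][a-z0-9_]*):([a-z_][a-z0-9_]*)(?::(.+))?$"
)


@dataclass(frozen=True)
class Context:
    seuser: str
    role: str
    type_: str
    range_: str


def parse_context(id_z_output: str) -> Context:
    """Return the first line of `id -Z` output that is a SELinux context."""
    for line in id_z_output.splitlines():
        m = CONTEXT_RE.match(line.strip())
        if m:
            seuser, role, type_, range_ = m.groups()
            return Context(seuser, role, type_, range_ or "")
    raise ValueError("no SELinux context found in output")


def split_rule(rule: str) -> Tuple[str, str]:
    """Split an IPA 'SELinux User' value into (seuser, mls_range)."""
    seuser, sep, range_ = rule.partition(":")
    if not seuser or not sep:
        raise ValueError(f"malformed SELinux user value: {rule!r}")
    return seuser, range_


def check_mapping(id_z_output: str, rule: str, default: str) -> str:
    """Classify a login context: 'applied', 'default' or 'unexpected'."""
    ctx = parse_context(id_z_output)
    want_user, want_range = split_rule(rule)
    if ctx.seuser == want_user and ctx.range_ == want_range:
        return "applied"
    def_user, def_range = split_rule(default)
    if ctx.seuser == def_user and ctx.range_ == def_range:
        # The rule was ignored and the user fell back to the default mapping.
        return "default"
    return "unexpected"


if __name__ == "__main__":
    for label, sample in (("buggy", SAMPLE_OUTPUT_BUGGY), ("fixed", SAMPLE_OUTPUT_FIXED)):
        verdict = check_mapping(sample, RULE_SELINUX_USER, DEFAULT_SELINUX_USER)
        print(f"{label}: {parse_context(sample)} -> {verdict}")
```

A `default` verdict on a host where a rule should match is the signal to look at: as the Doc Text notes, with this regression the safe posture is a restrictive default mapping, so that a skipped rule fails closed rather than handing out `unconfined_u`.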