Bug 1184982
Summary: | Need to set different umask in selinux_child | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.0 | CC: | drieden, grajaiya, jgalipea, jhrozek, lmiksik, lslebodn, mkosek, mvadkert, mzidek, nkarandi, pbrezina, preichl |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.12.2-52.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-03-05 10:35:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 717785 |
Description
Jakub Hrozek
2015-01-22 15:50:53 UTC
User-visible effect might be that the directory /etc/selinux/targeted/modules/active is created with wrong permissions, preventing the semanage tools from working correctly. To test: 0) set up an IPA client 1) Run ls -ld /etc/selinux/targeted/modules/active Note the access permissions and rights. 2) log in as an user who has a SELinux label assigned 3) Run ls -ld /etc/selinux/targeted/modules/active again With the unpatched sssd, the permissions on the directory would be altered. The patched packages honor the permission libsemanage wants. Fixed upstream: master: 8f78b6442f3176ee43aa06704a3adb9f4ac625d6 sssd-1-12: b8894eb53017af67224d05470d2cdd2a65070a41 Tested with sssd-1.12.2-52.el7.x86_64 1. Configure system as IPA client. 2. Check permissions of the following directory. # ls -ld /etc/selinux/targeted/modules/active drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active 3. Login with ipauser1 # ssh ipauser1@localhost ipauser1@localhost's password: Last login: Fri Jan 30 20:45:43 2015 from localhost -sh-4.2$ pwd /home/ipauser1 4. Check permissions of the same directory. -sh-4.2$ ls -ld /etc/selinux/targeted/modules/active drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active Confirmed. This bug is fixed with sssd-1.12.2-52.el7, there is a selinux-policy issue remaining though, but that will be resolved in BZ#1185962 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html |