Bug 1184982

Summary: Need to set different umask in selinux_child
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.0CC: drieden, grajaiya, jgalipea, jhrozek, lmiksik, lslebodn, mkosek, mvadkert, mzidek, nkarandi, pbrezina, preichl
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.12.2-52.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:35:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 717785    

Description Jakub Hrozek 2015-01-22 15:50:53 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2563

libsemanage calls mkdir() and then requires that the directory is created with permissions 0700. That doesn't work well for programs like sssd that set umask to a very restrictive value (like 177).

I consider this a bug in libsemanage, since they require custom permissions, they should set a sensible umask themselves, but we need to work around it for the short term.
Comment 1 Jakub Hrozek 2015-01-22 15:51:44 UTC 
User-visible effect might be that the directory /etc/selinux/targeted/modules/active is created with wrong permissions, preventing the semanage tools from working correctly.
Comment 3 Jakub Hrozek 2015-01-26 21:47:08 UTC 
To test:

0) set up an IPA client
1) Run ls -ld /etc/selinux/targeted/modules/active
   Note the access permissions and rights.
2) log in as an user who has a SELinux label assigned
3) Run ls -ld /etc/selinux/targeted/modules/active again

With the unpatched sssd, the permissions on the directory would be altered. The patched packages honor the permission libsemanage wants.
Comment 7 Jakub Hrozek 2015-01-27 17:12:38 UTC 
Fixed upstream:
    master: 8f78b6442f3176ee43aa06704a3adb9f4ac625d6
    sssd-1-12: b8894eb53017af67224d05470d2cdd2a65070a41
Comment 9 Nirupama Karandikar 2015-01-30 12:49:40 UTC 
Tested with sssd-1.12.2-52.el7.x86_64

1. Configure system as IPA client.

2. Check permissions of the following directory.

#  ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active

3. Login with ipauser1
 
# ssh ipauser1@localhost
ipauser1@localhost's password: 
Last login: Fri Jan 30 20:45:43 2015 from localhost
-sh-4.2$ pwd
/home/ipauser1

4. Check permissions of the same directory. 

-sh-4.2$ ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active
Comment 10 Miroslav Vadkerti 2015-02-03 10:36:20 UTC 
Confirmed. This bug is fixed with sssd-1.12.2-52.el7, there is a selinux-policy issue remaining though, but that will be resolved in BZ#1185962
Comment 12 errata-xmlrpc 2015-03-05 10:35:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html