Bug 1198480

Summary: With empty ipaselinuxusermapdefault security context on client is staff_u
Product: Red Hat Enterprise Linux 6
Reporter: Martin Kosek <mkosek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DUPLICATE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: high
Priority: medium
Version: 6.7
CC: grajaiya, jgalipea, jhrozek, kbanerje, lmiksik, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, rcritten, sgoveas
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1192314
Last Closed: 2015-03-04 09:58:17 UTC
Type: Bug
Bug Depends On: 1192314
Bug Blocks: 1194302

Description Martin Kosek 2015-03-04 09:00:15 UTC
+++ This bug was initially created as a clone of Bug #1192314 +++

Description of problem:
Default security context for users on client becomes staff_u:staff_r:staff_t:s0-s0:c0.c1023 when ipaselinuxusermapdefault is not set

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up trust
2. Remove default selinux user
3. Check security context of user

Actual results:
On IPA Master

[root@bumblebee ~]# ipa config-mod --ipaselinuxusermapdefault=

[root@bumblebee ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: slnx2k8r2.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=SLNX2K8R2.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC


[root@bumblebee ~]# kdestroy -A

[root@bumblebee ~]# echo Secret123| kinit au102130134
Password for au102130134: 

[root@bumblebee ~]# ssh -l au102130134 `hostname` id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On Client

[root@vm-idm-033 ~]# service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@vm-idm-033 ~]# kdestroy -A

[root@vm-idm-033 ~]# echo Secret123| kinit au102130134
Password for au102130134: 

[root@vm-idm-033 ~]# ssh -l au102130134 `hostname` id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023



Expected results:
[root@vm-idm-033 ~]# ssh -l au102130134 `hostname` id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

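The reproduction above compares the SELinux user that the master assigns (unconfined_u) with the one the client assigns after the default is emptied (staff_u). The following is an added example, not code from the bug report or from SSSD/IPA, of the kind of check an administrator would run over a fleet of clients after changing ipaselinuxusermapdefault: it extracts the SELinux user from an `id -Z` context string, compares it with the expected user, and confirms that user appears in the IPA "SELinux user map order" value (a `$`-separated list of user:MLS-range entries). The function names are my own, and the sample contexts and map order are constructed from the output shown in the report; in a real run the context string would come from `ssh -l "$user" "$host" id -Z`.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers to verify the SELinux
# user a client assigns to an IPA user, using the "id -Z" output format
# shown in the report. All names and sample values below are assumptions.

# Extract the SELinux user (first colon-separated field) from a context
# such as staff_u:staff_r:staff_t:s0-s0:c0.c1023.
selinux_user_of() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Return 0 if the observed context carries the expected SELinux user.
check_selinux_user() {
    expected="$1"
    observed="$2"
    [ "$(selinux_user_of "$observed")" = "$expected" ]
}

# Return 0 if the SELinux user is listed in the IPA "SELinux user map
# order" value. Entries are '$'-separated user:MLS-range pairs, so split
# on '$', keep the user part, and look for an exact match.
in_map_order() {
    user="$1"
    order="$2"
    printf '%s\n' "$order" | tr '$' '\n' | cut -d: -f1 | grep -qx "$user"
}

# Sample values constructed from the report: master vs. client context
# for the same user, and the configured map order.
MASTER_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
CLIENT_CTX='staff_u:staff_r:staff_t:s0-s0:c0.c1023'
MAP_ORDER='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

# Stand-alone demonstration: report each host's SELinux user and whether
# it matches the expected default.
for entry in "master=$MASTER_CTX" "client=$CLIENT_CTX"; do
    host="${entry%%=*}"
    ctx="${entry#*=}"
    if check_selinux_user unconfined_u "$ctx"; then
        status=ok
    else
        status=MISMATCH
    fi
    printf '%s: %s (%s)\n' "$host" "$(selinux_user_of "$ctx")" "$status"
done
```

Against the report's values this flags the client as a mismatch while the master passes; in a fleet check, replace the constructed contexts with the output of `ssh -l "$user" "$host" id -Z` for each client and feed the live `ipa config-show` map order into `in_map_order` to make sure the expected user is actually configured.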
Comment 1 Martin Kosek 2015-03-04 09:58:17 UTC
I did not notice this is a duplicate. Sorry for the fuzz, closing.

*** This bug has been marked as a duplicate of bug 1194302 ***