Bug 1562606

Summary: validate_selinuxuser does not allow a period in selinux user identifier
Product: [Fedora] Fedora Reporter: dac.override
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: abokovoy, cheimes, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freeipa-4.6.90.pre2-3.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-24 13:56:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description dac.override 2018-04-01 12:11:42 UTC 
Description of problem:

https://github.com/freeipa/freeipa/blob/beb6d74b81eae9965ddc031db1a3826c01d59d30/ipaserver/plugins/selinuxusermap.py#L104

The above code seems to do some "sanity" checks that forces one to use selinux user identities with only "aZ" and "_"

The CIL selinux policy language leverages "name spaces" so would be nice if we can use that.

Example:

unconfined_u would be unconfined.u

Do we need these sanity checks at all though? I would explect that libsemanage takes care of this for us?

The mls checks also seem to assume that one has no more than 15 sensitivities. There is no hard limit to 15 in practice.
Comment 1 Rob Crittenden 2018-04-01 16:30:36 UTC 
If there is a python binding to libsemanage to do the validation that would definitely be preferable to the IPA checking.

The checks are there to try to help guide the user (the syntax is not exactly obvious) and typos/errors may not be detected until the user actually tries to apply things on a system so determining source of a problem might not be obvious. At least that was the thinking at the time this was implemented.
Comment 2 dac.override 2018-04-03 09:17:45 UTC 
Can you then at least allow periods in names in addition to underscores?

If you allow periods then I believe at least I will be able to tell sss selinux child about my selinux users, and hopefully that then allows me to actually log in.

These checks should ideally be re-done because the assumptions made limit functionality (ie. only _ in names, only 16 levels, only 1024 categories)

Not to mention that even if it does not detect typos/errors, that does not mean that when the user tries to apply things that it will work.

For example just because there are 15 levels and 1024 compartments, that does not have to mean that the user is authorized to associate with all of them. Your test would allow it but the sss selinux child transaction might still fail because the range does not fall into the permissible range.
Comment 3 Rob Crittenden 2018-04-03 14:10:39 UTC 
I'm ok adding period to the regex.

You point out the very real deficiencies in this, all related to the disconnect between setting the rules and what may actually exist on a remote system. I don't have an answer for that.

I added the validation so the admin would have a fighting chance of at least having the syntax approaching correctness. It is the best we can do (assuming we actually enforce the syntax properly of course).
Comment 4 dac.override 2018-04-03 14:17:39 UTC 
Understood and I suppose ideally there should be a set of functions provided by libsemanage to check these things before "commiting". Maybe they are there already, I am not familiar enough with the code to determine that. However if that functionality is not there then that is unsurprising since traditionally the only programmatic way to add selinux login entries was through semanage itself.
Comment 5 dac.override 2018-04-03 14:37:11 UTC 
Regardless, a really water tight sanity check cannot be performed upfront I believe. One probably should not waste many cycles trying to do it.

What is more important though is that consumers of this information (like sss) print informative information on the remote hosts as it fails to commit a login mapping when a user tries to log into a remote system that does not allow the specified mapping for the specified user/group@host.
Comment 6 Rob Crittenden 2018-04-23 18:11:00 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7510
Comment 7 Christian Heimes 2018-04-25 06:28:05 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/9d73e4a0f169acc3db6388ae8b8e2ecb1e1c62aa
Comment 8 Christian Heimes 2018-04-25 09:01:19 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/810348f520c7fee7fa3f2a3a833d0ed066b8a7f1
Comment 9 Fedora Update System 2018-05-16 11:52:17 UTC 
freeipa-4.6.90.pre2-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-93dfeefc68
Comment 10 Fedora Update System 2018-05-16 15:13:37 UTC 
freeipa-4.6.90.pre2-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-93dfeefc68
Comment 11 Fedora Update System 2018-05-24 13:56:38 UTC 
freeipa-4.6.90.pre2-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.