Bug 1619706
| Summary: | sssd only sets the SELinux login context if it differs from the default | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | German Parente <gparente> | ||||
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> | ||||
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.5 | CC: | gparente, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, plautrba, rblakley, rmetrich, sgoveas, ssidhaye, tmihinto, toneata, tscherf, zpytela | ||||
| Target Milestone: | rc | Keywords: | Regression, ZStream | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | sssd-1.16.2-14.el7 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1628503 1645044 1645047 (view as bug list) | Environment: | |||||
| Last Closed: | 2019-08-06 13:02:02 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1628503, 1645044, 1645047 | ||||||
| Attachments: |
|
||||||
Is this connected to the case we discussed yesterday with the homedir permissions? Because from the description only, I don't see why this is an issue, it's an optimization. As you can see, __default__ is unconfined_u and if the 7.5 version doesn't set unconfined_u explicitly, the default will apply. btw does this issue happen also if you set the SELinux mapping to something else than unconfined? In other words, is this an issue with setting the context or just not setting the default context. Yes it is connected. The issue with this "optimization" is that users which are mapped to default "unconfined_u" are not mapped anymore. This breaks if homedir for user is *not* the standard one, i.e.: - /home/<user> or - /home/<domain>/<user> and no equivalency context has been put in place for /home/<domain> or - some other dir e.g. /opt/home/<user> which is defined in backend's user entry and no equivalency context has been put in place manually Yes, I just confirmed that with Petr Lautrbach. We need to fix this in SSSD, I guess. Removing the optimization would be easy, but then every login would incur a substantial IO hit, because setting the context is quite costly. We've already had users disabling the selinux provider just to get better performance, even with this optimization. I guess the mapping needs to be done only if user's home dir will not have appropriate context. This check needs probably to be done through some new libsemanage API ... I think I have a local patch that fixes the issue. Is it possible if either of you test a package I provide? Created attachment 1480598 [details]
test_selinux
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3819 Builds used for verification:
[root@kvm-01-guest03 ~]# rpm -qa sssd ipa-server
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-13.el7.x86_64
Steps:
1. ipa user-add testuser2 --first test2 --last user --password
2. ssh testuser2.test
3. semanage login -l
Actual Results:
[root@kvm-01-guest03 ~]# ipa user-add testuser2 --first test2 --last user --password
Password:
Enter Password again to verify:
----------------------
Added user "testuser2"
----------------------
User login: testuser2
First name: test2
Last name: user
Full name: test2 user
Display name: test2 user
Initials: tu
Home directory: /home/testuser2
GECOS: test2 user
Login shell: /bin/sh
Principal name: testuser2
Principal alias: testuser2
User password expiration: 20190516064618Z
Email address: testuser2
UID: 628800004
GID: 628800004
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@kvm-01-guest03 ~]# hostname
kvm-01-guest03.testrelm.test
[root@kvm-01-guest03 ~]# ssh testuser2.test
Password:
Password expired. Change your password now.
Current Password:
Password change failed. Server message: Old password not accepted.
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Last failed login: Thu May 16 09:47:10 IDT 2019 from kvm-01-guest03.testrelm.test on ssh:notty
There was 1 failed login attempt since the last successful login.
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by ssidhaye.
To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker
To extend your reservation time. You can run the command:
extendtesttime.sh
This is an interactive script. You will be prompted for how many
hours you would like to extend the reservation.
You should verify the watchdog was updated succesfully after
you extend your reservation.
https://beaker.engineering.redhat.com/recipes/6867964
For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/kvm-01-guest03.testrelm.test
For the default root password, see:
https://beaker.engineering.redhat.com/prefs/
Beaker Test information:
HOSTNAME=kvm-01-guest03.testrelm.test
JOBID=3538096
RECIPEID=6867964
RESULT_SERVER=[::1]:7095
DISTRO=RHEL-7.7-20190514.n.0
ARCHITECTURE=x86_64
Job Whiteboard: 7.7-candidate ssidhaye BZ verification
Recipe Whiteboard: M
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Could not chdir to home directory /home/testuser2: No such file or directory
-sh-4.2$ logout
Connection to kvm-01-guest03.testrelm.test closed.
[root@kvm-01-guest03 ~]# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
test201 unconfined_u s0-s0:c0.c1023 *
testuser unconfined_u s0-s0:c0.c1023 *
testuser2 unconfined_u s0-s0:c0.c1023 *
Based on above observations marking the bugzilla verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2177 |
Description of problem: We have a difference between sssd 7.4 and sssd 7.5 In 7.4 semanage is called and the selinux mapping is set. In 7.5 it's not called. We can see this here: ret = sss_get_seuser(username, &db_seuser, &db_mls_range); DEBUG(SSSDBG_TRACE_INTERNAL, "getseuserbyname: ret: %d seuser: %s mls: %s\n", ret, db_seuser ? db_seuser : "unknown", db_mls_range ? db_mls_range : "unknown"); if (ret == EOK && db_seuser && db_mls_range && strcmp(db_seuser, seuser) == 0 && strcmp(db_mls_range, mls_range) == 0) { needs_update = false; } The function seuser_needs_update is returning FALSE. After adding some DEBUG to RHEL7.5 code: (Tue Aug 21 09:54:21 2018) [[sssd[selinux_child[4368]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023 (Tue Aug 21 09:54:21 2018) [[sssd[selinux_child[4368]]]] [seuser_needs_update] (0x2000): needs_update is false So, this is not called: if (needs_update == true) { ret = sc_set_seuser(username, ibuf->seuser, ibuf->mls_range); IN RHEL7.5: logging with user gparente that has: Home directory: /foo/gparente semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * in RHEL7.4 after logging with same user: semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * admin unconfined_u s0-s0:c0.c1023 * ... gparente unconfined_u s0-s0:c0.c1023 * ... root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * Version-Release number of selected component (if applicable): sssd-1.16.0-19.el7_5.5.x86_64 How reproducible: always.