Bug 1665058

Summary: with-smartcard-required feature requires Smartcard authentication for more services than in RHEL7
Product: Red Hat Enterprise Linux 8
Reporter: Sumit Bose <sbose>
Component: authselect
Assignee: Pavel Březina <pbrezina>
Status: CLOSED CURRENTRELEASE
QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: aakkiang, cpelland, mkosek, rpattath, sbose, spoore, wchadwic
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: authselect-1.0-12.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-14 00:56:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1652753

Description Sumit Bose 2019-01-10 12:21:39 UTC
Description of problem:
While testing https://bugzilla.redhat.com/show_bug.cgi?id=1649277 it was found that authselect's with-smartcard-required feature forces Smartcard authentication for more services than the corresponding option of authconfig in RHEL7 (authselect replaces authconfig in RHEL8). This affects especially the su and sudo services.

Comment 3 Roshni 2019-01-14 19:19:50 UTC
Using sssd-2.0.0-36.el8 I am seeing the issue mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1649277#c13. Sumit suggested to try the following config

Add 'require_cert_auth' to the 'auth        sufficient                                   pam_sss.so allow_missing_name' line in /etc/pam.d/smartcard-auth, restart gdm and try again.

I tried but I still see the issue.

Comment 5 Pavel Březina 2019-01-23 12:25:15 UTC
I see there is a secalert in provided logs from c#14:

Jan 10 11:26:25 dhcp129-43 platform-python[6466]: SELinux is preventing /usr/libexec/sssd/p11_child from search access on the directory .config.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that p11_child should be allowed search access on the .config directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
# semodule -X 300 -i my-p11child.pp

Perhaps it would help to fix this? See the end of the message:
Do
allow this access for now by executing:
# ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
# semodule -X 300 -i my-p11child.pp

Comment 6 Sumit Bose 2019-01-23 13:05:46 UTC
(In reply to Pavel Březina from comment #5)
> I see there is a secalert in provided logs from c#14:
> 
> Jan 10 11:26:25 dhcp129-43 platform-python[6466]: SELinux is preventing
> /usr/libexec/sssd/p11_child from search access on the directory .config.
> 
> *****  Plugin catchall (100. confidence) suggests   **************************
> 
> If you believe that p11_child should be allowed search access on the .config
> directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
> # semodule -X 300 -i my-p11child.pp
> 
> Perhaps it would help to fix this? See the end of the message:
> Do
> allow this access for now by executing:
> # ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
> # semodule -X 300 -i my-p11child.pp

There is a known issue in p11-kit https://bugzilla.redhat.com/show_bug.cgi?id=1624930.

Comment 7 Pavel Březina 2019-01-23 13:23:53 UTC
Ok, so it is unrelated to the issue in gdm?

If I understand it correctly, the bug described in the first comment of this page can be fixed by changing to:
auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

Is that correct?

Is there any progress on the second issue described at https://bugzilla.redhat.com/show_bug.cgi?id=1649277#c13 ?
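
The following Python is an added example, not authselect's code and not its generated /etc/pam.d files. It simulates the Linux-PAM control-flag dispatch documented in pam.conf(5) over two constructed auth stacks: one that demands a certificate from every service, and one that carries the `pam_succeed_if.so service notin login:gdm:...` line from comment 7 in front of the requirement. Running it shows why that line restores the RHEL7 behaviour: `[success=1 default=ignore]` jumps over the next entry only for services outside the list, so su and sudo fall through to the password modules while gdm and login still hit the `require_cert_auth` check. The stack contents, the simplified module models (`pam_sss`, `pam_succeed_if`, `pam_unix`), and the helper names (`run_stack`, `password_login`, `Ctx`) are assumptions made for this illustration.

```python
"""PAM auth-stack simulator (constructed example; not Linux-PAM or authselect code)."""
from dataclasses import dataclass

PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR, PAM_PERM_DENIED = "success", "ignore", "auth_err", "perm_denied"

# Keyword controls in their bracket-form equivalents, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Ctx:
    """What the calling service and user present (assumed inputs for the simulation)."""
    service: str
    uid: int
    smartcard: bool    # a usable certificate plus PIN was presented
    password_ok: bool  # the typed password would be accepted


def pam_succeed_if(args, ctx):
    """Simplified pam_succeed_if: supports 'service in|notin a:b' and 'uid >=|< N'."""
    flags = {"quiet", "quiet_success", "quiet_fail", "use_uid", "debug", "audit"}
    toks = [a for a in args if a not in flags]
    while toks:
        field, op, value, *toks = toks
        actual = {"service": ctx.service, "uid": ctx.uid}[field]
        held = {"in": lambda: actual in value.split(":"),
                "notin": lambda: actual not in value.split(":"),
                ">=": lambda: actual >= int(value),
                "<": lambda: actual < int(value)}[op]()
        if not held:
            return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_sss(args, ctx):
    """Simplified pam_sss: require_cert_auth demands the card; otherwise card or password."""
    if "require_cert_auth" in args:
        return PAM_SUCCESS if ctx.smartcard else PAM_AUTH_ERR
    return PAM_SUCCESS if (ctx.smartcard or ctx.password_ok) else PAM_AUTH_ERR


MODULES = {
    "pam_env.so":        lambda args, ctx: PAM_IGNORE,  # contributes nothing in the auth phase
    "pam_faildelay.so":  lambda args, ctx: PAM_IGNORE,
    "pam_succeed_if.so": pam_succeed_if,
    "pam_sss.so":        pam_sss,
    "pam_unix.so":       lambda args, ctx: PAM_SUCCESS if ctx.password_ok else PAM_AUTH_ERR,
    "pam_deny.so":       lambda args, ctx: PAM_AUTH_ERR,
}


def parse_entry(line):
    """Split one 'auth <control> <module> [args]' line; control may be bracketed with spaces."""
    toks = line.split()[1:]
    if toks[0].startswith("["):
        ctl = []
        while True:
            tok = toks.pop(0)
            ctl.append(tok.strip("[]"))
            if tok.endswith("]"):
                break
        control = dict(kv.split("=", 1) for kv in ctl)
    else:
        control = KEYWORDS[toks.pop(0)]
    return control, toks[0], toks[1:]


def run_stack(stack_text, ctx):
    """Return (final result, trace) using the ok/done/bad/die/ignore/N rules of pam.conf(5)."""
    entries = [parse_entry(ln) for ln in stack_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    impression, status, skip, trace = None, PAM_PERM_DENIED, 0, []
    for control, module, args in entries:
        if skip:                       # an earlier jump said to skip this entry
            skip -= 1
            trace.append(f"{module}: skipped by jump")
            continue
        retval = MODULES[module](args, ctx)
        action = control.get(retval, control.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            if (impression is None or (impression == "+" and status == PAM_SUCCESS)) and retval != PAM_IGNORE:
                if impression is None and retval == PAM_SUCCESS:
                    impression = "+"
                status = retval
            if action == "done" and impression == "+":
                break                  # sufficient-style early success
            if action.isdigit():
                skip = int(action)     # jump over the next N entries
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", retval
            if action == "die":
                break                  # requisite-style immediate failure
        elif action == "reset":
            impression, status = None, PAM_PERM_DENIED
    return status, trace


# Constructed stacks for illustration only; neither is authselect's generated file.
REQUIRE_LINE = "auth  requisite                   pam_sss.so require_cert_auth"
EXEMPT_LINE = ("auth  [success=1 default=ignore]  pam_succeed_if.so service notin "
               "login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid")
COMMON_TAIL = """
auth  sufficient                  pam_unix.so try_first_pass
auth  sufficient                  pam_sss.so forward_pass
auth  required                    pam_deny.so
"""
STACK_BEFORE = "auth  required                    pam_env.so\n" + REQUIRE_LINE + COMMON_TAIL
STACK_AFTER = ("auth  required                    pam_env.so\n" + EXEMPT_LINE + "\n"
               + REQUIRE_LINE + COMMON_TAIL)


def password_login(stack, service):
    """Result of a password-only authentication attempt from the given service."""
    return run_stack(stack, Ctx(service, 1000, smartcard=False, password_ok=True))[0]


if __name__ == "__main__":
    for name, stack in (("before", STACK_BEFORE), ("after", STACK_AFTER)):
        for svc in ("gdm", "login", "su", "sudo"):
            print(f"{name:6} {svc:5} password-only -> {password_login(stack, svc)}")
```

The jump count in `success=N` is a count of stack entries, not modules that actually ran, so anything inserted between the `pam_succeed_if` line and the requirement it is meant to skip changes what gets exempted; that is the check to make when editing a generated stack by hand.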

Comment 8 Pavel Březina 2019-02-04 13:36:41 UTC
Upstream PR:
https://github.com/pbrezina/authselect/pull/135

Comment 13 Roshni 2019-02-21 21:18:08 UTC
Using authselect-1.0-12.el8.x86_64 I am able to su to root after smartcard login when authconfig --enablesssd --enablesssdauth --enablesmartcard --enablerequiresmartcard --updateall but I still see https://bugzilla.redhat.com/show_bug.cgi?id=1649277#c13

Comment 14 Sumit Bose 2019-02-22 06:08:47 UTC
(In reply to Roshni from comment #13)
> Using authselect-1.0-12.el8.x86_64 I am able to su to root after smartcard
> login when authconfig --enablesssd --enablesssdauth --enablesmartcard
> --enablerequiresmartcard --updateall but I still see
> https://bugzilla.redhat.com/show_bug.cgi?id=1649277#c13

Yes, that's expected since authselect-1.0-12.el8.x86_64 does not include a fix for this. This issue is tracked separately in https://bugzilla.redhat.com/show_bug.cgi?id=1674397.

Comment 15 Roshni 2019-02-22 14:24:35 UTC
Thank you Sumit. Based on comment 13 marking this bug verified.