Bug 1679944

Summary: Unable to ssh as IPA-AD-User with SELinux user map
Product: Red Hat Enterprise Linux 8
Reporter: anuja <amore>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: Regression
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-02-22 10:45:34 UTC
Type: Bug
Bug Blocks: 1778780    

Description anuja 2019-02-22 10:13:40 UTC
Description of problem:
Not able to ssh when selinuxusermap is applied on AD-User.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-59.el8.noarch
ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64

Setup 
User is part of ad_testgrp1

Step 1:
ipa selinuxusermap-add selinuxusermap4_0 --selinuxuser=xguest_u:s0
ipa selinuxusermap-mod selinuxusermap4_0 --hbacrule=allow_all
ssh -l 'aduser' $hostname 'id -Z' Fails with returncode 254
Expected : after ssh output should contain = xguest_u:.*s0


Step 2:
ipa selinuxusermap-del selinuxusermap4_0
systemctl restart systemd-logind
ssh -l 'aduser' $hostname 'id -Z' Fails with returncode 254
Expected : after ssh output should contain 'unconfined_u:.*s0-s0:c0.c1023'
 

Additional Info : In permissive mode this works.

Comment 4 Lukas Vrabec 2019-02-22 10:45:34 UTC

*** This bug has been marked as a duplicate of bug 1679236 ***