Bug 1993081

Summary: Regression: /CoreOS/shadow-utils/Regression/bz955769-useradd-not-assigning-correct-SELinux-user-to
Product: Red Hat Enterprise Linux 9
Reporter: Iker Pedrosa <ipedrosa>
Component: shadow-utils
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED ERRATA
QA Contact: Anuj Borah <aborah>
Severity: unspecified
Docs Contact:
Priority: high
Version: 9.0
CC: aborah, atikhono, cbuissar, pbrezina, plautrba
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira review
Fixed In Version: shadow-utils-4.9-3.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-17 15:59:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Iker Pedrosa 2021-08-12 10:43:47 UTC
Description of problem:
Regression of "/CoreOS/shadow-utils/Regression/bz955769-useradd-not-assigning-correct-SELinux-user-to" when upstream release 4.9 was ported.

Version-Release number of selected component (if applicable):
shadow-utils-4.9-1.el9

How reproducible:
Execute the test

Additional information:
http://artifacts.osci.redhat.com/baseos-ci/brew-build/38/91/47/38914777/https___baseos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com-ci-artemis/14789/tmpofdDAW.01/recipes/1/tasks/16/results/1628756315/logs/resultoutputfile.log

Comment 7 Petr Lautrbach 2021-10-07 12:38:14 UTC
set_selinux_file_context() doesn't close selabel_hnd [1]. It means that
old file_contexts.* files are still mapped and used for selabel_lookup
even though there are new versions on the filesystem.

Simply adding selabel_close() to the end of set_selinux_file_context()
would probably have some performance impact so I'd add a new
function to selinux.c which would expose static void cleanup(void) to
other modules and call this function after a new selinux user mapping is added.

[1] https://github.com/shadow-maint/shadow/blob/master/lib/selinux.c#L76

e.g.


diff --git a/lib/prototypes.h b/lib/prototypes.h
index 688ad012ad00..d2b928f986bd 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -401,6 +401,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 /* selinux.c */
 #ifdef WITH_SELINUX
 extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle ();
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif
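Review bot: the new declaration extern void reset_selinux_handle (); has an empty parameter list, which in C declares a function with unspecified arguments rather than a prototype, so a call passing stray arguments would not be diagnosed. The neighbouring reset_selinux_file_context (void) shows the convention in this header; declare it as extern void reset_selinux_handle (void);.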
diff --git a/lib/selinux.c b/lib/selinux.c
index c83545f99a4d..d78942dc2472 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -50,6 +50,10 @@ static void cleanup(void)
        }
 }
 
+void reset_selinux_handle () {
+       cleanup();
+}
+
 /*
  * set_selinux_file_context - Set the security context before any file or
  *                            directory creation.
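Review bot: reset_selinux_handle() is added without any comment, while set_selinux_file_context() directly below it carries a block comment; a short comment saying when a caller is expected to reset the handle would document the new entry point. The definition should also take (void) instead of an empty parameter list, and since only the closing braces of cleanup() are visible in this hunk, it is worth confirming that cleanup() leaves the handle in a state that set_selinux_file_context() will reopen on its next call.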
diff --git a/src/useradd.c b/src/useradd.c
index 21da51b576f9..a4bf337cc42c 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2587,6 +2587,7 @@ int main (int argc, char **argv)
 #endif                         /* WITH_AUDIT */
                        fail_exit (E_SE_UPDATE);
                }
+               reset_selinux_handle();
        }
 #endif                         /* WITH_SELINUX */
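Review bot: the added reset_selinux_handle(); in main() has no comment explaining why the handle is reset at this point, after the E_SE_UPDATE failure path; a one-line comment would keep a later cleanup from removing the call as redundant. It is also written without the space before the parenthesis that the neighbouring fail_exit (E_SE_UPDATE); uses.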

Comment 8 Iker Pedrosa 2021-11-12 15:50:11 UTC
@aborah can you provide qa_ack? In order to verify this bugzilla you only need to execute the automated test already present in Regression/bz955769-useradd-not-assigning-correct-SELinux-user-to

Comment 13 errata-xmlrpc 2022-05-17 15:59:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: shadow-utils), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3997
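
The stale-handle behaviour described in comment 7, as an added example that is not part of the bug report or of shadow-utils: a self-contained C model in which a lazily opened, cached lookup handle keeps answering from the old spec until it is reset. The functions lookup_label, reset_handle and sees_update, the file name spec.tmp and the labels are constructed for illustration; the model does not call libselinux.

```c
/* Model of the caching pattern from comment 7 (added example, not shadow-utils code).
 * The spec file stands in for file_contexts; names and labels are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char cached[128];   /* spec contents captured when the handle is opened */
static int handle_open;    /* non-zero once the spec has been loaded */

static void write_spec(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) { perror(path); exit(1); }
    fputs(text, f);
    fclose(f);
}

/* Load the spec on first use only; later calls answer from the cached copy. */
static const char *lookup_label(const char *path)
{
    if (!handle_open) {
        FILE *f = fopen(path, "r");
        if (f == NULL) return NULL;
        if (fgets(cached, sizeof cached, f) == NULL) cached[0] = '\0';
        fclose(f);
        handle_open = 1;
    }
    return cached;
}

/* Counterpart of the proposed reset: the next lookup reloads from disk. */
static void reset_handle(void) { handle_open = 0; }

/* Returns 1 if a lookup made after the spec changed sees the new label. */
static int sees_update(const char *path, int reset_after_update)
{
    reset_handle();
    write_spec(path, "user_u:object_r:user_home_dir_t\n");
    lookup_label(path);                      /* first lookup opens the handle */
    write_spec(path, "staff_u:object_r:user_home_dir_t\n");
    if (reset_after_update) reset_handle();
    const char *label = lookup_label(path);
    remove(path);
    return label != NULL && strncmp(label, "staff_u:", 8) == 0;
}

int main(void)
{
    int stale = sees_update("spec.tmp", 0), fresh = sees_update("spec.tmp", 1);
    printf("update seen without reset: %d, with reset: %d\n", stale, fresh);
    return 0;
}
```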