Bug 2320133

Summary: When installing sssd-ipa package in rpm-ostree image, selinux_child loses capabilities defined in the RPM package
Product: [Fedora] Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: bootc
Assignee: Colin Walters <walters>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: unspecified
Version: 41
CC: abokovoy, amurdaca, atikhono, coreos-sig, dustymabe, jmarrero, jonathan, lslebodn, miabbott, mzidek, pbrezina, philip.wyett, sbose, ssorce, sssd-maintainers, travier, walters
Target Milestone: ---
Flags: fedora-admin-xmlrpc: mirror+
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: bootc-1.1.2-2.fc41
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-11-16 02:13:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alexander Bokovoy 2024-10-21 07:51:24 UTC
If an rpm-ostree-based image includes sssd-ipa, the resulting /usr/libexec/sssd/selinux_child does not have the expected file capabilities present:

# getcap -v /usr/libexec/sssd/*child
/usr/libexec/sssd/gpo_child
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/oidc_child
/usr/libexec/sssd/p11_child
/usr/libexec/sssd/passkey_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child

The capabilities are present in the RPM database:
$ rpm -q --filecaps sssd-ipa | grep selinux_child
/usr/libexec/sssd/selinux_child	cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep

Lack of capabilities on the selinux_child causes the PAM account phase to fail:

(2024-10-21 10:11:05): [be[example.test]] [selinux_child_done] (0x0020): [RID#5] selinux_child_parse_response failed: [22][Invalid argument]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-10-21 10:11:05): [be[example.test]] [sdap_handle_release] (0x2000): Trace: sh[0x56040e7054d0], connected[1], ops[(nil)], ldap[0x56040e74efb0], destructor_lock[0], release_memory[0]
   *  (2024-10-21 10:11:05): [be[example.test]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
   *  (2024-10-21 10:11:05): [be[example.test]] [_read_pipe_handler] (0x0400): [RID#5] EOF received, client finished
   *  (2024-10-21 10:11:05): [be[example.test]] [selinux_child_done] (0x0020): [RID#5] selinux_child_parse_response failed: [22][Invalid argument]
********************** BACKTRACE DUMP ENDS HERE *********************************


Reproducible: Always

Steps to Reproduce:
1. Build an image with sssd-ipa package installed
2. Rebase to this image with rpm-ostree rebase REFSPEC
3. Enroll the system to IPA domain
4. Attempt to login as IPA user

Actual Results:
Failure to log in, with the result 'System error' in the logs

Expected Results:
Login to the system as an IPA user is successful
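A check for the mismatch shown above, as an added example that is not part of this bug report or of the bootc/rpm-ostree projects: it compares the file capabilities recorded in the RPM database with what `getcap` finds on the built image. It assumes the text forms of `rpm -q --filecaps` and of a libcap 2.x `getcap -v` that are quoted in the report; the sample inputs are constructed from those listings.

```shell
#!/bin/sh
# Added check, not part of the bug report or of bootc/rpm-ostree: confirm that
# the file capabilities recorded in the RPM database survived the image build.
# Assumed input forms (as quoted in the report): `rpm -q --filecaps` prints
# path<TAB>caps; libcap 2.x `getcap -v` prints "path caps", or the bare path
# for a file that carries none. On a deployed image, for example:
#   rpm -q --filecaps sssd-ipa > expected.txt
#   awk -F'\t' '$2 != "" {print $1}' expected.txt | xargs getcap -v > actual.txt
#   compare_filecaps expected.txt actual.txt

# Print one MISSING line per file whose on-disk capabilities differ from the
# RPM record (NOT CHECKED if getcap was not run on it); exit 1 in either case.
compare_filecaps() {
    # $1: output of `rpm -q --filecaps`, $2: output of `getcap -v`
    awk -F'\t' '
        NR == FNR { if ($2 != "") want[$1] = $2; next }          # RPM record
        { n = split($0, f, " "); have[f[1]] = (n > 1 ? f[2] : "") } # on-disk state
        END {
            bad = 0
            for (p in want) {
                if (!(p in have)) { printf "NOT CHECKED %s\n", p; bad = 1; continue }
                if (have[p] != want[p]) {
                    printf "MISSING %s: expected %s, found %s\n", p, want[p],
                           (have[p] == "" ? "none" : have[p])
                    bad = 1
                }
            }
            exit bad
        }' "$1" "$2"
}

# Constructed sample inputs mirroring the listings in the report: the RPM
# database records the same caps on selinux_child as on krb5_child and
# ldap_child, but getcap on the built image shows none on selinux_child.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_EXPECTED="$SAMPLE_DIR/expected.txt"
SAMPLE_ACTUAL="$SAMPLE_DIR/actual.txt"
CAPS='cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep'
printf '%s\t%s\n' \
    /usr/libexec/sssd/krb5_child "$CAPS" /usr/libexec/sssd/ldap_child "$CAPS" \
    /usr/libexec/sssd/selinux_child "$CAPS" /usr/libexec/sssd/proxy_child "" \
    > "$SAMPLE_EXPECTED"
printf '%s\n' "/usr/libexec/sssd/krb5_child $CAPS" "/usr/libexec/sssd/ldap_child $CAPS" \
    /usr/libexec/sssd/proxy_child /usr/libexec/sssd/selinux_child > "$SAMPLE_ACTUAL"

compare_filecaps "$SAMPLE_EXPECTED" "$SAMPLE_ACTUAL" || echo "check failed: capabilities lost"
```

Run on a real system, the last line reports every binary whose packaged capabilities were stripped, which is the state the PAM account failure above depends on.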

Comment 1 Alexander Bokovoy 2024-10-21 07:54:08 UTC
A workaround at this point is to switch off selinux_provider in the IPA domain definition in the sssd configuration:

[domain/example.test]
...
selinux_provider = none


This workaround requires being able to login as root.

Since the whole system image is immutable, an alternative could be to make it mutable and set the required capabilities manually. The latter will then be lost on the next automated image rebase, sadly.

Comment 2 Alexander Bokovoy 2024-10-21 07:57:43 UTC
The loss of file capabilities for images built on top of the base Fedora rpm-ostree image is documented in https://github.com/hhd-dev/rechunk/issues/2, which is a collection of various issues with the rpm-ostree/bootc build process.

This bug should be considered a blocker for supporting properly working SSSD and FreeIPA under rpm-ostree and bootc environments. As the default Fedora bootc image would not have FreeIPA packages installed, users always need to build a new image and thus will be affected by these issues.

Comment 3 Alexey Tikhonov 2024-10-21 08:18:37 UTC
This - losing file capabilities defined in the spec file - doesn't look like an SSSD bug, rather a general issue of rpm-ostree.
Please change the component back if there is a known pattern a package should follow to solve this.

Comment 4 Fedora Update System 2024-11-07 00:52:32 UTC
FEDORA-2024-88b4110a60 (bootc-1.1.2-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-88b4110a60

Comment 5 Colin Walters 2024-11-07 00:58:10 UTC
bootc is the focus for containerized deployments.
https://github.com/coreos/rpm-ostree/pull/5145 includes the fix for rpm-ostree, but we haven't yet done a release.

Comment 6 Fedora Update System 2024-11-08 02:11:31 UTC
FEDORA-2024-88b4110a60 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-88b4110a60`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-88b4110a60

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2024-11-16 02:13:59 UTC
FEDORA-2024-88b4110a60 (bootc-1.1.2-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.