Bug 874579

Summary: sssd caching not working as expected for selinux usermap contexts
Product: Red Hat Enterprise Linux 6
Reporter: Kaleem <ksiddiqu>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: high
Docs Contact:
Priority: medium
Version: 6.4
CC: grajaiya, jgalipea, nsoman, pbrezina, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: sssd-1.9.2-67.el6
Doc Type: Bug Fix
Doc Text:
Cause: SELinux usermap contexts were not ordered correctly if the SELinux mappings used HBAC rules to define which users the mapping applies to AND the IPA server was not reachable at the same time. Consequence: An invalid SELinux context might be assigned to a user. Fix: SELinux usermap contexts are ordered correctly even when the client cannot reach the IPA server. Result: The correct SELinux context is assigned to a user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:39:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 895654

Description Kaleem 2012-11-08 13:29:51 UTC
Description of problem:
If two users' SELinux contexts are stored in the sssd cache and the last user's context is the default SELinux context, then the default SELinux context is applied to the first user as well if the IPA server is not reachable.

Version-Release number of selected component (if applicable):

[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1) If two users' SELinux contexts are stored in the sssd cache and the last user's context is the default SELinux context, then the default SELinux context is applied to the first user as well if the IPA server is not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2 rhel64client1.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov  5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping the IPA server so that the sssd cache is used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov  5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here the SELinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023

(2) The SSSD cache works fine in the case of a single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#
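The following is an added illustration, not code from the bug report or from sssd itself. It models the ordering problem described in the Doc Text and in the reproduction steps above: a cached default (catch-all) mapping that happens to be stored after a user-specific mapping wins for every user unless specific mappings are evaluated first. It also shows the kind of offline-versus-online comparison a tester would run to catch this regression. The map records, the representation of the default mapping as a map with an empty user set, and the sample contexts are constructed for the example and are not taken from sssd's data model.

```python
import re

# Constructed sample of what a client might hold in its cache: one mapping
# that applies to user1 only, and a default mapping that applies to anyone.
# The default mapping is deliberately stored last, mirroring the report
# where user2 (who received the default context) logged in after user1.
CACHED_MAPS = [
    {"name": "staff_map", "selinux_user": "staff_u:s0-s0:c0.c1023", "users": {"user1"}},
    {"name": "default_map", "selinux_user": "unconfined_u:s0-s0:c0.c1023", "users": set()},
]

# Constructed `id -Z` results observed while the IPA server was reachable.
ONLINE_CONTEXTS = {
    "user1": "staff_u:staff_r:staff_t:s0-s0:c0.c1023",
    "user2": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
}


def applies(mapping, user):
    """A mapping with an empty user set is the default and applies to everyone."""
    return not mapping["users"] or user in mapping["users"]


def resolve_buggy(maps, user):
    """Walk the cache in stored order and let the last applicable mapping win.
    Because the default mapping applies to everyone, storing it last makes it
    override every user-specific mapping: the symptom reported above."""
    chosen = None
    for mapping in maps:
        if applies(mapping, user):
            chosen = mapping
    return chosen["selinux_user"] if chosen else None


def resolve_fixed(maps, user):
    """Evaluate user-specific mappings before the default mapping, whatever
    order they were cached in, and take the first applicable one."""
    ordered = sorted(maps, key=lambda m: 1 if not m["users"] else 0)
    for mapping in ordered:
        if applies(mapping, user):
            return mapping["selinux_user"]
    return None


def context_matches(id_z_output, expected_pattern):
    """True if an `id -Z` line matches the expected regex, the same style of
    check as 'Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected' in Beaker."""
    return re.search(expected_pattern, id_z_output.strip()) is not None


def users_with_changed_context(online, offline):
    """Users whose context while offline (served from cache) differs from the
    context they received while the server was reachable."""
    return sorted(user for user in online if online[user] != offline.get(user))


if __name__ == "__main__":
    for user in ("user1", "user2"):
        print(user, "buggy:", resolve_buggy(CACHED_MAPS, user),
              "fixed:", resolve_fixed(CACHED_MAPS, user))
    # Offline results as reported in the bug: user1 wrongly got user2's default.
    offline = {"user1": ONLINE_CONTEXTS["user2"], "user2": ONLINE_CONTEXTS["user2"]}
    print("changed offline:", users_with_changed_context(ONLINE_CONTEXTS, offline))
```

Comparing the online and offline results per user, rather than checking a single user, is what exposes this class of bug: with only user1 cached (case 2 in the report) both resolvers return the same answer.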

Comment 2 Dmitri Pal 2012-11-08 14:24:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1626

Comment 4 Kaleem 2013-01-31 11:18:16 UTC
Verified.

sssd version:
=============
[root@rhel64master ipa-services]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
[root@rhel64master ipa-services]#

Beaker log:
===========
:: [   LOG    ] :: ipa-selinuxusermapsvc-client1-010: user1 accessing ibm-hs21-12.testrelm.com from ibm-hs21-12.testrelm.com using SSHD service.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [08:39:12] ::  kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user1'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user2'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Stoping IPA service on hp-dl140g2-01.testrelm.com
:: [   PASS   ] :: Running 'chmod +x /local.sh'
Stopping pki-ca: [  OK  ]
Stopping httpd: [  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping named: .[  OK  ]
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping Kerberos 5 KDC: [  OK  ]
Shutting down dirsrv: 
    PKI-IPA...[  OK  ]
    TESTRELM-COM...[  OK  ]
Stopping CA Service
Stopping HTTP Service
Stopping MEMCACHE Service
Stopping DNS Service
Stopping KPASSWD Service
Stopping KDC Service
Stopping Directory Service
:: [   PASS   ] :: Stop IPA service on MASTER
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user1'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user2'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Starting IPA service on hp-dl140g2-01.testrelm.com
:: [   PASS   ] :: Running 'chmod +x /local.sh'
Starting dirsrv: 
    PKI-IPA...[  OK  ]
    TESTRELM-COM...[  OK  ]
Starting Kerberos 5 KDC: [  OK  ]
Starting Kerberos 5 Admin Server: [  OK  ]
Starting named: [  OK  ]
Starting ipa_memcached: [  OK  ]
Starting httpd: [  OK  ]
Starting pki-ca: [  OK  ]
Starting Directory Service
Starting KDC Service
Starting KPASSWD Service
Starting DNS Service
Starting MEMCACHE Service
Starting HTTP Service
Starting CA Service
:: [   PASS   ] :: Start IPA service on MASTER
:: [   PASS   ] :: Running 'rm -rf '
'5165b832-6474-4239-b48a-692660dafd71'
ipa-selinuxusermapsvc-client1-010 result: PASS
   metric: 0
   Log: /tmp/beakerlib-10425963/journal.txt
    Info: Searching AVC errors produced since 1359553052.57 (Wed Jan 30 08:37:32 2013)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.sYjE4V
:
   AvcLog: /mnt/testarea/tmp.sYjE4V
:: [   PASS   ] :: Running 'rhts-sync-set -s DONE_selinuxusermapsvc_client_010 -m ibm-hs21-12.rhts.eng.rdu.redhat.com'

Comment 5 errata-xmlrpc 2013-02-21 09:39:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html