Bug 887193
| Summary: | SSSD allows SELinux context for user to be set, however SELinux tools are not updated to reflect this. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Taunus <codezilla> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4 | CC: | dominick.grift, dpal, dwalsh, erinn.looneytriggs, fjayalat, jbelka, jhrozek, ksiddiqu, mgrepl, mkosek, rcritten, tcarlin |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Known Issue | |
| Doc Text: |
IdM server in Red Hat Enterprise Linux 6.3 introduced a technical preview of SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by the IdM based on custom rules. However, the default configured SELinux user (guest_u:s0) used when no custom rule matches is too constraining. An IdM user authenticating to Red Hat Enterprise Linux 6.4 can be assigned the too constraining SELinux user in which case a login through graphical session would always fail. To work around this problem, change a too constraining default SELinux user in the IdM server from guest_u:s0 to a more relaxed value unconfined_u:s0-s0:c0.c1023:
kinit admin
ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
An unconfined SELinux user will be now assigned to the IdM user by default, which will allow the user to successfully authenticate through graphical interface.
|
Story Points: | --- |
| Clone Of: | 876363 | Environment: | |
| Last Closed: | 2013-03-01 15:01:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Taunus
2012-12-14 09:51:44 UTC
Hi, the same problem seems to exist with rhel 6.3 ipa server, rhel 6.4beta sssd client and selinux. User cannot login, gdm says "unable to open session" when trying. oddjob created homedir. This is what I see in /var/log/secure: Dec 14 12:03:10 hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=username Dec 14 12:03:10 hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=username Dec 14 12:03:10 hostname pam: gdm-password: pam_selinux(gdm-password:session): Error! Unable to set username key creation context guest_u:guest_r:oddjob_mkhomedir_t:s0. sssd-1.9.2-24.el6.x86_64 (In reply to comment #2) > Hi, > > the same problem seems to exist with rhel 6.3 ipa server, rhel 6.4beta sssd > client and selinux. User cannot login, gdm says "unable to open session" > when trying. oddjob created homedir. > > This is what I see in /var/log/secure: > > Dec 14 12:03:10 hostname pam: gdm-password: pam_unix(gdm-password:auth): > authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= > user=username > Dec 14 12:03:10 hostname pam: gdm-password: pam_sss(gdm-password:auth): > authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= > user=username > Dec 14 12:03:10 hostname pam: gdm-password: > pam_selinux(gdm-password:session): Error! Unable to set username key > creation context guest_u:guest_r:oddjob_mkhomedir_t:s0. > > sssd-1.9.2-24.el6.x86_64 Well, this should be fixed in IPA to change guest_u to another SELinux user. AFAIK it has been fixed in Fedora. The IPA server should default to unconfined_u in 6.4, IIRC. Not completely sure about earlier releases. What default SELinux user does "ipa config-show" print? IPA server defaults to unconfined_u:s0-s0:c0.c1023 in RHEL 6.4, this is OK. However, it unfortunately defaults to guest_u:s0 in RHEL 6.3 which makes RHEL 6.4 clients use that value. A quickfix for this issue is to modify the config default with: ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 But we will need to fix IPA in RHEL-6.3 and change the default to "unconfined_u:s0-s0:c0.c1023", either by z-stream or at least a release note. Adding also Rob to the CC list. Of course the trick part is how to differentiate between a setup that simply had guest_u set up as our default and setup that needs guest_u as default. Although I really doubt there is such setup since the client side never worked in 6.3. (In reply to comment #6) > Of course the trick part is how to differentiate between a setup that simply > had guest_u set up as our default and setup that needs guest_u as default. > Although I really doubt there is such setup since the client side never > worked in 6.3. I just verified that client can log in via console or SSH. However, gdm login does not work and produce the described error. I will reassign to IPA, we will produce a Release Note. This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. Workaround is at https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/authentication_issues.html *** Bug 1016638 has been marked as a duplicate of this bug. *** *** Bug 1027302 has been marked as a duplicate of this bug. *** |