Bug 987456

Summary: RHEL6 sssd upgrade restorecon workaround for /var/lib/sss/mc context
Product: Red Hat Enterprise Linux 6
Reporter: Scott Poore <spoore>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent
Priority: urgent
Version: 6.4
CC: ccoursey, dpal, ekeck, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, spoore
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.9.2-95.el6
Doc Type: Bug Fix
Doc Text: Do not document.
Story Points: ---
Last Closed: 2013-11-21 22:21:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1022708
Attachments: A specfile patch (flags: none)

Description Scott Poore 2013-07-23 12:20:51 UTC
Description of problem:

This is a request for a workaround to bug #924044.  As of RHEL6.4, rpm doesn't reload its labels db in a single transaction.  So the new context added by selinux-policy-targeted for sssd isn't used for the files in /var/lib/sss/mc when sssd (or ipa, or RHEL) is upgraded and pulls in new selinux-policy in single transaction.

We need sssd to run restorecon in %post to fix this until such time as RPM can properly handle it.

/var/lib/sss/mc/passwd has incorrect context after upgrade from rhel6.3 to 6.4.  Just to note, this is on a 6.2 to 6.3 to 6.4 upgrade tests.

[root@rhel6-1 ipa-upgrade]# ls -lZ /var/lib/sss/mc/passwd 
-rw-r--r--. root root unconfined_u:object_r:sssd_var_lib_t:s0 /var/lib/sss/mc/passwd

[root@rhel6-1 ipa-upgrade]# matchpathcon /var/lib/sss/mc/passwd
/var/lib/sss/mc/passwd  system_u:object_r:sssd_public_t:s0

Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-195.el6.noarch
selinux-policy-targeted-3.7.19-195.el6.noarch
sssd-1.9.2-82.el6.x86_64
sssd-client-1.9.2-82.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Install IPA server on RHEL6.2
2.  Upgrade to RHEL6.3
3.  Upgrade to RHEL6.4

Actual results:
wrong context and AVC denials

Expected results:
correct context should be set on upgrade

Additional info:

With this context incorrectly set, I am seeing AVC denials from sshd:

time->Wed Mar 20 23:07:51 2013

type=SYSCALL msg=audit(1363835271.676:302): arch=c000003e syscall=2 success=no exit=-13 a0=7f5ee61472a0 a1=80000 a2=0 a3=17 items=0 ppid=1033 pid=26124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1363835271.676:302): avc:  denied  { read } for  pid=26124 comm="sshd" name="passwd" dev=dm-0 ino=4746 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=file

Comment 2 Jakub Hrozek 2013-07-25 08:49:31 UTC
Created attachment 778127 [details]
A specfile patch

A candidate patch that calls restorecon as a workaround to set the right SELinux context on upgrades.

Comment 4 Jakub Hrozek 2013-08-19 07:33:23 UTC
Marian Ganisin found that on clean install the patch causes a warning. Moving back to ASSIGNED.

Comment 5 Jakub Hrozek 2013-08-19 08:58:55 UTC
Actually scratch that. We're including a separate bugzilla for the warning.

Comment 6 Jakub Hrozek 2013-10-03 17:47:03 UTC
Hi Scott,

would you mind helping Kaushik with reproducing this bugzilla or providing easier steps for automation?

Thank you!

Comment 7 Scott Poore 2013-10-03 19:20:04 UTC
Probably easier to automate testing here in IPA upgrade test.  This is basically what I've had to do to see/reproduce the issue:

On RHEL6.3 host:
- yum install sssd
- point to RHEL6.4 yum repos
- yum update sssd
- stat --format %C /var/lib/sss/mc/passwd
[EXPECT] sssd_public_t [NOT] sssd_var_lib_t

Here you have to have both selinux-policy and sssd updated from the same yum command to see the issue.

So, can we go with testing just in the IPA upgrades?
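
The script below is an added example written for this page; it is not the sssd package's code and not the specfile patch attached to this bug. It turns the manual check from the reproduction steps above (compare `stat --format %C` against what the policy expects) into a reusable check, and pairs it with the restorecon call the description asks the package to run from %post. It assumes GNU `stat` and `matchpathcon` from libselinux-utils are installed; the contexts in the comments are the ones quoted in this bug, and the default path is the one file the bug names. One detail worth noticing: the live file shows `unconfined_u` while `matchpathcon` reports `system_u`, and the verified-fixed file still reads `unconfined_u:object_r:sssd_public_t:s0`, so the comparison is done on the type field only.

```shell
#!/bin/sh
# Added example (not from the bug report or the sssd project): report files
# whose SELinux type no longer matches the loaded policy and, on request,
# relabel them with restorecon. Assumes GNU stat and matchpathcon.

# Print the type field (third colon-separated component) of a context, e.g.
# unconfined_u:object_r:sssd_var_lib_t:s0  ->  sssd_var_lib_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when two contexts carry the same type. The SELinux user (first
# field) is ignored on purpose: restorecon relabels the type but leaves the
# user alone by default, so a whole-string comparison would keep flagging
# unconfined_u:object_r:sssd_public_t:s0 against the policy's
# system_u:object_r:sssd_public_t:s0 even though the file is fixed.
types_match() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Compare the live context of each path with the policy's expected context
# and print one MISMATCH line per file whose type differs. Returns the number
# of mismatching files (0 means all labels are as policy expects; the shell
# caps the value at 255). Paths that do not exist or cannot be queried, for
# example on a host without SELinux tooling, are skipped.
check_paths() {
    bad=0
    for p in "$@"; do
        actual=$(stat --format %C "$p" 2>/dev/null) || continue
        expected=$(matchpathcon -n "$p" 2>/dev/null) || continue
        if ! types_match "$actual" "$expected"; then
            printf 'MISMATCH %s actual=%s expected=%s\n' "$p" "$actual" "$expected"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Relabel the given paths from the loaded file-context database. This is the
# same operation the bug asks the sssd package to perform from %post.
fix_paths() {
    restorecon -Rv "$@"
}

# Usage: sh check-sssd-mc.sh --check [path...]   or   --fix [path...]
# With no paths given, the file this bug is about is checked.
if [ "$#" -gt 0 ]; then
    mode=$1; shift
    [ "$#" -gt 0 ] || set -- /var/lib/sss/mc/passwd
    if ! check_paths "$@" && [ "$mode" = "--fix" ]; then
        fix_paths "$@"
    fi
fi
```

Running `sh check-sssd-mc.sh --check` after a combined sssd plus selinux-policy update reproduces the [EXPECT] line from the steps above; a non-zero exit with a MISMATCH line is the failure this bug describes, and `--fix` applies the same restorecon the workaround adds to the package.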

Comment 8 Jakub Hrozek 2013-10-04 07:13:57 UTC
Testing this issue during IPA upgrade testing sounds fine to me.

Comment 9 Scott Poore 2013-10-17 13:26:22 UTC
Verified.

Version ::
sssd.x86_64 0:1.9.2-127.el6        

Automated Test Results ::

...
Installed:
  krb5-pkinit-openssl.x86_64 0:1.10.3-10.el6_4.6                                

Dependency Installed:
  autofs.x86_64 1:5.0.5-86.el6           hesiod.x86_64 0:3.1.0-19.el6           
  libsss_autofs.x86_64 0:1.9.2-127.el6   libsss_idmap.x86_64 0:1.9.2-127.el6    
  perl-NetAddr-IP.x86_64 0:4.027-7.el6   perl-Socket6.x86_64 0:0.23-4.el6       
  pytalloc.x86_64 0:2.0.7-2.el6          samba4-libs.x86_64 0:4.0.0-58.el6.rc4  

Updated:
  bind-dyndb-ldap.x86_64 0:2.3-4.el6  ipa-admintools.x86_64 0:3.0.0-36.el6     
  ipa-client.x86_64 0:3.0.0-36.el6    ipa-python.x86_64 0:3.0.0-36.el6         
  ipa-server.x86_64 0:3.0.0-36.el6    ipa-server-selinux.x86_64 0:3.0.0-36.el6 
  sssd.x86_64 0:1.9.2-127.el6        

Dependency Updated:
  389-ds-base.x86_64 0:1.2.11.15-25.el6                                         
  389-ds-base-libs.x86_64 0:1.2.11.15-25.el6                                    
  certmonger.x86_64 0:0.61-3.el6                                                
  httpd.x86_64 0:2.2.15-29.el6_4                                                
  httpd-tools.x86_64 0:2.2.15-29.el6_4                                          
  krb5-devel.x86_64 0:1.10.3-10.el6_4.6                                         
  krb5-libs.x86_64 0:1.10.3-10.el6_4.6                                          
  krb5-server.x86_64 0:1.10.3-10.el6_4.6                                        
  krb5-workstation.x86_64 0:1.10.3-10.el6_4.6                                   
  libipa_hbac.x86_64 0:1.9.2-127.el6                                            
  libipa_hbac-python.x86_64 0:1.9.2-127.el6                                     
  libldb.x86_64 0:1.1.13-3.el6                                                  
  libtalloc.x86_64 0:2.0.7-2.el6                                                
  libtdb.x86_64 0:1.2.10-1.el6                                                  
  libtevent.x86_64 0:0.9.18-3.el6                                               
  mod_nss.x86_64 0:1.0.8-18.el6                                                 
  nspr.x86_64 0:4.10.0-1.el6                                                    
  nspr-devel.x86_64 0:4.10.0-1.el6                                              
  nss.x86_64 0:3.15.1-9.el6                                                     
  nss-devel.x86_64 0:3.15.1-9.el6                                               
  nss-softokn.x86_64 0:3.14.3-9.el6                                             
  nss-softokn-devel.x86_64 0:3.14.3-9.el6                                       
  nss-softokn-freebl.x86_64 0:3.14.3-9.el6                                      
  nss-softokn-freebl-devel.x86_64 0:3.14.3-9.el6                                
  nss-sysinit.x86_64 0:3.15.1-9.el6                                             
  nss-tools.x86_64 0:3.15.1-9.el6                                               
  nss-util.x86_64 0:3.15.1-2.el6                                                
  nss-util-devel.x86_64 0:3.15.1-2.el6                                          
  pki-ca.noarch 0:9.0.3-32.el6                                                  
  pki-common.noarch 0:9.0.3-32.el6                                              
  pki-java-tools.noarch 0:9.0.3-32.el6                                          
  pki-native-tools.x86_64 0:9.0.3-32.el6                                        
  pki-selinux.noarch 0:9.0.3-32.el6                                             
  pki-setup.noarch 0:9.0.3-32.el6                                               
  pki-silent.noarch 0:9.0.3-32.el6                                              
  pki-symkey.x86_64 0:9.0.3-32.el6                                              
  pki-util.noarch 0:9.0.3-32.el6                                                
  selinux-policy.noarch 0:3.7.19-217.el6                                        
  selinux-policy-targeted.noarch 0:3.7.19-217.el6                               
  sssd-client.x86_64 0:1.9.2-127.el6                                            

Replaced:
  krb5-pkinit-openssl.x86_64 0:1.9-33.el6                                       

Complete!
:: [   PASS   ] :: Running 'yum -y update 'ipa*' sssd' (Expected 0, got 0)
...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_upgrade_bz987456:  [BZ987456] RHEL6 sssd upgrade restorecon workaround for /var/lib/sss/mc context
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'stat --format %C /var/lib/sss/mc/passwd > /tmp/tmpout.ipa_upgrade_bz987456 2>&1' (Expected 0, got 0)
unconfined_u:object_r:sssd_public_t:s0
:: [   PASS   ] :: Running 'cat /tmp/tmpout.ipa_upgrade_bz987456' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmpout.ipa_upgrade_bz987456' should contain 'sssd_public_t' 
:: [   PASS   ] :: BZ 987456 not found

Comment 16 errata-xmlrpc 2013-11-21 22:21:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html