Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1073635

Summary: IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nsoman, pbrezina, preichl, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.11.2-58.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:58:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1073810    

Description Jakub Hrozek 2014-03-06 20:34:15 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2270

When a trusted user logs in, the IPA sysdb code looks for the host object in the trusted sysdb subdir. Hosts are always stored in the IPA sysdb subdir. This may cause rules that reference the host itself to not match for a trusted user.
Comment 1 Jakub Hrozek 2014-03-11 18:44:42 UTC 
Fixed upstream:
    master: 36f606d6743e77721bedeed0907f1be7a19fa4f4
    sssd-1-11: 809e53108089bf892cd3c8da2ff4e475f2fd6b54
Comment 3 Scott Poore 2014-03-14 21:48:56 UTC 
Jakub,

How can I verify this bug?  

Is there a way to exercise a lookup where the rule referencing the host would fail before the fix is applied?

Or a way to see in the log the lookup go to trust instead of IPA location for the host?


Would I see something like:

IPA sysdb subdir: cn=accounts,dc=ipa1,dc=example,dc=test

Trust sysdb subdir:  cn=trusts,dc=ipa1,dc=example,dc=test

So, to see the problem, we'd see lookups to cn=trusts on login instead of cn=accounts?

Thanks,
Scott
Comment 4 Jakub Hrozek 2014-03-16 20:54:01 UTC 
(In reply to Scott Poore from comment #3)
> Jakub,
> 
> How can I verify this bug?  
> 
> Is there a way to exercise a lookup where the rule referencing the host
> would fail before the fix is applied?
> 
> Or a way to see in the log the lookup go to trust instead of IPA location
> for the host?
> 
> 
> Would I see something like:
> 
> IPA sysdb subdir: cn=accounts,dc=ipa1,dc=example,dc=test
> 
> Trust sysdb subdir:  cn=trusts,dc=ipa1,dc=example,dc=test
> 
> So, to see the problem, we'd see lookups to cn=trusts on login instead of
> cn=accounts?
> 
> Thanks,
> Scott

Honestly I was mostly using the ldbsearch tool to verify the fix, because depending on the order of preceding operations, the cache might already contain the right data.

I would recommend a test that uses a SELinux mapping rule on a server side that links to an IPA host and an AD user (with an external group). The cache should be removed completely before the test.

Without the fix, the rule wouldn't apply because the host would never match the search as the search would be based in IPA's subdirectory of the cache. With the patched packages, the SSSD should be able to evaluate the rules just fine.

Please let me know if the above doesn't work.
Comment 5 Scott Poore 2014-03-17 14:19:19 UTC 
Verified.

Version ::

sssd-1.11.2-60.el7.x86_64

Results ::


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_1073635: IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 09:18:30 ] ::  First make sure selinuxusermap is to unconfined...
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for aduser1.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit aduser1.TEST' (Expected 0, got 0)
:: [   PASS   ] :: Running 'ssh -K -l aduser1.test master.ipa1.example.test 'id -Z' > ipa_trust_func_bug_1073635.cA8am3 2>&1' (Expected 0, got 0)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat ipa_trust_func_bug_1073635.cA8am3' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1073635.cA8am3' should contain 'unconfined_u.*:s0-s0:c0.c1023' 
:: [ 09:18:32 ] ::  Now Setup groups and selinuxusermap rule
:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for admin.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit admin' (Expected 0, got 0)
-----------------------
Added group "gr1073635"
-----------------------
  Group name: gr1073635
  Description: 0
  GID: 1961400011
:: [   PASS   ] :: Running 'ipa group-add --desc=0 gr1073635' (Expected 0, got 0)
---------------------------
Added group "gr1073635_ext"
---------------------------
  Group name: gr1073635_ext
  Description: 0
:: [   PASS   ] :: Running 'ipa group-add --desc=0 gr1073635_ext --external' (Expected 0, got 0)
  Group name: gr1073635
  Description: 0
  GID: 1961400011
  Member groups: gr1073635_ext
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa group-add-member gr1073635 --groups=gr1073635_ext' (Expected 0, got 0)
  Group name: gr1073635_ext
  Description: 0
  External member: S-1-5-21-1515602834-2930230041-3336973146-1125
  Member of groups: gr1073635
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa group-add-member gr1073635_ext --users='' --groups=''             --external='aduser1.test'' (Expected 0, got 0)
----------------------------------------
Added SELinux User Map "selinux_1073635"
----------------------------------------
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
:: [   PASS   ] :: Running 'ipa selinuxusermap-add --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1073635' (Expected 0, got 0)
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa selinuxusermap-add-user selinux_1073635 --groups=gr1073635' (Expected 0, got 0)
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
  Hosts: master.ipa1.example.test
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa selinuxusermap-add-host selinux_1073635 --hosts=master.ipa1.example.test' (Expected 0, got 0)
:: [ 09:18:38 ] ::  Now test selinuxusermap rule
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for aduser1.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit aduser1.TEST' (Expected 0, got 0)
:: [   PASS   ] :: Running 'ssh -K -l aduser1.test master.ipa1.example.test 'id -Z' > ipa_trust_func_bug_1073635.cA8am3 2>&1' (Expected 0, got 0)
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat ipa_trust_func_bug_1073635.cA8am3' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1073635.cA8am3' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [ 09:18:40 ] ::  Now cleanup groups and rules
:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for admin.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit admin' (Expected 0, got 0)
-------------------------
Deleted group "gr1073635"
-------------------------
:: [   PASS   ] :: Running 'ipa group-del gr1073635' (Expected 0, got 0)
-----------------------------
Deleted group "gr1073635_ext"
-----------------------------
:: [   PASS   ] :: Running 'ipa group-del gr1073635_ext' (Expected 0, got 0)
------------------------------------------
Deleted SELinux User Map "selinux_1073635"
------------------------------------------
:: [   PASS   ] :: Running 'ipa selinuxusermap-del selinux_1073635' (Expected 0, got 0)
Comment 6 Ludek Smid 2014-06-13 11:58:30 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.