
Bug 1075663

Summary: SSSD should create the SELinux mapping file with format expected by pam_selinux
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent
Priority: urgent
Version: 7.0
CC: dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nsoman, pbrezina, preichl, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.2-60.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:01:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jakub Hrozek 2014-03-12 14:33:37 UTC
Description of problem:
pam_selinux expects the format to be the same as getpwnam output. SSSD should honor that, currently sssd uses the original name format.

Comment 1 Jakub Hrozek 2014-03-12 14:37:29 UTC
The PAM bug that changed the pam_selinux behaviour is #1071010

Comment 2 Namita Soman 2014-03-12 16:38:52 UTC
Please add steps to verify this

Comment 3 Jakub Hrozek 2014-03-12 17:03:31 UTC
You need to set up SELinux mapping rules that apply when a trusted user logs in. Here is my test setup:

[root@master ~]# ipa selinuxusermap-find
--------------------------
1 SELinux User Map matched
--------------------------
  Rule name: test_user1_specific_host
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: adusers
  Hosts: client.example.com
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# ipa group-show adusers
  Group name: adusers
  Description: ad users
  GID: 69800004
  Member groups: adextgroup
[root@master ~]# ipa group-show adextgroup
  Group name: adextgroup
  Description: ad external group
  Member of groups: adusers
  External member: psuser.com

Then, on the client, log in using different login formats and cases. Make sure to have the latest pam package installed.

With the unpatched packages, only the format SSSD uses (lowercased_username) would set the correct SELinux context. With the patched packages, all formats should yield the correct context. Using the example user above, I've tested:

psuser.com
PSUSER.COM
WIN\\psuser
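
A check a client administrator can run alongside the login tests in this comment (and the verification run in comment 12 below). This is an added example, not code from SSSD or from the bug report. It assumes the per-user mapping SSSD writes lives at /etc/selinux/<policy>/logins/<name> and holds "seuser=" and "level=" lines (the layout libselinux's getseuser() reads; confirm the exact format against your libselinux version), and that pam_selinux queries it by the pw_name that getpwnam() returns, which is the point of this bug. The passwd line and mapping-file contents in the comments are constructed.

```shell
#!/bin/sh
# Added example (not SSSD code): confirm that the per-user SELinux login
# mapping is keyed by the canonical name getpwnam() returns, which is the
# name pam_selinux uses for the lookup. Assumptions: mapping file path
# <policydir>/logins/<name>, "seuser=" and "level=" lines inside it.

# pw_name PASSWD_LINE: first field of a passwd(5) entry, i.e. the name
# getpwnam()/getent return no matter how the login was typed
# (psuser.com, PSUSER.COM, WIN\psuser all resolve to the same pw_name).
pw_name() {
    printf '%s\n' "$1" | cut -d: -f1
}

# mapping_value FILE KEY: value of the first "KEY=value" line in FILE.
mapping_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# verify_mapping_file POLICYDIR NAME SEUSER LEVEL
#   0: logins/NAME exists and carries the expected seuser and level
#   1: logins/NAME exists but its content differs
#   3: no logins/NAME, but a file exists under another spelling (case) of
#      the same name: the symptom of this bug, the file was written under
#      a name format that differs from the one pam_selinux looks up
#   4: no mapping file for NAME at all
verify_mapping_file() {
    policydir=$1; name=$2; want_seuser=$3; want_level=$4
    f="$policydir/logins/$name"
    if [ ! -f "$f" ]; then
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        for g in "$policydir"/logins/*; do
            [ -f "$g" ] || continue
            b=$(basename "$g")
            if [ "$(printf '%s' "$b" | tr 'A-Z' 'a-z')" = "$lname" ]; then
                printf "mapping for '%s' exists only as '%s': pam_selinux will not find it\n" "$name" "$b" >&2
                return 3
            fi
        done
        printf 'no mapping file %s\n' "$f" >&2
        return 4
    fi
    have_seuser=$(mapping_value "$f" seuser)
    have_level=$(mapping_value "$f" level)
    if [ "$have_seuser" != "$want_seuser" ] || [ "$have_level" != "$want_level" ]; then
        printf '%s: seuser=%s level=%s, expected seuser=%s level=%s\n' \
            "$f" "$have_seuser" "$have_level" "$want_seuser" "$want_level" >&2
        return 1
    fi
    return 0
}

# check_login LOGIN SEUSER LEVEL [POLICYDIR]: resolve LOGIN through NSS the
# way PAM does, then verify the mapping file for the canonical name.
check_login() {
    login=$1; policydir=${4:-/etc/selinux/targeted}
    entry=$(getent passwd "$login") || { printf 'NSS lookup failed for %s\n' "$login" >&2; return 2; }
    verify_mapping_file "$policydir" "$(pw_name "$entry")" "$2" "$3"
}

# Usage on the client, after the user has logged in once:
#   sh check_selinux_login.sh aduser1.test staff_u s0-s0:c0.c1023
#   sh check_selinux_login.sh 'AD2\aduser1' staff_u s0-s0:c0.c1023
if [ $# -ge 3 ]; then
    check_login "$@"
fi
```

Run it once per login spelling you intend to test; every spelling should resolve to the same pw_name and hence to the same mapping file, so a return code of 3 for any of them points at a name-format mismatch of the kind this bug describes rather than at a missing selinuxusermap rule (which shows up as 4).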

Comment 4 Scott Poore 2014-03-12 21:52:52 UTC
Jakub,

How did you log in and how did you test?

I don't think I'm seeing the expected context:

[root@rhel7-1 ipa-trust-functional]# ssh -K -l aduser1@${AD_top_domain} $(hostname) id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@rhel7-1 ipa-trust-functional]# kinit admin
Password for admin.TEST: 

[root@rhel7-1 ipa-trust-functional]# ipa selinuxusermap-show selinux_1075663 
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663

[root@rhel7-1 ipa-trust-functional]# id aduser1@${AD_top_domain}
uid=551801125(aduser1.test) gid=551801125(aduser1.test) groups=551801125(aduser1.test),551800513(domain users.test),551802226(adunigroup1.test),551801131(adgroup1.test),551801746(adgroup2.test),995600010(ad_group),995600031(hbacgroup12),995600050(gr1075663),995600034(hbacgroup3)

Comment 5 Jakub Hrozek 2014-03-12 22:11:48 UTC
(In reply to Scott Poore from comment #4)
> Jakub,
> 
> How did you log in and how did you test?
> 
> I don't think I'm seeing the expected context:
> 

Scott, this is something Alexander was also complaining about. I can't say yet whether this issue would go away with the proposed patch because I've never been able to reproduce the problem.

Would you mind e-mailing me (or just adding a private comment) the login details to your system? I think it would be best if I could poke around.

Thanks for raising the issue!

Comment 6 Jakub Hrozek 2014-03-13 11:05:10 UTC
After some debugging on Scott's system I think he's hitting this bug, so we've got it reproduced :-) I've prepared a scratch package with the patch that is on review, can you try it out?
https://brewweb.devel.redhat.com/taskinfo?taskID=7197508

Comment 7 Dmitri Pal 2014-03-13 12:58:31 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2282

Comment 8 Scott Poore 2014-03-13 13:20:44 UTC
tested the scratch build and it fixed my problem:

[root@rhel7-1 yum.local.d]# kinit aduser1.TEST
Password for aduser1.TEST: 

[root@rhel7-1 yum.local.d]# ssh -K -l aduser1.test $(hostname) 'id -Z'
staff_u:staff_r:staff_t:s0-s0:c0.c1023

[root@rhel7-1 yum.local.d]# ssh -K -l aduser1.TEST $(hostname) 'id -Z'
staff_u:staff_r:staff_t:s0-s0:c0.c1023

[root@rhel7-1 yum.local.d]# ssh -K -l 'AD2\aduser1' $(hostname) 'id -Z'
staff_u:staff_r:staff_t:s0-s0:c0.c1023

[root@rhel7-1 yum.local.d]# ssh -K -l 'ad2\aduser1' $(hostname) 'id -Z'
staff_u:staff_r:staff_t:s0-s0:c0.c1023

Comment 9 Jakub Hrozek 2014-03-13 17:40:20 UTC
Fixed upstream:
    master: a059f853074260f4b6a6ead1dca9f18280cb9cdb
    sssd-1-11: 0a7b7059d7e6dc6566a3aa2201960b61afdf2758

Comment 10 Jakub Hrozek 2014-03-13 17:40:46 UTC
(In reply to Scott Poore from comment #8)
> tested the scratch build and it fixed my problem:

Thanks for testing! An official build is coming up soon.

Comment 12 Scott Poore 2014-03-13 22:22:18 UTC
Verified.

Version ::

sssd-1.11.2-60.el7.x86_64

Results ::


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_1075663: SSSD should create the SELinux mapping file with format expected by pam_selinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for admin.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit admin' (Expected 0, got 0)
-----------------------
Added group "gr1075663"
-----------------------
  Group name: gr1075663
  Description: 0
  GID: 995600052
:: [   PASS   ] :: Running 'ipa group-add --desc=0 gr1075663' (Expected 0, got 0)
---------------------------
Added group "gr1075663_ext"
---------------------------
  Group name: gr1075663_ext
  Description: 0
:: [   PASS   ] :: Running 'ipa group-add --desc=0 gr1075663_ext --external' (Expected 0, got 0)
  Group name: gr1075663
  Description: 0
  GID: 995600052
  Member groups: gr1075663_ext
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa group-add-member gr1075663 --groups=gr1075663_ext' (Expected 0, got 0)
  Group name: gr1075663_ext
  Description: 0
  External member: S-1-5-21-1515602834-2930230041-3336973146-1125
  Member of groups: gr1075663
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa group-add-member gr1075663_ext --users='' --groups='' --external='aduser1.test'' (Expected 0, got 0)
----------------------------------------
Added SELinux User Map "selinux_1075663"
----------------------------------------
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
:: [   PASS   ] :: Running 'ipa selinuxusermap-add --hostcat=all --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1075663' (Expected 0, got 0)
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa selinuxusermap-add-user selinux_1075663 --groups=gr1075663' (Expected 0, got 0)
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for aduser1.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit aduser1.TEST' (Expected 0, got 0)
:: [   PASS   ] :: Running 'ssh -K -l aduser1.test rhel7-1.ipa1.example.test 'id -Z' > ipa_trust_func_bug_1075663.8nEK89 2>&1' (Expected 0, got 0)
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat ipa_trust_func_bug_1075663.8nEK89' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.8nEK89' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [   PASS   ] :: Running 'ssh -K -l aduser1.TEST rhel7-1.ipa1.example.test 'id -Z' > ipa_trust_func_bug_1075663.8nEK89 2>&1' (Expected 0, got 0)
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat ipa_trust_func_bug_1075663.8nEK89' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.8nEK89' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [   PASS   ] :: Running 'ssh -K -l 'AD2\aduser1' rhel7-1.ipa1.example.test 'id -Z' > ipa_trust_func_bug_1075663.8nEK89 2>&1' (Expected 0, got 0)
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat ipa_trust_func_bug_1075663.8nEK89' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.8nEK89' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [   PASS   ] :: Running 'ssh -K -l 'ad2\aduser1' rhel7-1.ipa1.example.test 'id -Z' > ipa_trust_func_bug_1075663.8nEK89 2>&1' (Expected 0, got 0)
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat ipa_trust_func_bug_1075663.8nEK89' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.8nEK89' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [   PASS   ] :: BZ 1075663 not found 
:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
Password for admin.TEST: 
:: [   PASS   ] :: Running 'echo Secret123|kinit admin' (Expected 0, got 0)
-----------------------------
Deleted group "gr1075663_ext"
-----------------------------
:: [   PASS   ] :: Running 'ipa group-del gr1075663_ext' (Expected 0, got 0)
-------------------------
Deleted group "gr1075663"
-------------------------
:: [   PASS   ] :: Running 'ipa group-del gr1075663' (Expected 0, got 0)
------------------------------------------
Deleted SELinux User Map "selinux_1075663"
------------------------------------------
:: [   PASS   ] :: Running 'ipa selinuxusermap-del selinux_1075663' (Expected 0, got 0)

Comment 13 Ludek Smid 2014-06-13 11:01:45 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.