Bug 1082191
| Field | Value |
|---|---|
| Summary | RHEL7 IPA selinuxusermap hbac rule not always matching |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Scott Poore <spoore> |
| Component | sssd |
| Assignee | Jakub Hrozek <jhrozek> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | urgent |
| Priority | urgent |
| Version | 7.0 |
| CC | dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nsoman, pbrezina, preichl, rcritten, spoore |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.11.2-65.el7 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-06-13 11:23:20 UTC |
| Attachments | 880036 (SSSD log from client) |
Description (Scott Poore, 2014-03-29 00:25:33 UTC)

Comment 2 (Scott Poore):

Created attachment 880036 [details]
SSSD log from client

This is the sssd log from the client which first saw correct selinuxusermap and then saw incorrect.

Comment 3 (Martin Kosek):

Given that SELinux assignment worked in one request but not in another, I think this issue will rather be on the client side, not on the server side. Switching the component so that it can be properly investigated.

I checked the log and I did not find any obvious issue; I just saw there were 2 log lines in the first SELinux processing that were not in the second:

```
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [ipa_selinux_process_seealso_maps] (0x0400): HBAC rule [ipaUniqueID=c021a5ea-b6c4-11e3-b738-021016980186,cn=hbac,dc=testrelm,dc=test] matched, copying its attributes to SELinux user map [ipaUniqueID=c021a5ea-b6c4-11e3-b738-021016980186,cn=hbac,dc=testrelm,dc=test]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sending result [0][testrelm.test]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sent result [0][testrelm.test]
>>> (Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
>>> (Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8d3c595af0], connected[1], ops[(nil)], ldap[0x7f8d3c595f90]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Mar 28 20:22:36 2014) [sssd[be[testrelm.test]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f8d3c58d3d0
```
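The comparison made in comment 3 (did the backend log an `ipa_selinux_process_seealso_maps` "matched" line for each PAM request before it sent the result?) can be done mechanically over a whole `sssd_<domain>.log` instead of by eye. The script below is an added example written for this page; it is not code from the bug report or from sssd. It assumes the log-line layout shown in the excerpt above, treats a `Sending result` line as the end of one PAM request (the next interesting line opens a new one), and flags requests that returned status 0 without any HBAC-linked SELinux map having been copied, which is the symptom of this bug when the user is expected to be covered by an enabled selinuxusermap. The sample log embedded in it is constructed, modelled on the excerpt in comment 3; the second login at 20:22:41 is invented to show the failing case.

```python
"""Triage an sssd domain log for PAM requests that got no SELinux user map.

Added example for bug 1082191; not part of the bug report or of sssd.
Assumptions (not stated by the report): a 'Sending result' line closes a
PAM request, the next be_pam_/ipa_selinux_/ipa_hbac_ line opens a new one,
and 'Sent result' is only the trailing confirmation of the request just closed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Layout of an sssd domain-log line, e.g.
# (Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sending result [0][testrelm.test]
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
    r"\[(?P<func>[^\]]*)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# 'its ?attributes' tolerates the missing space in the report's pasted excerpt.
MATCHED_RE = re.compile(
    r"HBAC rule \[(?P<rule>[^\]]*)\] matched, copying its ?attributes "
    r"to SELinux user map \[(?P<seemap>[^\]]*)\]"
)
RESULT_RE = re.compile(r"Sending result \[(?P<status>-?\d+)\]\[(?P<domain>[^\]]*)\]")
# Only these backend functions are used to delimit and classify a request.
INTERESTING = ("be_pam_", "ipa_selinux_", "ipa_hbac_")


@dataclass
class PamRequest:
    """One backend PAM request, from its first interesting line to 'Sending result'."""
    started: str                          # timestamp of the first line attributed to it
    matched_maps: List[str] = field(default_factory=list)   # SELinux map DNs copied
    status: Optional[int] = None          # N from 'Sending result [N]', None if never sent
    finished: Optional[str] = None


def split_requests(lines: Iterable[str]) -> List[PamRequest]:
    """Group log lines into PamRequest objects (see module docstring for the rule)."""
    requests: List[PamRequest] = []
    current: Optional[PamRequest] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank lines, other daemons, continuation text
        ts, func, msg = m.group("ts"), m.group("func"), m.group("msg")
        if not func.startswith(INTERESTING):
            continue                      # sdap_*, sbus_* etc. are connection plumbing
        if current is None:
            if msg.startswith("Sent result"):
                continue                  # belongs to the request that was just closed
            current = PamRequest(started=ts)
            requests.append(current)
        if func == "ipa_selinux_process_seealso_maps":
            mm = MATCHED_RE.search(msg)
            if mm:
                current.matched_maps.append(mm.group("seemap"))
        elif func == "be_pam_handler_callback":
            rm = RESULT_RE.search(msg)
            if rm:
                current.status = int(rm.group("status"))
                current.finished = ts
                current = None            # 'Sending result' closes the request
    return requests


def suspicious(requests: List[PamRequest]) -> List[PamRequest]:
    """Requests answered Success (0) although no HBAC-linked map was copied.

    For a user covered by an enabled selinuxusermap this is the bug's symptom:
    the client falls back to the default SELinux user (unconfined_u in the report).
    """
    return [r for r in requests if r.status == 0 and not r.matched_maps]


def report(log_text: str) -> str:
    """One line per request; 'CHECK' marks the ones worth looking at."""
    reqs = split_requests(log_text.splitlines())
    bad = suspicious(reqs)
    return "\n".join(
        f"request {i} at {r.started}: status={r.status} "
        f"maps_copied={len(r.matched_maps)} [{'CHECK' if r in bad else 'ok'}]"
        for i, r in enumerate(reqs, 1)
    )


# Constructed sample modelled on comment 3: login 1 copies map attributes, login 2 never does.
SAMPLE_LOG = """\
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [ipa_selinux_process_seealso_maps] (0x0400): HBAC rule [ipaUniqueID=c021a5ea-b6c4-11e3-b738-021016980186,cn=hbac,dc=testrelm,dc=test] matched, copying its attributes to SELinux user map [ipaUniqueID=c021a5ea-b6c4-11e3-b738-021016980186,cn=hbac,dc=testrelm,dc=test]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sending result [0][testrelm.test]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sent result [0][testrelm.test]
(Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Mar 28 20:22:36 2014) [sssd[be[testrelm.test]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f8d3c58d3d0
(Fri Mar 28 20:22:41 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Fri Mar 28 20:22:41 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sending result [0][testrelm.test]
(Fri Mar 28 20:22:41 2014) [sssd[be[testrelm.test]]] [be_pam_handler_callback] (0x0100): Sent result [0][testrelm.test]
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log with `debug_level = 6` or higher in the `[domain/...]` section (the `matched` line is logged at 0x0400), and read the `CHECK` rows together with the `id -Z` output of the corresponding login: a `CHECK` row whose login still received the mapped SELinux user means the map came from the cache rather than this request, so the grouping assumption above needs adjusting for that log.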
(In reply to Martin Kosek from comment #3)
> >>> (Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
> >>> (Fri Mar 28 20:22:35 2014) [sssd[be[testrelm.test]]] [sdap_process_result] (0x2000): Trace: sh[0x7f8d3c595af0], connected[1], ops[(nil)], ldap[0x7f8d3c595f90]

I'd assume this is because the connection was reused for the second attempt, while sssd was establishing it for the first attempt. Anyway, just a guess, and this code is low-level LDAP connection handling, not directly SELinux code.

(In reply to Scott Poore from comment #2)
> Created attachment 880036 [details]
> SSSD log from client
>
> This is the sssd log from the client which first saw correct selinuxusermap
> and then saw incorrect.

I see a match (not sure if *the* match given that logs only contain uniqueIDs) in both authentication attempts.

Scott, does your test system have the latest pam package (1.1.8-8) as well? If so, can I get access to the test system and check it out?

Yes, from the logs it looks like it had pam-1.1.8-8.el7.x86_64. Unfortunately it's been returned already so I'll have to get a new one. I'll let you know when that is ready. Thanks.

Upstream ticket: https://fedorahosted.org/sssd/ticket/2300

Fixed upstream:
master: 355b8a655cfcc4e783077d12f76b55da1d23fb87
sssd-1-11: ac93a2d27415abd730aa1063b1689def8be9dbe9
Verified.

Version :: sssd-1.11.2-65.el7.x86_64

Results ::

With old version I added the following to /etc/sysconfig/sssd:

TALLOC_FREE_FILL=64

And I consistently see the error with the wrong SELinux User Mapping:

```
[root@intel-canoepass-12 ~]# vi /etc/sysconfig/sssd
[root@intel-canoepass-12 ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
[root@intel-canoepass-12 ~]# ssh -l testuser1 $(hostname) id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@intel-canoepass-12 ~]# ssh -l testuser1 $(hostname) id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@intel-canoepass-12 ~]# ssh -l testuser1 $(hostname) id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@intel-canoepass-12 ~]# ssh -l testuser1 $(hostname) id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@intel-canoepass-12 ~]# ssh -l testuser1 $(hostname) id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Now, with fixed version:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: ipa_bugcheck_bz1082191: RHEL7 IPA selinuxusermap hbac rule not always matching
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Password for admin:
::   [ PASS ] :: Running 'echo -e 'Secret123'|kinit admin' (Expected 0, got 0)
---------------------------
Added user "bz1082191_user"
---------------------------
  User login: bz1082191_user
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz1082191_user
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: bz1082191_user
  Email address: bz1082191_user
  UID: 773000010
  GID: 773000010
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
::   [ PASS ] :: Running 'echo -e 'password\npassword'|ipa user-add bz1082191_user --first=f --last=l --password' (Expected 0, got 0)
Password for bz1082191_user:
Password expired. You must change it now.
Enter new password:
Enter it again:
::   [ PASS ] :: Running 'echo -e 'password\nSecret123\nSecret123'|kinit bz1082191_user' (Expected 0, got 0)
cp: overwrite ‘/etc/sysconfig/sssd.ipa_bugcheck_bz1082191’? y
::   [ PASS ] :: Running 'cp /etc/sysconfig/sssd /etc/sysconfig/sssd.ipa_bugcheck_bz1082191' (Expected 0, got 0)
::   [ PASS ] :: Running 'echo TALLOC_FREE_FILL=64 >> /etc/sysconfig/sssd' (Expected 0, got 0)
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
::   [ PASS ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
Password for bz1082191_user:
::   [ PASS ] :: Running 'echo -e 'Secret123'|kinit bz1082191_user' (Expected 0, got 0)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
::   [ PASS ] :: Running 'ssh -l bz1082191_user intel-canoepass-12.testrelm.test id -Z 2>&1|tee /tmp/tmpout.ipa_bugcheck_bz1082191 2>&1' (Expected 0, got 0)
::   [ PASS ] :: File '/tmp/tmpout.ipa_bugcheck_bz1082191' should contain 'unconfined_u'
Password for admin:
::   [ PASS ] :: Running 'echo -e 'Secret123'|kinit admin' (Expected 0, got 0)
--------------------------------
Added HBAC rule "bz1082191_hbac"
--------------------------------
  Rule name: bz1082191_hbac
  Enabled: TRUE
::   [ PASS ] :: Running 'ipa hbacrule-add bz1082191_hbac' (Expected 0, got 0)
  Rule name: bz1082191_hbac
  Enabled: TRUE
  Users: bz1082191_user
-------------------------
Number of members added 1
-------------------------
::   [ PASS ] :: Running 'ipa hbacrule-add-user bz1082191_hbac --users=bz1082191_user' (Expected 0, got 0)
  Rule name: bz1082191_hbac
  Enabled: TRUE
  Users: bz1082191_user
  Hosts: intel-canoepass-12.testrelm.test
-------------------------
Number of members added 1
-------------------------
::   [ PASS ] :: Running 'ipa hbacrule-add-host bz1082191_hbac --hosts=intel-canoepass-12.testrelm.test' (Expected 0, got 0)
  Rule name: bz1082191_hbac
  Enabled: TRUE
  Users: bz1082191_user
  Hosts: intel-canoepass-12.testrelm.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------
::   [ PASS ] :: Running 'ipa hbacrule-add-service bz1082191_hbac --hbacsvcs=sshd' (Expected 0, got 0)
------------------------------------------
Added SELinux User Map "bz1082191_selinux"
------------------------------------------
  Rule name: bz1082191_selinux
  SELinux User: staff_u:s0-s0:c0.c1023
  HBAC Rule: bz1082191_hbac
  Enabled: TRUE
::   [ PASS ] :: Running 'ipa selinuxusermap-add bz1082191_selinux --selinuxuser='staff_u:s0-s0:c0.c1023' --hbacrule=bz1082191_hbac' (Expected 0, got 0)
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
::   [ PASS ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
Password for bz1082191_user:
::   [ PASS ] :: Running 'echo -e 'Secret123'|kinit bz1082191_user' (Expected 0, got 0)
staff_u:staff_r:staff_t:s0-s0:c0.c1023
::   [ PASS ] :: Running 'ssh -l bz1082191_user intel-canoepass-12.testrelm.test id -Z 2>&1|tee /tmp/tmpout.ipa_bugcheck_bz1082191 2>&1' (Expected 0, got 0)
::   [ PASS ] :: File '/tmp/tmpout.ipa_bugcheck_bz1082191' should contain 'staff_u'
::   [ PASS ] :: BZ 1082191 not found
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.