Bug 1169739 - selinuxusermap rule does not apply to trusted AD users
Summary: selinuxusermap rule does not apply to trusted AD users
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Assignee: Lukas Slebodnik
QA Contact: Kaushik Banerjee
Blocks: 1168850
Reported: 2014-12-02 10:37 UTC by Steeve Goveas
Modified: 2020-05-02 17:52 UTC (History)

Fixed In Version: sssd-1.12.2-32.el7
Doc Type: Known Issue
Doc Text:
Due to an error in processing SELinux labels for users from IPA-AD trusts, AD users logging in to hosts managed by Identity Management (IdM) are assigned the default SELinux context rather than the context from the matching SELinux user map rule. Because the default is the permissive unconfined_u context unless changed, it is recommended to set a restrictive SELinux context as the default.
Last Closed: 2015-03-05 10:34:45 UTC


Attachments
sssd_ipa.domain.log files for bz1075663 test (435.38 KB, text/plain), 2014-12-02 13:20 UTC, Steeve Goveas
sssd_ipa.domain.log files for bz1073635 test (712.27 KB, text/plain), 2014-12-02 13:22 UTC, Steeve Goveas


Links
GitHub SSSD issue 3554 (last updated 2020-05-02 17:52:30 UTC)
Red Hat Product Errata RHBA-2015:0441, normal, SHIPPED_LIVE: sssd bug fix and enhancement update (2015-03-05 15:05:27 UTC)

Description Steeve Goveas 2014-12-02 10:37:26 UTC
Description of problem:
This is a regression for bz1075663 and bz1073635

Version-Release number of selected component (if applicable):
sssd-1.12.2-28.el7.x86_64
ipa-server-4.1.0-10.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA and add Trust with AD

* https://bugzilla.redhat.com/show_bug.cgi?id=1075663

[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1075663 --groups=gr1075663_ext
  Group name: gr1075663
  Description: 0
  GID: 1119800014
  Member groups: gr1075663_ext
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1075663_ext --users='' --groups='' --external="aduser1@${AD_top_domain}"
  Group name: gr1075663_ext
  Description: 0
  External member: S-1-5-21-1910160501-511572375-3625658879-1313
  Member of groups: gr1075663
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ibm-x3620m3-01 ~]# id aduser1@${AD_top_domain}
uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe),1119800014(gr1075663),1119800008(adgrp)

[root@ibm-x3620m3-01 ~]# ipa selinuxusermap-add-user selinux_1075663 --groups=gr1075663
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# cat /home/${AD_top_domain}/aduser1/.k5login
aduser1@adtest.qe
aduser1@ADTEST.QE
ADTEST\aduser1
adtest\aduser1

[root@ibm-x3620m3-01 ~]# kdestroy -A

[root@ibm-x3620m3-01 ~]# echo ${AD_top_pswd}|kinit aduser1@${AD_TOP_REALM}
Password for aduser1@ADTEST.QE:

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_top_domain} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_TOP_REALM} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l "${AD_top_netbios}\\aduser1" $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l "${AD_top_netbios,,}\\aduser1" $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


* https://bugzilla.redhat.com/show_bug.cgi?id=1073635


[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1073635 --groups=gr1073635_ext
  Group name: gr1073635
  Description: 0
  GID: 1119800015
  Member groups: gr1073635_ext
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1073635_ext --users='' --groups='' \
>             --external="aduser1@${AD_top_domain}"
  Group name: gr1073635_ext
  Description: 0
  External member: S-1-5-21-1910160501-511572375-3625658879-1313
  Member of groups: gr1073635
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# ipa selinuxusermap-add-host selinux_1073635 --hosts=$MASTER
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
  Hosts: ibm-x3620m3-01.steeve2011.test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ibm-x3620m3-01 ~]# kdestroy -A

[root@ibm-x3620m3-01 ~]# echo ${AD_top_pswd}|kinit aduser1@${AD_TOP_REALM}
Password for aduser1@ADTEST.QE:

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_top_domain} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 1 Jakub Hrozek 2014-12-02 10:40:53 UTC
Please attach logs.

Assigning to Lukas for investigation as he was already poking at the issue.

Comment 3 Lukas Slebodnik 2014-12-02 10:55:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2512

Comment 5 Steeve Goveas 2014-12-02 13:20:49 UTC
Created attachment 963749 [details]
sssd_ipa.domain.log files for bz1075663 test

Comment 6 Steeve Goveas 2014-12-02 13:22:12 UTC
Created attachment 963752 [details]
sssd_ipa.domain.log files for bz1073635 test

Comment 7 Jakub Hrozek 2014-12-02 14:00:14 UTC
Thank you very much, a patch is on the list now.

Comment 8 Namita Soman 2014-12-03 20:54:40 UTC
Seeing it with regular (non-AD) users as well - so should doctext be revised?

# ipa user-add one
# ipa passwd one
# kinit one
# kinit admin

# ipa selinuxusermap-add selinuxusermaprule1 --selinuxuser=staff_u:s0-s0:c0.c1023
--------------------------------------------
Added SELinux User Map "selinuxusermaprule1"
--------------------------------------------
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE

# ipa selinuxusermap-add-user selinuxusermaprule1 --users=one
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: one
-------------------------
Number of members added 1
-------------------------

# ipa selinuxusermap-add-host selinuxusermaprule1 --hosts=qe-blade-01.testrelm.test
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: one
  Hosts: qe-blade-01.testrelm.test
-------------------------
Number of members added 1
-------------------------

# ipa selinuxusermap-show selinuxusermaprule1 --all
  dn: ipaUniqueID=836be4f2-7b2d-11e4-95b3-3440b58fae6b,cn=usermap,cn=selinux,dc=testrelm,dc=test
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: one
  Hosts: qe-blade-01.testrelm.test
  ipauniqueid: 836be4f2-7b2d-11e4-95b3-3440b58fae6b
  objectclass: ipaselinuxusermap, ipaassociation

# kinit one

# ssh -l one qe-blade-01.testrelm.test id -Z
Could not chdir to home directory /home/one: No such file or directory
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 9 Lukas Slebodnik 2014-12-03 21:01:00 UTC
It will not work for ipa users if the option use_fully_qualified_names is enabled in ipa domain (sssd.conf).

Comment 10 Jakub Hrozek 2014-12-08 09:44:46 UTC
* master: b02eda90e9c6d6666af55041b1b12f5ac2f47b73

Comment 12 Steeve Goveas 2015-01-06 15:01:46 UTC
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-ipa-1.12.2-39.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_1075663: SSSD should create the SELinux mapping file with format expected by pam_selinux
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit admin'
Password for admin@RDUSTV1911.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add --desc=0 gr1075663'
-----------------------
Added group "gr1075663"
-----------------------
  Group name: gr1075663
  Description: 0
  GID: 1039800006
:: [   PASS   ] :: Command 'ipa group-add --desc=0 gr1075663' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add --desc=0 gr1075663_ext --external'
---------------------------
Added group "gr1075663_ext"
---------------------------
  Group name: gr1075663_ext
  Description: 0
:: [   PASS   ] :: Command 'ipa group-add --desc=0 gr1075663_ext --external' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add-member gr1075663 --groups=gr1075663_ext'
  Group name: gr1075663
  Description: 0
  GID: 1039800006
  Member groups: gr1075663_ext
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa group-add-member gr1075663 --groups=gr1075663_ext' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add-member gr1075663_ext --users='' --groups=''             --external='aduser1@ipaad2012r2.test''
  Group name: gr1075663_ext
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-1105
  Member of groups: gr1075663
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa group-add-member gr1075663_ext --users='' --groups=''             --external='aduser1@ipaad2012r2.test'' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-add --hostcat=all --selinuxuser='staff_u:s0-s0:c0.c1023'             selinux_1075663'
----------------------------------------
Added SELinux User Map "selinux_1075663"
----------------------------------------
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
:: [   PASS   ] :: Command 'ipa selinuxusermap-add --hostcat=all --selinuxuser='staff_u:s0-s0:c0.c1023'             selinux_1075663' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-add-user selinux_1075663 --groups=gr1075663'
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa selinuxusermap-add-user selinux_1075663 --groups=gr1075663' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su - aduser1@ipaad2012r2.test -c             'echo aduser1@IPAAD2012R2.TEST >> ~/.k5login''
:: [   PASS   ] :: Command 'su - aduser1@ipaad2012r2.test -c             'echo aduser1@IPAAD2012R2.TEST >> ~/.k5login'' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su - aduser1@ipaad2012r2.test -c             'cat ~/.k5login''
aduser1@IPAAD2012R2.TEST
:: [   PASS   ] :: Command 'su - aduser1@ipaad2012r2.test -c             'cat ~/.k5login'' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit aduser1@IPAAD2012R2.TEST'
Password for aduser1@IPAAD2012R2.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit aduser1@IPAAD2012R2.TEST' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh -K -l aduser1@ipaad2012r2.test ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [   PASS   ] :: Command 'ssh -K -l aduser1@ipaad2012r2.test ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [  BEGIN   ] :: Running 'ssh -K -l aduser1@IPAAD2012R2.TEST ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [   PASS   ] :: Command 'ssh -K -l aduser1@IPAAD2012R2.TEST ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [  BEGIN   ] :: Running 'ssh -K -l 'IPAAD2012R2\aduser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [   PASS   ] :: Command 'ssh -K -l 'IPAAD2012R2\aduser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [  BEGIN   ] :: Running 'ssh -K -l 'ipaad2012r2\aduser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1'
:: [   PASS   ] :: Command 'ssh -K -l 'ipaad2012r2\aduser1' ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1075663.GCLRFD 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_bug_1075663.GCLRFD'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Command 'cat ipa_trust_func_bug_1075663.GCLRFD' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1075663.GCLRFD' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [   PASS   ] :: BZ 1075663 not found 
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit admin'
Password for admin@RDUSTV1911.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-del gr1075663_ext'
-----------------------------
Deleted group "gr1075663_ext"
-----------------------------
:: [   PASS   ] :: Command 'ipa group-del gr1075663_ext' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-del gr1075663'
-------------------------
Deleted group "gr1075663"
-------------------------
:: [   PASS   ] :: Command 'ipa group-del gr1075663' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-del selinux_1075663'
------------------------------------------
Deleted SELinux User Map "selinux_1075663"
------------------------------------------
:: [   PASS   ] :: Command 'ipa selinuxusermap-del selinux_1075663' (Expected 0, got 0)



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_1073635: IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:55:09 ] :: First make sure selinuxusermap is to unconfined...
:: [  BEGIN   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit aduser1@IPAAD2012R2.TEST'
Password for aduser1@IPAAD2012R2.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit aduser1@IPAAD2012R2.TEST' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh -K -l aduser1@ipaad2012r2.test ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1'
:: [   PASS   ] :: Command 'ssh -K -l aduser1@ipaad2012r2.test ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_bug_1073635.HvhL70'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Command 'cat ipa_trust_func_bug_1073635.HvhL70' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1073635.HvhL70' should contain 'unconfined_u.*:s0-s0:c0.c1023' 
:: [ 07:55:19 ] :: Now Setup groups and selinuxusermap rule
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit admin'
Password for admin@RDUSTV1911.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add --desc=0 gr1073635'
-----------------------
Added group "gr1073635"
-----------------------
  Group name: gr1073635
  Description: 0
  GID: 1039800007
:: [   PASS   ] :: Command 'ipa group-add --desc=0 gr1073635' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add --desc=0 gr1073635_ext --external'
---------------------------
Added group "gr1073635_ext"
---------------------------
  Group name: gr1073635_ext
  Description: 0
:: [   PASS   ] :: Command 'ipa group-add --desc=0 gr1073635_ext --external' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add-member gr1073635 --groups=gr1073635_ext'
  Group name: gr1073635
  Description: 0
  GID: 1039800007
  Member groups: gr1073635_ext
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa group-add-member gr1073635 --groups=gr1073635_ext' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-add-member gr1073635_ext --users='' --groups=''             --external='aduser1@ipaad2012r2.test''
  Group name: gr1073635_ext
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-1105
  Member of groups: gr1073635
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa group-add-member gr1073635_ext --users='' --groups=''             --external='aduser1@ipaad2012r2.test'' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-add --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1073635'
----------------------------------------
Added SELinux User Map "selinux_1073635"
----------------------------------------
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
:: [   PASS   ] :: Command 'ipa selinuxusermap-add --selinuxuser='staff_u:s0-s0:c0.c1023' selinux_1073635' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-add-user selinux_1073635 --groups=gr1073635'
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa selinuxusermap-add-user selinux_1073635 --groups=gr1073635' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-add-host selinux_1073635 --hosts=ipaqavmh.rdustv1911.test'
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
  Hosts: ipaqavmh.rdustv1911.test
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Command 'ipa selinuxusermap-add-host selinux_1073635 --hosts=ipaqavmh.rdustv1911.test' (Expected 0, got 0)
:: [ 07:55:37 ] :: Now test selinuxusermap rule
:: [  BEGIN   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit aduser1@IPAAD2012R2.TEST'
Password for aduser1@IPAAD2012R2.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit aduser1@IPAAD2012R2.TEST' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh -K -l aduser1@ipaad2012r2.test ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1'
:: [   PASS   ] :: Command 'ssh -K -l aduser1@ipaad2012r2.test ipaqavmh.rdustv1911.test 'id -Z' > ipa_trust_func_bug_1073635.HvhL70 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_bug_1073635.HvhL70'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Command 'cat ipa_trust_func_bug_1073635.HvhL70' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_bug_1073635.HvhL70' should contain 'staff_u.*:s0-s0:c0.c1023' 
:: [ 07:55:48 ] :: Now cleanup groups and rules
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123|kinit admin'
Password for admin@RDUSTV1911.TEST: 
:: [   PASS   ] :: Command 'echo Secret123|kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-del gr1073635'
-------------------------
Deleted group "gr1073635"
-------------------------
:: [   PASS   ] :: Command 'ipa group-del gr1073635' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa group-del gr1073635_ext'
-----------------------------
Deleted group "gr1073635_ext"
-----------------------------
:: [   PASS   ] :: Command 'ipa group-del gr1073635_ext' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa selinuxusermap-del selinux_1073635'
------------------------------------------
Deleted SELinux User Map "selinux_1073635"
------------------------------------------
:: [   PASS   ] :: Command 'ipa selinuxusermap-del selinux_1073635' (Expected 0, got 0)

Comment 15 errata-xmlrpc 2015-03-05 10:34:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html