RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1184982 - Need to set different umask in selinux_child
Summary: Need to set different umask in selinux_child
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: RHEL7CCC
TreeView+ depends on / blocked
 
Reported: 2015-01-22 15:50 UTC by Jakub Hrozek
Modified: 2020-05-02 17:56 UTC (History)
12 users (show)

Fixed In Version: sssd-1.12.2-52.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:35:20 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3605 0 None None None 2020-05-02 17:56:03 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Description Jakub Hrozek 2015-01-22 15:50:53 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2563

libsemanage calls mkdir() and then requires that the directory is created with permissions 0700. That doesn't work well for programs like sssd that set umask to a very restrictive value (like 177).

I consider this a bug in libsemanage, since they require custom permissions, they should set a sensible umask themselves, but we need to work around it for the short term.

Comment 1 Jakub Hrozek 2015-01-22 15:51:44 UTC
User-visible effect might be that the directory /etc/selinux/targeted/modules/active is created with wrong permissions, preventing the semanage tools from working correctly.

Comment 3 Jakub Hrozek 2015-01-26 21:47:08 UTC
To test:

0) set up an IPA client
1) Run ls -ld /etc/selinux/targeted/modules/active
   Note the access permissions and rights.
2) log in as an user who has a SELinux label assigned
3) Run ls -ld /etc/selinux/targeted/modules/active again

With the unpatched sssd, the permissions on the directory would be altered. The patched packages honor the permission libsemanage wants.

Comment 7 Jakub Hrozek 2015-01-27 17:12:38 UTC
Fixed upstream:
    master: 8f78b6442f3176ee43aa06704a3adb9f4ac625d6
    sssd-1-12: b8894eb53017af67224d05470d2cdd2a65070a41

Comment 9 Nirupama Karandikar 2015-01-30 12:49:40 UTC
Tested with sssd-1.12.2-52.el7.x86_64

1. Configure system as IPA client.

2. Check permissions of the following directory.

#  ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active

3. Login with ipauser1
 
# ssh ipauser1@localhost
ipauser1@localhost's password: 
Last login: Fri Jan 30 20:45:43 2015 from localhost
-sh-4.2$ pwd
/home/ipauser1

4. Check permissions of the same directory. 

-sh-4.2$ ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active

Comment 10 Miroslav Vadkerti 2015-02-03 10:36:20 UTC
Confirmed. This bug is fixed with sssd-1.12.2-52.el7, there is a selinux-policy issue remaining though, but that will be resolved in BZ#1185962

Comment 12 errata-xmlrpc 2015-03-05 10:35:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html


Note You need to log in before you can comment on or make changes to this bug.