Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2563
libsemanage calls mkdir() and then requires that the directory is created with permissions 0700. That doesn't work well for programs like sssd that set umask to a very restrictive value (like 177).
I consider this a bug in libsemanage, since they require custom permissions, they should set a sensible umask themselves, but we need to work around it for the short term.
User-visible effect might be that the directory /etc/selinux/targeted/modules/active is created with wrong permissions, preventing the semanage tools from working correctly.
To test:
0) set up an IPA client
1) Run ls -ld /etc/selinux/targeted/modules/active
Note the access permissions and rights.
2) log in as an user who has a SELinux label assigned
3) Run ls -ld /etc/selinux/targeted/modules/active again
With the unpatched sssd, the permissions on the directory would be altered. The patched packages honor the permission libsemanage wants.
Comment 9Nirupama Karandikar
2015-01-30 12:49:40 UTC
Tested with sssd-1.12.2-52.el7.x86_64
1. Configure system as IPA client.
2. Check permissions of the following directory.
# ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active
3. Login with ipauser1
# ssh ipauser1@localhost
ipauser1@localhost's password:
Last login: Fri Jan 30 20:45:43 2015 from localhost
-sh-4.2$ pwd
/home/ipauser1
4. Check permissions of the same directory.
-sh-4.2$ ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active
Comment 10Miroslav Vadkerti
2015-02-03 10:36:20 UTC
Confirmed. This bug is fixed with sssd-1.12.2-52.el7, there is a selinux-policy issue remaining though, but that will be resolved in BZ#1185962
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-0441.html