Bug 1184982 - Need to set different umask in selinux_child
Summary: Need to set different umask in selinux_child
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Keywords: Regression
Depends On:
Blocks: RHEL7CCC
TreeView+ depends on / blocked
 
Reported: 2015-01-22 15:50 UTC by Jakub Hrozek
Modified: 2015-03-05 10:35 UTC (History)
12 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-03-05 10:35:20 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0441 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Description Jakub Hrozek 2015-01-22 15:50:53 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2563

libsemanage calls mkdir() and then requires that the directory is created with permissions 0700. That doesn't work well for programs like sssd that set umask to a very restrictive value (like 177).

I consider this a bug in libsemanage, since they require custom permissions, they should set a sensible umask themselves, but we need to work around it for the short term.
Comment 1 Jakub Hrozek 2015-01-22 15:51:44 UTC 
User-visible effect might be that the directory /etc/selinux/targeted/modules/active is created with wrong permissions, preventing the semanage tools from working correctly.
Comment 3 Jakub Hrozek 2015-01-26 21:47:08 UTC 
To test:

0) set up an IPA client
1) Run ls -ld /etc/selinux/targeted/modules/active
   Note the access permissions and rights.
2) log in as an user who has a SELinux label assigned
3) Run ls -ld /etc/selinux/targeted/modules/active again

With the unpatched sssd, the permissions on the directory would be altered. The patched packages honor the permission libsemanage wants.
Comment 7 Jakub Hrozek 2015-01-27 17:12:38 UTC 
Fixed upstream:
    master: 8f78b6442f3176ee43aa06704a3adb9f4ac625d6
    sssd-1-12: b8894eb53017af67224d05470d2cdd2a65070a41
Comment 9 Nirupama Karandikar 2015-01-30 12:49:40 UTC 
Tested with sssd-1.12.2-52.el7.x86_64

1. Configure system as IPA client.

2. Check permissions of the following directory.

#  ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active

3. Login with ipauser1
 
# ssh ipauser1@localhost
ipauser1@localhost's password: 
Last login: Fri Jan 30 20:45:43 2015 from localhost
-sh-4.2$ pwd
/home/ipauser1

4. Check permissions of the same directory. 

-sh-4.2$ ls -ld /etc/selinux/targeted/modules/active
drwx------. 3 root root 4096 Jan 30 20:46 /etc/selinux/targeted/modules/active
Comment 10 Miroslav Vadkerti 2015-02-03 10:36:20 UTC 
Confirmed. This bug is fixed with sssd-1.12.2-52.el7, there is a selinux-policy issue remaining though, but that will be resolved in BZ#1185962
Comment 12 errata-xmlrpc 2015-03-05 10:35:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
Note You need to log in before you can comment on or make changes to this bug.