Bug 1550037 - selinux prevents AD user ssh to Atomic host configured using sssd
Summary: selinux prevents AD user ssh to Atomic host configured using sssd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: container-selinux
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-28 11:31 UTC by Niranjan Mallapadi Raghavender
Modified: 2018-04-11 00:03 UTC
CC List: 8 users

Fixed In Version: container-selinux-2.42-1.gitad8f0f7.el7, container-selinux-2.48-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-11 00:03:10 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2018:1073 (Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2018-04-11 00:03:32 UTC)

Description Niranjan Mallapadi Raghavender 2018-02-28 11:31:23 UTC
Description of problem:

On a RHEL Atomic Host configured to authenticate to Windows Active Directory using the sssd system container, an AD user is unable to log on due to an SELinux denial.



Version-Release number of selected component (if applicable):


[root@host-8-244-68 sssd]# atomic host status
State: idle
Deployments:
● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.5.0 (2018-02-22 15:51:49)
                    Commit: 474534b1a1a2945c8ff2ad72cb646aaa25ec7b2d9fa9413a99a8cd2ef885dfdc

  ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.1 (2017-08-30 19:29:56)
                    Commit: e83c16780259c5272684221e2a6007300d94bbfdc5432f9ab6025300f447145b

sssd-docker-7.4.18
selinux-policy-3.13.1-166.el7_4.8.noarch

Steps to Reproduce:

1. Add Windows AD system ip address in /etc/resolv.conf
2. Add Windows Administrator password to /etc/sssd/realm-join-password
3. Join Atomic Host to AD domain
       atomic install rhel7/sssd realm join  -v --membership-software=adcli JUNO.TEST
4. Restart sssd process

5. Run id command to verify AD users are visible on Atomic Host
[root@atomic-6830 sssd]# id Administrator

uid=842000500(administrator) gid=842000513(domain users) groups=842000513(domain users),842000519(enterprise admins),842000520(group policy creator owners),842000512(domain admins),842000518(schema admins),842000572(denied rodc password replication group)


6. Log in to the Atomic Host using ssh as the Administrator user

Actual results:

AD user fails to Login

Expected results:

AD user should be able to Login


Additional info:

[root@atomic-6830 sssd]# ssh Administrator@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:L9hHCedOXhD3Fc+QCmvePfFpNDjAHVlGlwhYj98CQUI.
ECDSA key fingerprint is MD5:32:58:4e:97:90:85:d7:de:2a:55:00:4f:3c:17:b7:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Administrator@localhost's password:
Permission denied, please try again.
Administrator@localhost's password: 


Following SELinux AVC messages are seen:

Feb 28 11:28:03 atomic-6830.testrelm.test sshd[14574]: input_userauth_request: invalid user Administrator [preauth]
Feb 28 11:28:03 atomic-6830.testrelm.test sshd[14574]: PAM unable to dlopen(/usr/lib64/security/pam_oddjob_mkhomedir.so): /usr/lib64/security/pam_oddjob_mkhomedir.so: cannot open shared object file: No such file or directory
Feb 28 11:28:03 atomic-6830.testrelm.test sshd[14574]: PAM adding faulty module: /usr/lib64/security/pam_oddjob_mkhomedir.so
Feb 28 11:28:05 atomic-6830.testrelm.test kernel: type=1400 audit(1519817285.830:10): avc:  denied  { connectto } for  pid=14574 comm="sshd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket
Feb 28 11:28:05 atomic-6830.testrelm.test kernel: type=1400 audit(1519817285.834:11): avc:  denied  { connectto } for  pid=14574 comm="sshd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket
Feb 28 11:28:05 atomic-6830.testrelm.test kernel: type=1400 audit(1519817285.838:12): avc:  denied  { connectto } for  pid=14574 comm="sshd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket
Feb 28 11:28:05 atomic-6830.testrelm.test sshd[14574]: pam_unix(sshd:auth): check pass; user unknown
Feb 28 11:28:05 atomic-6830.testrelm.test sshd[14574]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb 28 11:28:05 atomic-6830.testrelm.test kernel: type=1400 audit(1519817285.842:13): avc:  denied  { connectto } for  pid=14574 comm="sshd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket
Feb 28 11:28:08 atomic-6830.testrelm.test sshd[14574]: Failed password for invalid user Administrator from ::1 port 47160 ssh2
Feb 28 11:28:24 atomic-6830.testrelm.test sshd[14574]: Connection closed by ::1 port 47160 [preauth]



sssd.conf:
[sssd]
domains = juno.test
config_file_version = 2
services = nss, pam

[domain/juno.test]
ad_domain = juno.test
krb5_realm = JUNO.TEST
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

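The AVC lines above are the reason sshd reports "invalid user Administrator": the account lookup goes through the sssd nss pipe at /var/lib/sss/pipes/nss, and the loaded policy refuses to let sshd_t connect to a socket owned by spc_t (the domain the sssd system container runs in), so the name is never resolved and the login fails. The PAM dlopen warning for pam_oddjob_mkhomedir is a separate message and is not part of the denial. The script below is an added example, not part of the bug report or of container-selinux: it turns kernel AVC lines into the equivalent SELinux allow rules so the missing access can be confirmed with sesearch or, on a host that has not yet received the fixed container-selinux package, packaged as a stopgap local module. The sample input is constructed from the lines quoted in the report; the module name sshd_sss_spc and the command sequence in the comments are assumptions, not anything the report prescribes.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn the kernel AVC lines in a
# journal or audit excerpt into the equivalent SELinux allow rules.

# Constructed sample: two of the AVC lines quoted in the report plus an
# unrelated sshd line that must be ignored.
SAMPLE_LOG='Feb 28 11:28:03 atomic-6830.testrelm.test sshd[14574]: PAM adding faulty module: /usr/lib64/security/pam_oddjob_mkhomedir.so
Feb 28 11:28:05 atomic-6830.testrelm.test kernel: type=1400 audit(1519817285.830:10): avc:  denied  { connectto } for  pid=14574 comm="sshd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket
Feb 28 11:28:05 atomic-6830.testrelm.test kernel: type=1400 audit(1519817285.834:11): avc:  denied  { connectto } for  pid=14574 comm="sshd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read log lines on stdin and print one de-duplicated
# "allow <source type> <target type>:<class> { <perms> };" per denial.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # The permission list sits between "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # The type is the third colon-separated field of a context.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            print "allow " src " " tgt ":" cls " { " perms " };"
    }' | sort -u
}

# On a live host, run by hand (not executed here):
#   journalctl -k -b | avc_to_allow
#   sesearch -A -s sshd_t -t spc_t -c unix_stream_socket -p connectto
#     (prints nothing when the policy has no such allow rule)
# Stopgap only for a host still on container-selinux older than 2.42
# (hypothetical module name sshd_sss_spc):
#   { printf "module sshd_sss_spc 1.0;\nrequire { type sshd_t; type spc_t; class unix_stream_socket connectto; }\n";
#     journalctl -k -b | avc_to_allow; } > sshd_sss_spc.te
#   checkmodule -M -m -o sshd_sss_spc.mod sshd_sss_spc.te
#   semodule_package -o sshd_sss_spc.pp -m sshd_sss_spc.mod
#   semodule -i sshd_sss_spc.pp

printf '%s\n' "$SAMPLE_LOG" | avc_to_allow
```

The rule the script emits for this report, allow sshd_t spc_t:unix_stream_socket { connectto };, is exactly the kind of access Comment 7 says the typebounds change had dropped, so it is a useful check that a host has received the fixed package: once container-selinux 2.42 or later is installed the sesearch query should return a matching rule and the local module should be removed again with semodule -r.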
Comment 5 Niranjan Mallapadi Raghavender 2018-02-28 11:48:49 UTC
Atomic Host Version is below:

● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.5 (2018-02-22 18:40:44)
                    Commit: e5bc41cb8a4c990382efc992e7dc96a609635edbad178e5a04589491eed97fee

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.1 (2017-08-30 19:29:56)
                    Commit: e83c16780259c5272684221e2a6007300d94bbfdc5432f9ab6025300f447145b

Comment 7 Daniel Walsh 2018-02-28 16:22:12 UTC
We just built a new container-selinux into rhel7.5; could you check if this solves your issues?

I think the issues were caused by typebounds removing some allow rules from bounded domains.

unconfined_t -> spc_t 

Was causing allow rules that allowed every process to communicate with spc_t to be dropped since we don't allow every process to communicate with unconfined_t.

The latest container-selinux drops typebounds to use new nnp_transition rules.

Comment 8 Niranjan Mallapadi Raghavender 2018-02-28 16:46:55 UTC
The issue is seen in RHEL 7.4.5, the latest compose of Atomic Host, so would this patch also be available in 7.4.5?

$ rpm -q -a container-selinux selinux-policy 
container-selinux-2.41-1.git126c1c0.el7.noarch
selinux-policy-3.13.1-166.el7_4.8.noarch

Comment 9 Lukas Vrabec 2018-02-28 16:58:19 UTC
The fix should be in the container-selinux package. We probably need a Z-stream bz here. Moving to the right component.

Comment 10 Daniel Walsh 2018-02-28 17:47:16 UTC
container-selinux-2.42-1.gitad8f0f7.el7 should have fixed this.

Comment 19 errata-xmlrpc 2018-04-11 00:03:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1073

