RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1619706 - sssd only sets the SELinux login context if it differs from the default
Summary: sssd only sets the SELinux login context if it differs from the default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1628503 1645044 1645047
TreeView+ depends on / blocked
 
Reported: 2018-08-21 14:20 UTC by German Parente
Modified: 2022-03-13 15:26 UTC (History)
17 users (show)

Fixed In Version: sssd-1.16.2-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1628503 1645044 1645047 (view as bug list)
Environment:
Last Closed: 2019-08-06 13:02:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
test_selinux (6.82 KB, text/plain)
2018-09-03 19:27 UTC, aheverle 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4813 0 None closed sssd only sets the SELinux login context if it differs from the default 2020-05-25 06:26:02 UTC
Red Hat Knowledge Base (Solution) 3612271 0 None None None 2018-09-13 09:00:06 UTC
Red Hat Product Errata RHSA-2019:2177 0 None None None 2019-08-06 13:02:37 UTC

Description German Parente 2018-08-21 14:20:14 UTC 
Description of problem:

We have a difference between sssd 7.4 and sssd 7.5

In 7.4 semanage is called and the selinux mapping is set.

In 7.5 it's not called.

We can see this here:

    ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
    DEBUG(SSSDBG_TRACE_INTERNAL,
          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
          ret, db_seuser ? db_seuser : "unknown",
          db_mls_range ? db_mls_range : "unknown");
    if (ret == EOK && db_seuser && db_mls_range &&
            strcmp(db_seuser, seuser) == 0 &&
            strcmp(db_mls_range, mls_range) == 0) {
        needs_update = false;
    }

The function seuser_needs_update is returning FALSE. After adding some DEBUG to RHEL7.5 code:

(Tue Aug 21 09:54:21 2018) [[sssd[selinux_child[4368]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(Tue Aug 21 09:54:21 2018) [[sssd[selinux_child[4368]]]] [seuser_needs_update] (0x2000): needs_update is false

So, this is not called:

    if (needs_update == true) {
        ret = sc_set_seuser(username, ibuf->seuser, ibuf->mls_range);

IN RHEL7.5:

logging with user gparente that has:

Home directory: /foo/gparente

semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *


in RHEL7.4 after logging with same user:
semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
admin                unconfined_u         s0-s0:c0.c1023       *
...
gparente             unconfined_u         s0-s0:c0.c1023       *
...
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *


Version-Release number of selected component (if applicable): sssd-1.16.0-19.el7_5.5.x86_64


How reproducible: always.
Comment 2 Jakub Hrozek 2018-08-21 14:48:11 UTC 
Is this connected to the case we discussed yesterday with the homedir permissions?

Because from the description only, I don't see why this is an issue, it's an optimization. As you can see, __default__ is unconfined_u and if the 7.5 version doesn't set unconfined_u explicitly, the default will apply.

btw does this issue happen also if you set the SELinux mapping to something else than unconfined? In other words, is this an issue with setting the context or just not setting the default context.
Comment 3 Renaud Métrich 2018-08-21 14:57:43 UTC 
Yes it is connected.

The issue with this "optimization" is that users which are mapped to default "unconfined_u" are not mapped anymore.
This breaks if homedir for user is *not* the standard one, i.e.:
- /home/<user>
or
- /home/<domain>/<user> and no equivalency context has been put in place for /home/<domain>
or
- some other dir e.g. /opt/home/<user> which is defined in backend's user entry and no equivalency context has been put in place manually
Comment 4 Jakub Hrozek 2018-08-21 15:09:36 UTC 
Yes, I just confirmed that with Petr Lautrbach. We need to fix this in SSSD, I guess.

Removing the optimization would be easy, but then every login would incur a substantial IO hit, because setting the context is quite costly. We've already had users disabling the selinux provider just to get better performance, even with this optimization.
Comment 5 Renaud Métrich 2018-08-21 15:12:53 UTC 
I guess the mapping needs to be done only if user's home dir will not have appropriate context.
This check needs probably to be done through some new libsemanage API ...
Comment 6 Jakub Hrozek 2018-08-24 10:32:37 UTC 
I think I have a local patch that fixes the issue. Is it possible if either of you test a package I provide?
Comment 21 aheverle 2018-09-03 19:27:53 UTC 
Created attachment 1480598 [details]
test_selinux
Comment 22 Jakub Hrozek 2018-09-04 10:41:07 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3819
Comment 37 Sumedh Sidhaye 2019-05-16 07:18:09 UTC 
Builds used for verification:
[root@kvm-01-guest03 ~]# rpm -qa sssd ipa-server
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-13.el7.x86_64

Steps:
1. ipa user-add testuser2 --first  test2 --last user --password
2. ssh testuser2.test
3. semanage login -l

Actual Results:
[root@kvm-01-guest03 ~]# ipa user-add testuser2 --first  test2 --last user --password
Password: 
Enter Password again to verify: 
----------------------
Added user "testuser2"
----------------------
  User login: testuser2
  First name: test2
  Last name: user
  Full name: test2 user
  Display name: test2 user
  Initials: tu
  Home directory: /home/testuser2
  GECOS: test2 user
  Login shell: /bin/sh
  Principal name: testuser2
  Principal alias: testuser2
  User password expiration: 20190516064618Z
  Email address: testuser2
  UID: 628800004
  GID: 628800004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@kvm-01-guest03 ~]# hostname
kvm-01-guest03.testrelm.test
[root@kvm-01-guest03 ~]# ssh testuser2.test
Password: 
Password expired. Change your password now.
Current Password: 
Password change failed. Server message: Old password not accepted.

Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
Last failed login: Thu May 16 09:47:10 IDT 2019 from kvm-01-guest03.testrelm.test on ssh:notty
There was 1 failed login attempt since the last successful login.
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by ssidhaye.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/6867964

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/kvm-01-guest03.testrelm.test

 For the default root password, see:
  https://beaker.engineering.redhat.com/prefs/

      Beaker Test information:
                         HOSTNAME=kvm-01-guest03.testrelm.test
                            JOBID=3538096
                         RECIPEID=6867964
                    RESULT_SERVER=[::1]:7095
                           DISTRO=RHEL-7.7-20190514.n.0
                     ARCHITECTURE=x86_64

      Job Whiteboard: 7.7-candidate ssidhaye BZ verification

      Recipe Whiteboard: M
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/testuser2: No such file or directory
-sh-4.2$ logout
Connection to kvm-01-guest03.testrelm.test closed.
[root@kvm-01-guest03 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
test201              unconfined_u         s0-s0:c0.c1023       *
testuser             unconfined_u         s0-s0:c0.c1023       *
testuser2            unconfined_u         s0-s0:c0.c1023       *


Based on above observations marking the bugzilla verified.
Comment 40 errata-xmlrpc 2019-08-06 13:02:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177
Note You need to log in before you can comment on or make changes to this bug.