
Bug 1667962

Summary: ipa-client blocked by SELinux in user context
Product: Red Hat Enterprise Linux 7
Reporter: paul
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.6
CC: fcami, frenaud, lvrabec, mmalik, plautrba, pvoborni, rcritten, rmetrich, ssekidde, tscherf, vmojzis, zpytela
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-06 12:52:54 UTC
Type: Bug
Regression: ---

Description paul 2019-01-21 15:16:44 UTC
Description of problem:
When in user context (id -Z is user_u:user_r:user_t:s0) and SELinux is enabled, any ipa command will give "IPA client is not configured on this system". When SELinux is disabled all works fine.

Version-Release number of selected component (if applicable):
selinux-policy.noarch                       3.13.1-229.el7_6.6
selinux-policy-targeted.noarch              3.13.1-229.el7_6.6
ipa-client.x86_64                           4.6.4-10.el7.centos    
ipa-client-common.noarch                    4.6.4-10.el7.centos 

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
"IPA client is not configured on this system"

Expected results:
normal ipa command output

Additional info:
With SELinux in debug mode (semodule -DB) and ausearch I found out ipa-client needs:
#============= user_t ==============
allow user_t realmd_var_lib_t:dir search;
allow user_t realmd_var_lib_t:dir getattr;
allow user_t realmd_var_lib_t:dir open;
allow user_t realmd_var_lib_t:dir read;

Comment 2 Florence Blanc-Renaud 2019-02-06 13:17:52 UTC
Issue is reproducible with the following steps:
[root@master]$ kinit admin
[root@master]$ echo Secret123 | ipa user-add user1 --first user1 --last user1 --password
[root@master]$ ipa selinuxusermap-add user --selinuxuser user_u:s0 --hostcat=all
[root@master]$ ipa selinuxusermap-add-user user --users=user1

[root@master]$ ssh -l user1 `hostname`
Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
-sh-4.2$ id -Z
user_u:user_r:user_t:s0
-sh-4.2$ ipa user-find
IPA client is not configured on this system


The ipa * commands check if the machine is a client by ensuring that /etc/ipa/default.conf exists and /var/lib/ipa-client/sysrestore directory exists.
user_u doesn't have access to /var/lib/ipa-client/sysrestore directory:
As user1:
-sh-4.2$ ls -l /var/lib/ipa-client/sysrestore
ls: cannot access /var/lib/ipa-client/sysrestore: Permission denied

Comment 11 François Cami 2019-02-12 11:25:51 UTC
Hi,

This is an expected behavior of the current SELinux policy.
To see the AVCs you will have to disable the dontaudit rules first "semodule -DB" and then reproduce the issue. To re-enable dontaudit use "semodule -B".

To work around the issue you can try the following:

Create a myusers.te file containing:

###################
module myusers 1.0;

require {
	type realmd_var_lib_t;
	type user_t;
	class dir { getattr open read search };
}

#============= user_t ==============
allow user_t realmd_var_lib_t:dir { getattr open read search };
###################

Compile it:
###################
# checkmodule -M -m -o myusers.mod myusers.te 
checkmodule:  loading policy configuration from myusers.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 19) to myusers.mod
# semodule_package -o myusers.pp -m myusers.mod
###################

Load the module:
###################
# semodule -i myusers.pp
###################

and then it should work.

Additional notes: the only directory labeled realmd_var_lib_t is /var/lib/ipa-client:
###################
/var/lib/ipa-client(/.*)?                          all files          system_u:object_r:realmd_var_lib_t:s0 
###################

If you are using CentOS (ipa-client.x86_64 4.6.4-10.el7.centos) please use the users mailing list at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
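Added example (not part of this bug report or of the selinux-policy project): a small, scoped stand-in for audit2allow that turns AVC records like the ones behind the description's four rules into the .te module shown above. It emits rules only for the target type the bug concerns (realmd_var_lib_t), so unrelated denials captured while dontaudit rules were disabled are not silently allowed along with it. The audit records below are constructed to match this bug.

```python
"""Generate a minimal SELinux .te module from AVC denials, scoped to one target type."""
import re
from collections import defaultdict

# Constructed sample of audit records after `semodule -DB` (real records carry more fields).
# The last record is unrelated noise to show that it is NOT turned into an allow rule.
SAMPLE_AVCS = """\
type=AVC msg=audit(1548082600.101:201): avc:  denied  { search } for  pid=2001 comm="ipa" name="ipa-client" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1548082600.102:202): avc:  denied  { getattr } for  pid=2001 comm="ipa" path="/var/lib/ipa-client/sysrestore" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1548082600.103:203): avc:  denied  { read open } for  pid=2001 comm="ipa" path="/var/lib/ipa-client/sysrestore" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1548082600.104:204): avc:  denied  { read } for  pid=2002 comm="ipa" path="/var/lib/sss" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)"
)

def _type_of(context: str) -> str:
    """user:role:type[:range] -> type (index 2 is stable even with an MLS range)."""
    return context.split(":")[2]

def collect_denials(log_text: str, target_type: str) -> dict:
    """Map (source_type, target_type, class) -> set of denied permissions for one target type."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = _type_of(m["scon"]), _type_of(m["tcon"])
        if tgt != target_type:
            continue  # out of scope: never convert unrelated denials into allow rules
        rules[(src, tgt, m["cls"])].update(m["perms"].split())
    return dict(rules)

def render_te(rules: dict, module: str = "myusers", version: str = "1.0") -> str:
    """Render the require block and allow rules in the syntax checkmodule -M -m expects."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te(collect_denials(SAMPLE_AVCS, "realmd_var_lib_t")))
```

The output is the same myusers.te as in the comment above; feed it to `checkmodule -M -m` and `semodule_package` (or the devel Makefile) as described there.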

Comment 12 Renaud Métrich 2019-02-12 11:51:45 UTC
In order to compile the module, you should issue the following command instead, assuming "myusers.te" file exists:

# make -f /usr/share/selinux/devel/Makefile myusers.pp

Renaud.

Comment 24 errata-xmlrpc 2019-08-06 12:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127