Bug 1667962 - ipa-client blocked by SELinux in user context
Summary: ipa-client blocked by SELinux in user context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-21 15:16 UTC by paul
Modified: 2019-08-06 12:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:52:54 UTC
Target Upstream Version:
Embargoed:




Links:
- Red Hat Knowledge Base (Solution) 3904231 (last updated 2019-02-12 10:23:46 UTC)
- Red Hat Product Errata RHBA-2019:2127 (last updated 2019-08-06 12:53:18 UTC)

Description paul 2019-01-21 15:16:44 UTC
Description of problem:
When in user context (id -Z is user_u:user_r:user_t:s0) and SELinux is enabled, any ipa command will give "IPA client is not configured on this system". When SELinux is disabled all works fine.

Version-Release number of selected component (if applicable):
selinux-policy.noarch                       3.13.1-229.el7_6.6
selinux-policy-targeted.noarch              3.13.1-229.el7_6.6
ipa-client.x86_64                           4.6.4-10.el7.centos    
ipa-client-common.noarch                    4.6.4-10.el7.centos 

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
"IPA client is not configured on this system"

Expected results:
normal ipa command output

Additional info:
With SELinux in debug mode (semodule -DB) and ausearch I found out ipa-client needs:
#============= user_t ==============
allow user_t realmd_var_lib_t:dir search;
allow user_t realmd_var_lib_t:dir getattr;
allow user_t realmd_var_lib_t:dir open;
allow user_t realmd_var_lib_t:dir read;

Comment 2 Florence Blanc-Renaud 2019-02-06 13:17:52 UTC
Issue is reproducible with the following steps:
[root@master]$ kinit admin
[root@master]$ echo Secret123 | ipa user-add user1 --first user1 --last user1 --password
[root@master]$ ipa selinuxusermap-add user --selinuxuser user_u:s0 --hostcat=all
[root@master]$ ipa selinuxusermap-add-user user --users=user1

[root@master]$ ssh -l user1 `hostname`
Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
-sh-4.2$ id -Z
user_u:user_r:user_t:s0
-sh-4.2$ ipa user-find
IPA client is not configured on this system


The ipa * commands check if the machine is a client by ensuring that /etc/ipa/default.conf exists and /var/lib/ipa-client/sysrestore directory exists.
user_u doesn't have access to /var/lib/ipa-client/sysrestore directory:
As user1:
-sh-4.2$ ls -l /var/lib/ipa-client/sysrestore
ls: cannot access /var/lib/ipa-client/sysrestore: Permission denied

Comment 11 François Cami 2019-02-12 11:25:51 UTC
Hi,

This is an expected behavior of the current SELinux policy.
To see the AVCs you will have to disable the dontaudit rules first "semodule -DB" and then reproduce the issue. To re-enable dontaudit use "semodule -B".

To work around the issue you can try the following:

Create a myusers.te file containing:

###################
module myusers 1.0;

require {
	type realmd_var_lib_t;
	type user_t;
	class dir { getattr open read search };
}

#============= user_t ==============
allow user_t realmd_var_lib_t:dir { getattr open read search };
###################

Compile it:
###################
# checkmodule -M -m -o myusers.mod myusers.te 
checkmodule:  loading policy configuration from myusers.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 19) to myusers.mod
# semodule_package -o myusers.pp -m myusers.mod
###################

Load the module:
###################
# semodule -i myusers.pp
###################

and then it should work.

Additional notes: the only directory labeled realmd_var_lib_t is /var/lib/ipa-client:
###################
/var/lib/ipa-client(/.*)?                          all files          system_u:object_r:realmd_var_lib_t:s0 
###################

If you are using CentOS (ipa-client.x86_64 4.6.4-10.el7.centos) please use the users mailing list at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
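An added example, not code from the report or from Red Hat: a small Python script that does by program what the reporter did by hand with ausearch, merging AVC denial records into the myusers.te module shown in comment 11 (one allow rule per source type, target type and class, plus the matching require block). The audit records in SAMPLE_AUDIT are constructed to match the four dir denials from the description; the pid, inode and timestamp values are made up.

```python
import re
from collections import defaultdict

# Fields of an audit AVC record (audit.log / ausearch output) that an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Parse one AVC denial; returns None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third colon-separated field of a context such as user_u:user_r:user_t:s0.
    return {"perms": set(m.group("perms").split()),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}

def generate_module(records, name="myusers", version="1.0"):
    """Merge denials into one allow rule per (source, target, class) and emit a .te module."""
    rules = defaultdict(set)                       # (stype, ttype, tclass) -> permissions
    for rec in records:
        avc = parse_avc(rec)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    classes = defaultdict(set)                     # tclass -> every permission used on it
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

# Constructed sample records: the four denials from the report plus one unrelated USER_AUTH line.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1548083781.101:401): avc:  denied  { search } for  pid=2001 comm="ipa" name="ipa-client" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1548083781.102:402): avc:  denied  { getattr } for  pid=2001 comm="ipa" path="/var/lib/ipa-client/sysrestore" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1548083781.103:403): avc:  denied  { read } for  pid=2001 comm="ipa" name="sysrestore" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1548083781.104:404): avc:  denied  { open } for  pid=2001 comm="ipa" path="/var/lib/ipa-client/sysrestore" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir permissive=0',
    "type=USER_AUTH msg=audit(1548083780.900:400): pid=1999 uid=0 msg='op=PAM:authentication acct=user1 res=success'",
]

if __name__ == "__main__":
    print(generate_module(SAMPLE_AUDIT), end="")
```

The generated rule grants user_t search/read on every directory labelled realmd_var_lib_t, which per the fcontext quoted above is the whole /var/lib/ipa-client tree, not only sysrestore.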

Comment 12 Renaud Métrich 2019-02-12 11:51:45 UTC
In order to compile the module, you should issue the following command instead, assuming "myusers.te" file exists:

# make -f /usr/share/selinux/devel/Makefile myusers.pp

Renaud.

Comment 24 errata-xmlrpc 2019-08-06 12:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127

