Description of problem:
Unable to set SELinux user for the user's login.

Version-Release number of selected component (if applicable):
sssd-1.2.1-34.el5

How reproducible:
Always

Steps to Reproduce:
1. Configure SSSD for local domain.
2. sss_useradd -Z user_u luser1
3.

Actual results:
# sss_useradd -Z user_u luser1
Cannot set SELinux login context

Expected results:
User should be added successfully. This works fine in RHEL6.

Additional info:
Relevant sssd.conf section:

[domain/LOCAL]
id_provider = local
auth_provider = local
min_id = 2000
enumerate = true

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

# cat /etc/selinux/targeted/seusers
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
root:root:s0-s0:c0.c1023
__default__:user_u:s0
yyy:user_u:s0

# rpm -qf /usr/lib/libselinux.so
libselinux-1.33.4-5.6.el5
The problem is in the SSSD.

    ret = semanage_commit(handle);
    if (ret != 0) {
        DEBUG(1, ("Cannot commit SELinux transaction\n"));
        ret = EIO;
        goto done;
    }

From semanage/handle.h:

    /* Attempt to commit all changes since this transaction began. If the
     * commit is successful then increment the "policy sequence number"
     * and then release the transaction lock. Return that policy number
     * afterwards, or -1 on error.
     */
    int semanage_commit(semanage_handle_t *);

Whereas most semanage functions return zero on success, this particular command is expected to return a positive integer on success.
Upstream bug: https://fedorahosted.org/sssd/ticket/667
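The return-value mismatch described above, as an added example that is not SSSD's or libsemanage's own code: it puts the quoted `!= 0` check beside a check that follows the contract in semanage/handle.h. `fake_semanage_commit` and `struct fake_handle` are hypothetical stand-ins that model only the documented return values, and the sequence numbers are constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for libsemanage's semanage_commit(). It models only
 * the return contract quoted from semanage/handle.h: the incremented policy
 * sequence number on success, -1 on error. */
struct fake_handle { int policy_seqno; int fail; };

static int fake_semanage_commit(struct fake_handle *h)
{
    if (h->fail)
        return -1;
    return ++h->policy_seqno;
}

/* The check as quoted in the report: any non-zero return is treated as an
 * error, so a commit that succeeded is still reported as EIO. */
static int commit_as_reported(struct fake_handle *h)
{
    int ret = fake_semanage_commit(h);
    if (ret != 0)
        return EIO;
    return 0;
}

/* A check that follows the documented contract: only a negative return is a
 * failure. It also stays correct for calls that return 0 on success. */
static int commit_by_contract(struct fake_handle *h)
{
    int ret = fake_semanage_commit(h);
    if (ret < 0)
        return EIO;
    return 0;
}

int main(void)
{
    /* Constructed handles: one commit that succeeds, one that fails. */
    struct fake_handle ok = { 21, 0 }, bad = { 21, 1 };

    printf("reported check, commit succeeds: %d\n", commit_as_reported(&ok));
    printf("contract check, commit succeeds: %d\n", commit_by_contract(&ok));
    printf("contract check, commit fails:    %d\n", commit_by_contract(&bad));
    return 0;
}
```

With the `!= 0` check the transaction has already been committed by the time the caller reports an error, so the caller's reported result and the policy store disagree.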
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

# sss_useradd -Z user_u luser1

# passwd luser1
Changing password for user luser1.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

# ssh -l luser1 localhost
luser1@localhost's password:
Last login: Mon Nov 8 14:45:15 2010 from localhost.localdomain
$

# ls -ldZ /home/luser1
drwx------ luser1 luser1 user_u:object_r:user_home_dir_t /home/luser1

Verified in sssd-1.2.1-37.el5.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0044.html