Bug 867932 - Selinuxusermap rule is not honoured
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2012-10-18 11:21 EDT by Kaleem
Modified: 2013-02-21 04:37 EST (History)
Fixed In Version: sssd-1.9.2-4.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Last Closed: 2013-02-21 04:37:44 EST
Type: Bug
Comment 2 Jakub Hrozek 2012-10-18 11:36:40 EDT
This is a build-time issue in RHEL only. We need to make sure that we build against the correct selinux-policy version to make sure #855889 is fixed in the buildroot.
Comment 4 Kaleem 2012-10-26 01:11:53 EDT
Verified.
Selinuxusermap rule is working as expected.

RHEL Version:
=============
[root@rhel64master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.4 Beta (Santiago)
[root@rhel64master ~]#

IPA and SSSD version:
=====================
[root@rhel64master ~]# rpm -qa|grep ipa|sort
ipa-admintools-3.0.0-5.el6.x86_64
ipa-client-3.0.0-5.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-5.el6.x86_64
ipa-server-3.0.0-5.el6.x86_64
ipa-server-selinux-3.0.0-5.el6.x86_64
libipa_hbac-1.9.2-4.el6.x86_64
libipa_hbac-python-1.9.2-4.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
[root@rhel64master ~]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64master ~]#

Steps used to verify:
====================
(1) Added a selinuxusermap rule for staff_u

  [root@rhel64master ~]# ipa selinuxusermap-show selinuxusermaprule1 --all
  dn: ipaUniqueID=77b0cdfa-1f2a-11e2-a886-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermaprule1
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: user1
  Hosts: rhel64client1.testrelm.com
  ipauniqueid: 77b0cdfa-1f2a-11e2-a886-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]#

(2) Try to get context assigned to user in selinuxusermap rule

[root@rhel64master ~]# kinit user1
Password for user1@TESTRELM.COM: 
[root@rhel64master ~]# ssh -l user1 rhel64client1.testrelm.com id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64master ~]#
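
The check done by hand in steps (1) and (2) of comment 4, as an added shell example that is not part of the bug report or of sssd: it compares a rule's "SELinux User" value with the context that `id -Z` reports for the session. The function name `check_mapping` is hypothetical, the second sample context is constructed, and the check assumes the session's MLS range equals the rule's range, as in the output above.

```shell
#!/bin/sh
# Added example; check_mapping is a hypothetical helper, not an IPA/sssd tool.
#
# check_mapping RULE_VALUE CONTEXT
#   RULE_VALUE: "SELinux User" field of the rule, e.g. staff_u:s0-s0:c0.c1023
#   CONTEXT:    output of `id -Z` in the login session
# Returns 0 if the session got the rule's SELinux user and MLS range,
# 1 on a mismatch, 2 if either argument is malformed.
check_mapping() (
    rule=$1 ctx=$2

    # The rule value is user:range. The range can itself contain ':'
    # (s0-s0:c0.c1023), so split on the first ':' only.
    case $rule in
        ?*:?*) rule_user=${rule%%:*}; rule_range=${rule#*:} ;;
        *) echo "malformed rule value: $rule" >&2; exit 2 ;;
    esac

    # A context is user:role:type:range. Peel off three fields and keep
    # everything after them as the range.
    case $ctx in
        ?*:?*:?*:?*) ;;
        *) echo "malformed context: $ctx" >&2; exit 2 ;;
    esac
    ctx_user=${ctx%%:*}; rest=${ctx#*:}
    rest=${rest#*:}          # drop the role
    ctx_range=${rest#*:}     # drop the type, keep the range

    if [ "$ctx_user" != "$rule_user" ]; then
        echo "MISMATCH: session user $ctx_user, rule maps to $rule_user"
        exit 1
    fi
    if [ "$ctx_range" != "$rule_range" ]; then
        echo "MISMATCH: session range $ctx_range, rule range $rule_range"
        exit 1
    fi
    echo "OK: $ctx_user $ctx_range"
)

# First call: the values from the verification above.
check_mapping 'staff_u:s0-s0:c0.c1023' 'staff_u:staff_r:staff_t:s0-s0:c0.c1023'
# Second call: a constructed context for a session that did not get the
# mapped user, which is the failure this bug describes.
check_mapping 'staff_u:s0-s0:c0.c1023' \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' || true
```
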
Comment 5 errata-xmlrpc 2013-02-21 04:37:44 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
