Bug 870053 - Default SELinuxusermaporder needs to mapped with default selinux users list
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Depends On:
Blocks:
Reported: 2012-10-25 09:39 EDT by Kaleem
Modified: 2013-02-21 04:29 EST (History)

See Also:
Fixed In Version: ipa-3.0.0-8.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:29:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2013:0528
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: ipa security, bug fix and enhancement update
Last Updated: 2013-02-21 03:22:21 EST
Comment 2 Dmitri Pal 2012-10-29 19:27:21 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3224
Comment 3 Rob Crittenden 2012-11-02 10:19:32 EDT
Fixed upstream. Only user_u was changed.

master: 7c2eb48850de6eae7cce521053586a5d48c3d12e

ipa-3-0: 56beef9f775a28973106d074b191c48ab99d179d
Comment 6 Kaleem 2013-01-30 09:45:29 EST
Verified.

ipa-server version:
==================
[root@rhel64master ~]# rpm -qa|grep ipa-*
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-24.el6.x86_64
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-client-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.9.2-82.el6.x86_64
ipa-admintools-3.0.0-24.el6.x86_64
[root@rhel64master ~]#

(1) Default config shows user_u:s0 now.

[root@rhel64master ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermap1 --all
  dn: ipaUniqueID=b86c526e-6ae9-11e2-86a0-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermap1
  SELinux User: user_u:s0
  HBAC Rule: rule1
  Enabled: TRUE
  ipauniqueid: b86c526e-6ae9-11e2-86a0-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]# ssh -l user1 rhel64master.testrelm.com id -Z
user_u:user_r:user_t:s0
[root@rhel64master ~]#

Beaker log:
==========
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-selinuxusermapsvc-004-2: user1 associated with different selinuxusermap to access kvm-guest-05.testrelm.com - delete selinuxusermap2 from the prev test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM: 
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [01:41:33] ::  kinit as admin with password XXXXXXX was successful.
:: [   PASS   ] :: Kinit as admin user
----------------------------------------------
Deleted SELinux User Map "selinuxusermaprule2"
----------------------------------------------
:: [   PASS   ] :: Running 'ipa selinuxusermap-del selinuxusermaprule2'
:: [   PASS   ] :: Running 'rlDistroDiff keyctl'
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1@TESTRELM.COM
Password for user1@TESTRELM.COM: 
Authenticated to Kerberos v5
Default principal: user1@TESTRELM.COM
:: [01:41:36] ::  kinit as user1 with password xxxxxxxxx was successful.
:: [   PASS   ] :: Kinit as user1
user_u:user_r:user_t:s0
:: [   PASS   ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [   PASS   ] :: Authentication of user1 to kvm-guest-05.testrelm.com has selinux policy user_u:s0
:: [   PASS   ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Authentication of user1 to kvm-guest-05.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023 
:: [   PASS   ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Authentication of user1 to hp-bl460c-02.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
user_u:user_r:user_t:s0
:: [   PASS   ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [   PASS   ] :: Authentication of user1 to hp-bl460c-02.testrelm.com does not have selinux policy user_u:s0
:: [   PASS   ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Authentication of user1 to hp-bl495cg5-02.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
user_u:user_r:user_t:s0
:: [   PASS   ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [   PASS   ] :: Authentication of user1 to hp-bl495cg5-02.testrelm.com has selinux policy user_u:s0
:: [   PASS   ] :: Running 'rlDistroDiff keyctl'
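The verification in Comment 6 shows the two IPA settings this bug is about: the SELinux user map order and the default SELinux user. The script below is an added example, not part of this bug report and not FreeIPA code, of a consistency check an administrator can run over those two values: it parses the `$`-separated order string, verifies that each entry is a well-formed SELinux user plus MLS range, that the default SELinux user is one of the entries, and that each entry's user and range match what the host's policy defines. The map order and default user strings are copied from the `ipa config-show` output above; the table of policy-defined users and ranges is a constructed stand-in for what `semanage user -l` would report on the target host, and its contents are an assumption.

```python
"""Consistency check for an IPA SELinux user map order string.

Added example (not from the bug report or from FreeIPA). Checks that the
configured map order agrees with the SELinux users the target policy defines,
which is the mismatch this bug was filed for.
"""
import re

# Values copied from the `ipa config-show` output in Comment 6.
MAP_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023"
             "$unconfined_u:s0-s0:c0.c1023")
DEFAULT_USER = "unconfined_u:s0-s0:c0.c1023"

# Constructed sample (assumption): SELinux users and their MLS ranges as a
# targeted-policy host would list them with `semanage user -l`.
POLICY_USERS = {
    "guest_u": "s0",
    "xguest_u": "s0",
    "user_u": "s0",
    "staff_u": "s0-s0:c0.c1023",
    "unconfined_u": "s0-s0:c0.c1023",
}

# One map entry: <selinux_user>:<mls_level>[-<mls_level>], e.g. staff_u:s0-s0:c0.c1023
_LEVEL = r"s[0-9]+(?::c[0-9]+(?:\.c[0-9]+)?)?"
ENTRY_RE = re.compile(r"^(?P<user>[a-z_][a-z0-9_]*):(?P<mls>%s(?:-%s)?)$"
                      % (_LEVEL, _LEVEL))


def parse_order(order):
    """Split the '$'-separated order string into (user, mls) tuples, in order.

    Raises ValueError on an entry that is not <user>:<range>, so a typo in the
    config surfaces here instead of as a silent mapping failure at login.
    """
    entries = []
    for raw in order.split("$"):
        match = ENTRY_RE.match(raw)
        if not match:
            raise ValueError("malformed SELinux user map entry: %r" % raw)
        entries.append((match.group("user"), match.group("mls")))
    return entries


def check_map_order(order, default_user, policy_users):
    """Return a list of problems; an empty list means the order is consistent.

    The range comparison is deliberately strict: an entry must carry exactly
    the range the policy defines for that user, which is what the verified
    default (user_u:s0, staff_u:s0-s0:c0.c1023, ...) satisfies.
    """
    problems = []
    entries = parse_order(order)
    seen = set()
    for user, mls in entries:
        if user in seen:
            problems.append("duplicate entry for %s" % user)
        seen.add(user)
        if user not in policy_users:
            problems.append("%s is not a SELinux user in the policy" % user)
        elif policy_users[user] != mls:
            problems.append("%s has range %s in the map order but %s in the policy"
                            % (user, mls, policy_users[user]))
    # IPA requires the default SELinux user to be one of the ordered entries.
    if default_user not in ("%s:%s" % entry for entry in entries):
        problems.append("default SELinux user %s is not in the map order"
                        % default_user)
    return problems


if __name__ == "__main__":
    for problem in check_map_order(MAP_ORDER, DEFAULT_USER, POLICY_USERS) or ["OK"]:
        print(problem)
```

On a real host, replace `POLICY_USERS` with the user and range columns of `semanage user -l`, and feed `check_map_order` the "SELinux user map order" and "Default SELinux user" lines from `ipa config-show`; any reported problem means a user mapped through a `selinuxusermap` rule can end up with a context the policy does not define.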
Comment 8 errata-xmlrpc 2013-02-21 04:29:21 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
