Bug 874579 - sssd caching not working as expected for selinux usermap contexts
Summary: sssd caching not working as expected for selinux usermap contexts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 895654
Reported: 2012-11-08 13:29 UTC by Kaleem
Modified: 2020-05-02 17:04 UTC (History)

Fixed In Version: sssd-1.9.2-67.el6
Doc Type: Bug Fix
Doc Text:
Cause: SELinux usermap contexts were not ordered correctly when the SELinux mappings used HBAC rules to define which users the mapping applies to and, at the same time, the IPA server was not reachable. Consequence: An invalid SELinux context might be assigned to a user. Fix: SELinux usermap contexts are ordered correctly even when the client cannot reach the IPA server. Result: The correct SELinux context is assigned to the user.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:39:47 UTC
Target Upstream Version:


Links
  Github SSSD sssd issues 2668 (priority: None, status: None, summary: None), last updated 2020-05-02 17:04:56 UTC
  Red Hat Product Errata RHSA-2013:0508 (priority: normal, status: SHIPPED_LIVE, summary: Low: sssd security, bug fix and enhancement update), last updated 2013-02-20 21:30:10 UTC

Description Kaleem 2012-11-08 13:29:51 UTC
Description of problem:
If two users' SELinux contexts are stored in the sssd cache and the last user's context is the default SELinux context, then the default SELinux context is applied to the first user as well when the IPA server is not reachable.

Version-Release number of selected component (if applicable):

[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1) If two users' SELinux contexts are stored in the sssd cache and the last user's context is the default SELinux context, then the default SELinux context is applied to the first user as well when the IPA server is not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z
user1@rhel64client1.testrelm.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2 rhel64client1.testrelm.com id -Z
user2@rhel64client1.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov  5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping the IPA server so that the sssd cache is used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov  5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here the SELinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023

(2) The SSSD cache works fine in the case of a single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#
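
The reproduction above boils down to one check: the context a user gets while the IPA server is reachable must equal the context served from the sssd cache once the server is down. The script below is an added regression check for exactly that comparison; it is not part of the bug report or of sssd. The function names (capture_contexts, compare_contexts, demo_mismatch_count) and the "user context" one-pair-per-line file format are assumptions of this example, and the sample data is constructed to mirror the transcript (user1 staff_u online, unconfined_u from cache).

```shell
#!/bin/sh
# Added example, not from the bug report: flag users whose cached (offline)
# SELinux context differs from the context assigned while IPA was reachable.
# Capture files hold one "user context" pair per line, as printed by `id -Z`.

# Constructed sample mirroring the report: user1 drifts from staff_u to
# unconfined_u once the IPA server is stopped; user2 is unchanged.
ONLINE_SAMPLE='user1 staff_u:staff_r:staff_t:s0-s0:c0.c1023
user2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
OFFLINE_SAMPLE='user1 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
user2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# capture_contexts HOST USER... : print "user context" lines by running
# `id -Z` as each user over ssh (password prompts appear as in the report).
capture_contexts() {
    host=$1; shift
    for u in "$@"; do
        printf '%s %s\n' "$u" "$(ssh -l "$u" "$host" id -Z)"
    done
}

# compare_contexts ONLINE_FILE OFFLINE_FILE : print one line per user whose
# cached context is missing or differs from the online one; return 1 if any.
compare_contexts() {
    online=$1 offline=$2 rc=0
    while read -r user ctx; do
        cached=$(awk -v u="$user" '$1 == u { print $2 }' "$offline")
        if [ -z "$cached" ]; then
            printf 'MISSING %s (no cached context)\n' "$user"; rc=1
        elif [ "$cached" != "$ctx" ]; then
            printf 'DRIFT %s online=%s cached=%s\n' "$user" "$ctx" "$cached"; rc=1
        fi
    done < "$online"
    return "$rc"
}

# Run the comparison on the constructed sample and print the number of
# drifted users (1 for the sample above).
demo_mismatch_count() {
    tmp=$(mktemp -d)
    printf '%s\n' "$ONLINE_SAMPLE" > "$tmp/online"
    printf '%s\n' "$OFFLINE_SAMPLE" > "$tmp/offline"
    compare_contexts "$tmp/online" "$tmp/offline" | grep -c '^DRIFT'
    rm -rf "$tmp"
}
```

In a real run, call capture_contexts before and after stopping IPA, save both outputs, and feed the two files to compare_contexts; a non-zero exit means the cached mapping order is wrong.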

Comment 2 Dmitri Pal 2012-11-08 14:24:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1626

Comment 4 Kaleem 2013-01-31 11:18:16 UTC
Verified.

sssd version:
=============
[root@rhel64master ipa-services]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
[root@rhel64master ipa-services]#

Beaker log:
===========
:: [   LOG    ] :: ipa-selinuxusermapsvc-client1-010: user1 accessing ibm-hs21-12.testrelm.com from ibm-hs21-12.testrelm.com using SSHD service.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM: 
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [08:39:12] ::  kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user1'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1@ibm-hs21-12.testrelm.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1@dell-pe1950-1.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1@hp-dl140g2-01.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user2'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2@ibm-hs21-12.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2@dell-pe1950-1.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2@hp-dl140g2-01.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Stoping IPA service on hp-dl140g2-01.testrelm.com
:: [   PASS   ] :: Running 'chmod +x /local.sh'
Stopping pki-ca: [  OK  ]
Stopping httpd: [  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping named: .[  OK  ]
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping Kerberos 5 KDC: [  OK  ]
Shutting down dirsrv: 
    PKI-IPA...[  OK  ]
    TESTRELM-COM...[  OK  ]
Stopping CA Service
Stopping HTTP Service
Stopping MEMCACHE Service
Stopping DNS Service
Stopping KPASSWD Service
Stopping KDC Service
Stopping Directory Service
:: [   PASS   ] :: Stop IPA service on MASTER
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user1'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1@ibm-hs21-12.testrelm.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1@dell-pe1950-1.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1@hp-dl140g2-01.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user2'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2@ibm-hs21-12.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2@dell-pe1950-1.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2@hp-dl140g2-01.testrelm.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Starting IPA service on hp-dl140g2-01.testrelm.com
:: [   PASS   ] :: Running 'chmod +x /local.sh'
Starting dirsrv: 
    PKI-IPA...[  OK  ]
    TESTRELM-COM...[  OK  ]
Starting Kerberos 5 KDC: [  OK  ]
Starting Kerberos 5 Admin Server: [  OK  ]
Starting named: [  OK  ]
Starting ipa_memcached: [  OK  ]
Starting httpd: [  OK  ]
Starting pki-ca: [  OK  ]
Starting Directory Service
Starting KDC Service
Starting KPASSWD Service
Starting DNS Service
Starting MEMCACHE Service
Starting HTTP Service
Starting CA Service
:: [   PASS   ] :: Start IPA service on MASTER
:: [   PASS   ] :: Running 'rm -rf '
'5165b832-6474-4239-b48a-692660dafd71'
ipa-selinuxusermapsvc-client1-010 result: PASS
   metric: 0
   Log: /tmp/beakerlib-10425963/journal.txt
    Info: Searching AVC errors produced since 1359553052.57 (Wed Jan 30 08:37:32 2013)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.sYjE4V
:
   AvcLog: /mnt/testarea/tmp.sYjE4V
:: [   PASS   ] :: Running 'rhts-sync-set -s DONE_selinuxusermapsvc_client_010 -m ibm-hs21-12.rhts.eng.rdu.redhat.com'

Comment 5 errata-xmlrpc 2013-02-21 09:39:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

