Red Hat Bugzilla – Bug 874579
sssd caching not working as expected for selinux usermap contexts
Last modified: 2013-02-21 04:39:47 EST
Description of problem:
If two users' SELinux contexts are stored in the sssd cache and the last user's context is the default SELinux context, then the default SELinux context is applied for the first user as well if the IPA server is not reachable.

Version-Release number of selected component (if applicable):
[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1) If two users' SELinux contexts are stored in the sssd cache and the last user's context is the default SELinux context, then the default SELinux context is applied for the first user as well if the IPA server is not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2 rhel64client1.testrelm.com id -Z
user2@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov  5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping the IPA server, so that the sssd cache is used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    TESTRELM-COM... [ OK ]
Mon Nov  5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov  5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here the SELinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023.

(2) The SSSD cache works fine in the case of a single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    TESTRELM-COM... [ OK ]
Mon Nov  5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#
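Added example, not part of the bug report or of sssd/IPA: a small POSIX shell check that compares each user's SELinux context recorded while the IPA server was reachable with the one sssd applied from its cache after the server was stopped, and flags the signature of this bug, a cached user silently falling back to the default context. The two captures and the default context are constructed from the id -Z values in the reproduction steps above.

```shell
#!/bin/sh
# Added example, not part of the bug report. Compares each user's SELinux
# context recorded while the IPA server was reachable ("online") with the
# context sssd applied from its cache after the server was stopped
# ("offline"). The bug's signature: an offline context equal to the default
# context for a user whose online context was something else.

# Constructed sample captures (one "user context" pair per line), taken from
# the id -Z output in the reproduction steps.
ONLINE_CAPTURE='user1 staff_u:staff_r:staff_t:s0-s0:c0.c1023
user2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
OFFLINE_CAPTURE='user1 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
user2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
# Assumed default context on the client (the one the second user maps to).
DEFAULT_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# lookup_ctx NAME CAPTURE: print the context recorded for NAME, or nothing.
lookup_ctx() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print $2; exit }'
}

# classify_user NAME: OK (cache matches), CLOBBERED (fell back to the
# default context: this bug), or MISMATCH (some other discrepancy).
classify_user() {
    online=$(lookup_ctx "$1" "$ONLINE_CAPTURE")
    offline=$(lookup_ctx "$1" "$OFFLINE_CAPTURE")
    if [ "$online" = "$offline" ]; then
        echo OK
    elif [ "$offline" = "$DEFAULT_CTX" ]; then
        echo CLOBBERED
    else
        echo MISMATCH
    fi
}

# count_clobbered: number of cached users whose context fell back to default.
count_clobbered() {
    n=0
    for u in $(printf '%s\n' "$ONLINE_CAPTURE" | awk '{ print $1 }'); do
        if [ "$(classify_user "$u")" = CLOBBERED ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

for u in user1 user2; do
    printf '%s: %s\n' "$u" "$(classify_user "$u")"
done
```

On a real client the two captures would come from running `id -Z` per user before and after the server is stopped; any CLOBBERED result means the cached mapping was not honoured.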
Upstream ticket: https://fedorahosted.org/sssd/ticket/1626
Verified.

sssd version:
=============
[root@rhel64master ipa-services]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
[root@rhel64master ipa-services]#

Beaker log:
===========
:: [ LOG ] :: ipa-selinuxusermapsvc-client1-010: user1 accessing ibm-hs21-12.testrelm.com from ibm-hs21-12.testrelm.com using SSHD service.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM:
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [08:39:12] :: kinit as admin with password xxxxxxxx was successful.
:: [ PASS ] :: Kinit as admin user
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [ PASS ] :: Running 'getent -s sss passwd user1'
:: [ PASS ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1@ibm-hs21-12.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1@dell-pe1950-1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1@hp-dl140g2-01.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [ PASS ] :: Running 'getent -s sss passwd user2'
:: [ PASS ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2@ibm-hs21-12.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2@dell-pe1950-1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2@hp-dl140g2-01.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Stoping IPA service on hp-dl140g2-01.testrelm.com
:: [ PASS ] :: Running 'chmod +x /local.sh'
Stopping pki-ca: [ OK ]
Stopping httpd: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping named: .[ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping Kerberos 5 KDC: [ OK ]
Shutting down dirsrv:
    PKI-IPA...[ OK ]
    TESTRELM-COM...[ OK ]
Stopping CA Service
Stopping HTTP Service
Stopping MEMCACHE Service
Stopping DNS Service
Stopping KPASSWD Service
Stopping KDC Service
Stopping Directory Service
:: [ PASS ] :: Stop IPA service on MASTER
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [ PASS ] :: Running 'getent -s sss passwd user1'
:: [ PASS ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1@ibm-hs21-12.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1@dell-pe1950-1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1@hp-dl140g2-01.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [ PASS ] :: Running 'getent -s sss passwd user2'
:: [ PASS ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2@ibm-hs21-12.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2@dell-pe1950-1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2@hp-dl140g2-01.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123@ipa.com hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Starting IPA service on hp-dl140g2-01.testrelm.com
:: [ PASS ] :: Running 'chmod +x /local.sh'
Starting dirsrv:
    PKI-IPA...[ OK ]
    TESTRELM-COM...[ OK ]
Starting Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Starting named: [ OK ]
Starting ipa_memcached: [ OK ]
Starting httpd: [ OK ]
Starting pki-ca: [ OK ]
Starting Directory Service
Starting KDC Service
Starting KPASSWD Service
Starting DNS Service
Starting MEMCACHE Service
Starting HTTP Service
Starting CA Service
:: [ PASS ] :: Start IPA service on MASTER
:: [ PASS ] :: Running 'rm -rf ' '5165b832-6474-4239-b48a-692660dafd71'
ipa-selinuxusermapsvc-client1-010 result: PASS
metric: 0
Log: /tmp/beakerlib-10425963/journal.txt
Info: Searching AVC errors produced since 1359553052.57 (Wed Jan 30 08:37:32 2013)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.sYjE4V :
AvcLog: /mnt/testarea/tmp.sYjE4V
:: [ PASS ] :: Running 'rhts-sync-set -s DONE_selinuxusermapsvc_client_010 -m ibm-hs21-12.rhts.eng.rdu.redhat.com'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html