874579 – sssd caching not working as expected for selinux usermap contexts

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 874579 - sssd caching not working as expected for selinux usermap contexts

Summary: sssd caching not working as expected for selinux usermap contexts

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	895654
TreeView+	depends on / blocked

Reported:	2012-11-08 13:29 UTC by Kaleem
Modified:	2020-05-02 17:04 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sssd-1.9.2-67.el6
Doc Type:	Bug Fix
Doc Text:	Cause: SELinux usermap contexts were not ordered correctly if the SELinux mappings were using HBAC rules as a definition of what users to apply the mapping to AND if the IPA server was not reachable at the same time. Consequence: Invalid SELinux context might be assign to a user. Fix: SELinux usermap contexts are ordered correctly even when the client cannot reach the IPA server. Result: Correct SELinux context is assigned to a user.
Clone Of:
Environment:
Last Closed:	2013-02-21 09:39:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2668	0	None	None	None	2020-05-02 17:04:56 UTC
Red Hat Product Errata	RHSA-2013:0508	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 21:30:10 UTC

Description Kaleem 2012-11-08 13:29:51 UTC

Description of problem:
if two user's selinux context is stored in sssd cache and last user's context is default selinux context, then default selinux context is applied for first user as well if IPA server not reachable.

Version-Release number of selected component (if applicable):

[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1)if two user's selinux context is stored in sssd cache and last user's context is default selinux context, then default selinux context is applied for first user as well if IPA server not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2 rhel64client1.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov  5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping IPA Server, so that sssd cache can be used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov  5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here selinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023

(2)SSSD cache works fine in case of single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Comment 2 Dmitri Pal 2012-11-08 14:24:08 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1626

Comment 4 Kaleem 2013-01-31 11:18:16 UTC

Verified.

sssd version:
=============
[root@rhel64master ipa-services]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
[root@rhel64master ipa-services]#

Beaker log:
===========
:: [   LOG    ] :: ipa-selinuxusermapsvc-client1-010: user1 accessing ibm-hs21-12.testrelm.com from ibm-hs21-12.testrelm.com using SSHD service.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [08:39:12] ::  kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user1'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user2'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Stoping IPA service on hp-dl140g2-01.testrelm.com
:: [   PASS   ] :: Running 'chmod +x /local.sh'
Stopping pki-ca: [  OK  ]
Stopping httpd: [  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping named: .[  OK  ]
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping Kerberos 5 KDC: [  OK  ]
Shutting down dirsrv: 
    PKI-IPA...[  OK  ]
    TESTRELM-COM...[  OK  ]
Stopping CA Service
Stopping HTTP Service
Stopping MEMCACHE Service
Stopping DNS Service
Stopping KPASSWD Service
Stopping KDC Service
Stopping Directory Service
:: [   PASS   ] :: Stop IPA service on MASTER
user1:*:258600014:258600014:user1 user1:/home/user1:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user1'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 ibm-hs21-12.testrelm.com id -Z
user1.com's password: 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
staff_u:staff_r:staff_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 ibm-hs21-12.testrelm.com staff_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 dell-pe1950-1.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user1
spawn ssh -l user1 hp-dl140g2-01.testrelm.com id -Z
user1.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user1 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
user2:*:258600015:258600015:user2 user2:/home/user2:/bin/sh
:: [   PASS   ] :: Running 'getent -s sss passwd user2'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 ibm-hs21-12.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 ibm-hs21-12.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 dell-pe1950-1.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 dell-pe1950-1.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Authentication successful for user2
spawn ssh -l user2 hp-dl140g2-01.testrelm.com id -Z
user2.com's password: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Running 'cat /tmp/tmpfile.out'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [   PASS   ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [   PASS   ] :: Running 'verify_ssh_auth_success_selinuxuser user2 testpw123 hp-dl140g2-01.testrelm.com unconfined_u:.*s0-s0:c0.c1023'
:: [   PASS   ] :: Starting IPA service on hp-dl140g2-01.testrelm.com
:: [   PASS   ] :: Running 'chmod +x /local.sh'
Starting dirsrv: 
    PKI-IPA...[  OK  ]
    TESTRELM-COM...[  OK  ]
Starting Kerberos 5 KDC: [  OK  ]
Starting Kerberos 5 Admin Server: [  OK  ]
Starting named: [  OK  ]
Starting ipa_memcached: [  OK  ]
Starting httpd: [  OK  ]
Starting pki-ca: [  OK  ]
Starting Directory Service
Starting KDC Service
Starting KPASSWD Service
Starting DNS Service
Starting MEMCACHE Service
Starting HTTP Service
Starting CA Service
:: [   PASS   ] :: Start IPA service on MASTER
:: [   PASS   ] :: Running 'rm -rf '
'5165b832-6474-4239-b48a-692660dafd71'
ipa-selinuxusermapsvc-client1-010 result: PASS
   metric: 0
   Log: /tmp/beakerlib-10425963/journal.txt
    Info: Searching AVC errors produced since 1359553052.57 (Wed Jan 30 08:37:32 2013)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.sYjE4V
:
   AvcLog: /mnt/testarea/tmp.sYjE4V
:: [   PASS   ] :: Running 'rhts-sync-set -s DONE_selinuxusermapsvc_client_010 -m ibm-hs21-12.rhts.eng.rdu.redhat.com'

Comment 5 errata-xmlrpc 2013-02-21 09:39:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.