Bug 887193 - SSSD allows SELinux context for user to be set, however SELinux tools are not updated to reflect this.
SSSD allows SELinux context for user to be set, however SELinux tools are not...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
6.4
All Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Rob Crittenden
Namita Soman
:
: 1016638 1027302 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-14 04:51 EST by Taunus
Modified: 2013-11-20 10:09 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
IdM server in Red Hat Enterprise Linux 6.3 introduced a technical preview of SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by the IdM based on custom rules. However, the default configured SELinux user (guest_u:s0) used when no custom rule matches is too constraining. An IdM user authenticating to Red Hat Enterprise Linux 6.4 can be assigned the too constraining SELinux user in which case a login through graphical session would always fail. To work around this problem, change a too constraining default SELinux user in the IdM server from guest_u:s0 to a more relaxed value unconfined_u:s0-s0:c0.c1023: kinit admin ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 An unconfined SELinux user will be now assigned to the IdM user by default, which will allow the user to successfully authenticate through graphical interface.
Story Points: ---
Clone Of: 876363
Environment:
Last Closed: 2013-03-01 10:01:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Taunus 2012-12-14 04:51:44 EST
+++ This bug was initially created as a clone of Bug #876363 +++

We spent some good time this morning trying to chase down why my user in Fedora was a guest_u. It turns out this was a combination of IPA and SSSD working as they ought to. However, it was very unclear while trying to debug this that this was the case. 

Tools like:

selinuxdefcon
semanage login -l

Did not reflect the reality of the situation as they are all presumably based off of the config present in the filesystem. 

You can get a nice overview of what we went through here:
http://lists.fedoraproject.org/pipermail/selinux/2012-November/014925.html

Read the whole thread, you will see what we worked through.

-Erinn

--- Additional comment from Daniel Walsh on 2012-11-14 14:50:40 EST ---

Fixed in policycoreutils-2.1.13-33

--- Additional comment from Fedora Update System on 2012-11-14 14:51:08 EST ---

policycoreutils-2.1.13-33.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/policycoreutils-2.1.13-33.fc18

--- Additional comment from Fedora Update System on 2012-11-15 01:29:35 EST ---

Package policycoreutils-2.1.13-33.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.13-33.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18259/policycoreutils-2.1.13-33.fc18
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2012-11-16 21:25:45 EST ---

Package policycoreutils-2.1.13-34.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.13-34.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18259/policycoreutils-2.1.13-34.fc18
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2012-11-23 02:54:59 EST ---

policycoreutils-2.1.13-34.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 Taunus 2012-12-14 05:12:49 EST
Hi,

the same problem seems to exist with rhel 6.3 ipa server, rhel 6.4beta sssd client and selinux. User cannot login, gdm says "unable to open session" when trying. oddjob created homedir.

This is what I see in /var/log/secure:

Dec 14 12:03:10 hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=username
Dec 14 12:03:10 hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=username
Dec 14 12:03:10 hostname pam: gdm-password: pam_selinux(gdm-password:session): Error!  Unable to set username key creation context guest_u:guest_r:oddjob_mkhomedir_t:s0.

sssd-1.9.2-24.el6.x86_64
Comment 3 Miroslav Grepl 2012-12-14 05:18:07 EST
(In reply to comment #2)
> Hi,
> 
> the same problem seems to exist with rhel 6.3 ipa server, rhel 6.4beta sssd
> client and selinux. User cannot login, gdm says "unable to open session"
> when trying. oddjob created homedir.
> 
> This is what I see in /var/log/secure:
> 
> Dec 14 12:03:10 hostname pam: gdm-password: pam_unix(gdm-password:auth):
> authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= 
> user=username
> Dec 14 12:03:10 hostname pam: gdm-password: pam_sss(gdm-password:auth):
> authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost=
> user=username
> Dec 14 12:03:10 hostname pam: gdm-password:
> pam_selinux(gdm-password:session): Error!  Unable to set username key
> creation context guest_u:guest_r:oddjob_mkhomedir_t:s0.
> 
> sssd-1.9.2-24.el6.x86_64

Well, this should be fixed in IPA to change guest_u to another SELinux user. AFAIK it has been fixed in Fedora.
Comment 4 Jakub Hrozek 2012-12-14 09:26:28 EST
The IPA server should default to unconfined_u in 6.4, IIRC. Not completely sure about earlier releases.

What default SELinux user does "ipa config-show" print?
Comment 5 Martin Kosek 2012-12-14 10:31:42 EST
IPA server defaults to unconfined_u:s0-s0:c0.c1023 in RHEL 6.4, this is OK.

However, it unfortunately defaults to guest_u:s0 in RHEL 6.3 which makes RHEL 6.4 clients use that value. A quickfix for this issue is to modify the config default with:

ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023

But we will need to fix IPA in RHEL-6.3 and change the default to "unconfined_u:s0-s0:c0.c1023", either by z-stream or at least a release note.

Adding also Rob to the CC list.
Comment 6 Jakub Hrozek 2012-12-14 12:22:32 EST
Of course the trick part is how to differentiate between a setup that simply had guest_u set up as our default and setup that needs guest_u as default. Although I really doubt there is such setup since the client side never worked in 6.3.
Comment 7 Martin Kosek 2012-12-16 06:18:06 EST
(In reply to comment #6)
> Of course the trick part is how to differentiate between a setup that simply
> had guest_u set up as our default and setup that needs guest_u as default.
> Although I really doubt there is such setup since the client side never
> worked in 6.3.

I just verified that client can log in via console or SSH. However, gdm login does not work and produce the described error. I will reassign to IPA, we will produce a Release Note.
Comment 8 RHEL Product and Program Management 2012-12-21 01:47:25 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 20 Daniel Walsh 2013-10-09 10:48:47 EDT
*** Bug 1016638 has been marked as a duplicate of this bug. ***
Comment 21 Martin Kosek 2013-11-20 10:09:25 EST
*** Bug 1027302 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.