#1626 sssd caching not working as expected for selinux usermap contexts
Closed: Fixed. Opened 6 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=874579 (Red Hat Enterprise Linux 6)

Description of problem:
If two users' SELinux contexts are stored in the sssd cache and the last user's
context is the default SELinux context, then the default SELinux context is applied
for the first user as well if the IPA server is not reachable.

Version-Release number of selected component (if applicable):

[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1) If two users' SELinux contexts are stored in the sssd cache and the last user's
context is the default SELinux context, then the default SELinux context is applied
for the first user as well if the IPA server is not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2 rhel64client1.testrelm.com id -Z
user2@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov  5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping the IPA server so that the sssd cache is used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov  5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here the SELinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023

(2) The SSSD cache works fine in the case of a single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

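The reproduction above is a manual procedure: log in as each user while the IPA server is reachable, take the server down, log in again and compare `id -Z`. The script below is an added example (not code from this ticket, from SSSD or from IPA) that does the comparison mechanically so the regression can be re-checked after an upgrade. It records one `user context` line per user from an online run and an offline run and flags every user whose offline context differs from the online baseline, which is exactly the symptom reported here: user1's cached staff_u context replaced by user2's default unconfined_u context. The host and user names are placeholders taken from the ticket's transcript; the `collect` step prompts for each user's password over ssh just as the ticket does, while the `compare` step is pure text processing and needs no server.

```shell
#!/bin/sh
# Added example (not from the ticket, SSSD or IPA): verify that the SELinux
# context each user receives while the IPA server is unreachable is the same
# one they received while it was online, i.e. that the per-user mapping was
# served from the sssd cache and not replaced by the default context.
# Host and user names are placeholders taken from the ticket's transcript.

# collect_contexts HOST USER... : log in over ssh as each user (interactive
# password prompt, exactly as in the ticket) and emit one "user context" line
# per user. A failed login is recorded as LOGIN_FAILED so the run continues.
collect_contexts() {
    host="$1"; shift
    for u in "$@"; do
        ctx=$(ssh -l "$u" "$host" id -Z) || ctx="LOGIN_FAILED"
        printf '%s %s\n' "$u" "$ctx"
    done
}

# compare_contexts ONLINE OFFLINE : each argument is the text produced by
# collect_contexts ("user context" per line). Prints one line for every user
# whose offline context differs from the online baseline, or who has no
# baseline at all, and returns 1 if anything differed, 0 if all matched.
# SELinux contexts contain no whitespace, so splitting on the first field
# is safe even with an MLS range such as s0-s0:c0.c1023.
compare_contexts() {
    online_tmp=$(mktemp) || return 2
    offline_tmp=$(mktemp) || { rm -f "$online_tmp"; return 2; }
    printf '%s\n' "$1" > "$online_tmp"
    printf '%s\n' "$2" > "$offline_tmp"
    awk '
        FILENAME == ARGV[1] { if (NF) online[$1] = $2; next }
        !NF                 { next }
        !($1 in online)     { printf "NOBASELINE %s offline=%s\n", $1, $2; bad++; next }
        online[$1] != $2    { printf "MISMATCH %s online=%s offline=%s\n", $1, online[$1], $2; bad++ }
        END                 { exit (bad > 0) }
    ' "$online_tmp" "$offline_tmp" && rc=0 || rc=$?
    rm -f "$online_tmp" "$offline_tmp"
    return "$rc"
}

# Usage on the client (interactive):
#   ./check_selinux_cache.sh collect rhel64client1.testrelm.com user1 user2 > online.txt
#   ... make the IPA server unreachable (service ipa stop on the master) ...
#   ./check_selinux_cache.sh collect rhel64client1.testrelm.com user1 user2 > offline.txt
#   ./check_selinux_cache.sh compare online.txt offline.txt
case "${1:-}" in
    collect) shift; collect_contexts "$@" ;;
    compare) compare_contexts "$(cat "$2")" "$(cat "$3")" ;;
esac
```

Log in as every mapped user in the online pass, not just the one you care about: the bug only shows once a second user's default context has been written to the cache, so a single-user run passes even on the affected sssd-1.9.2 (the ticket's case (2)). Run the offline pass only after sssd has actually gone offline, otherwise the comparison tests the server, not the cache.
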
I can reproduce. Picking up.

owner: somebody => jhrozek
status: new => assigned

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @dpal:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4
