#2512 selinuxusermap rule does not apply to trusted AD users
Closed: Fixed None Opened 4 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1169739

Description of problem:
This is a regression of bz1075663 and bz1073635: the SELinux user map rule (SELinux User: staff_u:s0-s0:c0.c1023) is not applied to the trusted AD user, whose login context stays unconfined_u in the transcripts below.

Version-Release number of selected component (if applicable):
sssd-1.12.2-28.el7.x86_64
ipa-server-4.1.0-10.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA and add Trust with AD

* https://bugzilla.redhat.com/show_bug.cgi?id=1075663

[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1075663 --groups=gr1075663_ext
  Group name: gr1075663
  Description: 0
  GID: 1119800014
  Member groups: gr1075663_ext
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1075663_ext --users=''
--groups='' --external="aduser1@${AD_top_domain}"
  Group name: gr1075663_ext
  Description: 0
  External member: S-1-5-21-1910160501-511572375-3625658879-1313
  Member of groups: gr1075663
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*;
service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ibm-x3620m3-01 ~]# id aduser1@${AD_top_domain}
uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148
401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1
@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain
users@adtest.qe),1119800014(gr1075663),1119800008(adgrp)

[root@ibm-x3620m3-01 ~]# ipa selinuxusermap-add-user selinux_1075663
--groups=gr1075663
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# cat /home/${AD_top_domain}/aduser1/.k5login
aduser1@adtest.qe
aduser1@ADTEST.QE
ADTEST\aduser1
adtest\aduser1

[root@ibm-x3620m3-01 ~]# kdestroy -A

[root@ibm-x3620m3-01 ~]# echo ${AD_top_pswd}|kinit aduser1@${AD_TOP_REALM}
Password for aduser1@ADTEST.QE:

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_top_domain} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_TOP_REALM} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l "${AD_top_netbios}\\aduser1" $(hostname) 'id
-Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l "${AD_top_netbios,,}\\aduser1" $(hostname)
'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


* https://bugzilla.redhat.com/show_bug.cgi?id=1073635


[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1073635 --groups=gr1073635_ext
  Group name: gr1073635
  Description: 0
  GID: 1119800015
  Member groups: gr1073635_ext
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1073635_ext --users=''
--groups='' \
>             --external="aduser1@${AD_top_domain}"
  Group name: gr1073635_ext
  Description: 0
  External member: S-1-5-21-1910160501-511572375-3625658879-1313
  Member of groups: gr1073635
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# ipa selinuxusermap-add-host selinux_1073635
--hosts=$MASTER
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
  Hosts: ibm-x3620m3-01.steeve2011.test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*;
service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ibm-x3620m3-01 ~]# kdestroy -A

[root@ibm-x3620m3-01 ~]# echo ${AD_top_pswd}|kinit aduser1@${AD_TOP_REALM}
Password for aduser1@ADTEST.QE:

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_top_domain} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => lslebodn
patch: 0 => 1
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.3

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.12.3


