#2512 selinuxusermap rule does not apply to trusted AD users
Closed: Fixed. Opened 5 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1169739

Description of problem:
This is a regression for bz1075663 and bz1073635

Version-Release number of selected component (if applicable):
sssd-1.12.2-28.el7.x86_64
ipa-server-4.1.0-10.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA and add Trust with AD

* https://bugzilla.redhat.com/show_bug.cgi?id=1075663

[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1075663 --groups=gr1075663_ext
  Group name: gr1075663
  Description: 0
  GID: 1119800014
  Member groups: gr1075663_ext
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1075663_ext --users=''
--groups='' --external="aduser1@${AD_top_domain}"
  Group name: gr1075663_ext
  Description: 0
  External member: S-1-5-21-1910160501-511572375-3625658879-1313
  Member of groups: gr1075663
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*;
service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ibm-x3620m3-01 ~]# id aduser1@${AD_top_domain}
uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe),1119800014(gr1075663),1119800008(adgrp)

[root@ibm-x3620m3-01 ~]# ipa selinuxusermap-add-user selinux_1075663
--groups=gr1075663
  Rule name: selinux_1075663
  SELinux User: staff_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  User Groups: gr1075663
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# cat /home/${AD_top_domain}/aduser1/.k5login
aduser1@adtest.qe
aduser1@ADTEST.QE
ADTEST\aduser1
adtest\aduser1

[root@ibm-x3620m3-01 ~]# kdestroy -A

[root@ibm-x3620m3-01 ~]# echo ${AD_top_pswd}|kinit aduser1@${AD_TOP_REALM}
Password for aduser1@ADTEST.QE:

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_top_domain} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_TOP_REALM} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l "${AD_top_netbios}\\aduser1" $(hostname) 'id
-Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@ibm-x3620m3-01 ~]# ssh -K -l "${AD_top_netbios,,}\\aduser1" $(hostname)
'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


* https://bugzilla.redhat.com/show_bug.cgi?id=1073635


[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1073635 --groups=gr1073635_ext
  Group name: gr1073635
  Description: 0
  GID: 1119800015
  Member groups: gr1073635_ext
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3620m3-01 ~]# ipa group-add-member gr1073635_ext --users=''
--groups='' \
>             --external="aduser1@${AD_top_domain}"
  Group name: gr1073635_ext
  Description: 0
  External member: S-1-5-21-1910160501-511572375-3625658879-1313
  Member of groups: gr1073635
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# ipa selinuxusermap-add-host selinux_1073635
--hosts=$MASTER
  Rule name: selinux_1073635
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  User Groups: gr1073635
  Hosts: ibm-x3620m3-01.steeve2011.test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3620m3-01 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*;
service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ibm-x3620m3-01 ~]# kdestroy -A

[root@ibm-x3620m3-01 ~]# echo ${AD_top_pswd}|kinit aduser1@${AD_TOP_REALM}
Password for aduser1@ADTEST.QE:

[root@ibm-x3620m3-01 ~]# ssh -K -l aduser1@${AD_top_domain} $(hostname) 'id -Z'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
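The reproduction above compares the context printed by `id -Z` against the "SELinux User" of the IPA rule by eye. The helper below is an added example, not part of the ticket or of SSSD/IPA, that makes the same check scriptable: it confirms from `id` output that the trusted user actually resolves as a member of the IPA group the rule refers to, then checks that the SELinux user and MLS range of the login context equal those of the rule. The sample values in the demo at the end are copied from the ticket's own output.

```shell
#!/bin/bash
# Added helper (not from the ticket): did an IPA selinuxusermap rule apply?

# selinux_user_matches_rule CONTEXT RULE_SELINUX_USER
#   CONTEXT           as printed by `id -Z`: user:role:type:range
#   RULE_SELINUX_USER "SELinux User" of the IPA rule: user:range
# Returns 0 when both the SELinux user and the MLS range agree.
selinux_user_matches_rule() {
    local ctx="$1" rule="$2"
    local ctx_user="${ctx%%:*}" rule_user="${rule%%:*}"
    # the range is everything after the third colon (role and type sit in between)
    local ctx_range="${ctx#*:*:*:}" rule_range="${rule#*:}"
    [ "$ctx_user" = "$rule_user" ] && [ "$ctx_range" = "$rule_range" ]
}

# group_in_id_output ID_OUTPUT GROUP_NAME
#   Returns 0 when GROUP_NAME appears in the groups= list of `id` output,
#   i.e. the trusted user resolved as a member of the IPA group via the
#   external group. Matches "(name)" exactly, not as a substring.
group_in_id_output() {
    local groups="${1##*groups=}" group="$2"
    case "$groups" in
        *"($group)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# selinuxusermap_verdict ID_OUTPUT CONTEXT GROUP_NAME RULE_SELINUX_USER
#   Prints OK, NOT_IN_GROUP (membership problem) or RULE_NOT_APPLIED
#   (member of the group, but the login context ignores the rule: the
#   regression this ticket describes).
selinuxusermap_verdict() {
    local id_out="$1" ctx="$2" group="$3" rule_user="$4"
    if ! group_in_id_output "$id_out" "$group"; then
        echo NOT_IN_GROUP
    elif selinux_user_matches_rule "$ctx" "$rule_user"; then
        echo OK
    else
        echo RULE_NOT_APPLIED
    fi
}

# Demo with the values from the ticket (shortened `id` output):
DEMO_ID='uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1119800014(gr1075663),1119800008(adgrp)'
DEMO_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
selinuxusermap_verdict "$DEMO_ID" "$DEMO_CTX" gr1075663 'staff_u:s0-s0:c0.c1023'
```

On a live system, feed it `id "$user"` and the result of `ssh -K -l "$user" "$(hostname)" 'id -Z'` in place of the demo strings.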

Fields changed

mark: no => 0
owner: somebody => lslebodn
patch: 0 => 1
review: True => 0
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.3

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.12.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3554

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
