#2587 With empty ipaselinuxusermapdefault security context on client is staff_u
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1192314

Description of problem:
Default security context for users on client becomes
staff_u:staff_r:staff_t:s0-s0:c0.c1023 when ipaselinuxusermapdefault is not set

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Setup trust
2. Remove default selinux user
3. check security contest of user

Actual results:
On IPA Master

[root@bumblebee ~]# ipa config-mod --ipaselinuxusermapdefault=

[root@bumblebee ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: slnx2k8r2.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=SLNX2K8R2.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c10
23$unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC


[root@bumblebee ~]# kdestroy -A

[root@bumblebee ~]# echo Secret123| kinit au102130134@IPAAD2008R2.TEST
Password for au102130134@IPAAD2008R2.TEST:

[root@bumblebee ~]# ssh -l au102130134@ipaad2008r2.test `hostname` id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On Client

[root@vm-idm-033 ~]# service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service
sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@vm-idm-033 ~]# kdestroy -A

[root@vm-idm-033 ~]# echo Secret123| kinit au102130134@IPAAD2008R2.TEST
Password for au102130134@IPAAD2008R2.TEST:

[root@vm-idm-033 ~]# ssh -l au102130134@ipaad2008r2.test `hostname` id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023



Expected results:
[root@vm-idm-033 ~]# ssh -l au102130134@ipaad2008r2.test `hostname` id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => jhrozek
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

Fields changed

priority: major => critical

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3628

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata