#3297 selinux_provider fails in a container if libsemanage is not available
Closed: Fixed 3 years ago Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1415167

Description of problem:

When pam_sss.so is used in an IPA-enrolled unprivileged docker container to
control access to services via HBAC, pam_acct_mgmt fails.

Version-Release number of selected component (if applicable):

On the host:

kernel-3.10.0-514.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch

In the container:

libselinux-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. On RHEL machine, git clone https://pagure.io/webauthinfra.git ; cd webauthinfra
2. apply patch

diff --git a/src/Dockerfile.www b/src/Dockerfile.www
index 4d0d1d9..143e75c 100644
--- a/src/Dockerfile.www
+++ b/src/Dockerfile.www
@@ -1,5 +1,5 @@
-FROM fedora:24
-RUN dnf install -y /usr/sbin/ipa-client-install
/usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi
mod_interc
+FROM rhel7
+RUN yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y
/usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsi
 COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume
www-setup-apache /usr/sbin/
 RUN chmod a+x /usr/sbin/init-data /usr/sbin/ipa-client-enroll
/usr/sbin/ipsilon-client-configure /usr/sbin/populate-data-volume /usr/s
 COPY ipa-client-enroll.service ipsilon-client-configure.service
populate-data-volume.service www-setup-apache.service /usr/lib/systemd
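Review bot: the replacement RUN line is cut off after "ipsi", so the package list installed on rhel7 cannot be compared with the one removed on the fedora:24 line (which continued with httpd mod_ssl mod_auth_gssapi mod_interc...); please show the complete yum install command, otherwise the reproducer cannot be followed. Also, --disablerepo='*' --enablerepo=rhel-7-server-rpms only works on a build host whose subscription exposes that repository; worth stating that in step 2.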
diff --git a/src/www-mod_wsgi-gssapi.conf b/src/www-mod_wsgi-gssapi.conf
index 77cf2cc..e3f586d 100644
--- a/src/www-mod_wsgi-gssapi.conf
+++ b/src/www-mod_wsgi-gssapi.conf
@@ -43,7 +43,7 @@ LoadModule lookup_identity_module
modules/mod_lookup_identity.so
   InterceptFormPAMService webapp
   InterceptFormLogin username
   InterceptFormPassword password
-  InterceptGETOnSuccess on
+  # InterceptGETOnSuccess on

   LookupOutput env
   LookupUserAttr mail REMOTE_USER_EMAIL " "
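Review bot: "InterceptGETOnSuccess on" is disabled here without any explanation in the hunk or in step 2 of why the reproducer needs it; a short comment next to the commented-out directive would make the intent clear and avoid the change being mistaken for part of the bug itself.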
diff --git a/src/www-proxy-gssapi.conf b/src/www-proxy-gssapi.conf
index efea3ce..f9f61e6 100644
--- a/src/www-proxy-gssapi.conf
+++ b/src/www-proxy-gssapi.conf
@@ -31,7 +31,7 @@ LoadModule lookup_identity_module
modules/mod_lookup_identity.so
   InterceptFormPAMService webapp
   InterceptFormLogin username
   InterceptFormPassword password
-  InterceptGETOnSuccess on
+  # InterceptGETOnSuccess on

   LookupOutput headers
   LookupUserAttr mail X-REMOTE-USER-EMAIL " "
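Review bot: this is the same directive disabled in www-mod_wsgi-gssapi.conf; since the two configs are evidently kept in sync, the justification (once added) should appear in both files so one is not reverted independently of the other.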

3. Enroll the RHEL host.
4. docker pull freeipa/freeipa-server:fedora-24 ; docker tag freeipa/freeipa-server:fedora-24 freeipa-server
5. Install docker-compose, for example via

curl -L https://github.com/docker/compose/releases/download/1.10.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

6. docker-compose build
7. docker-compose up
8. Wait until the output shows

client_1  | Usage:
client_1  |   ssh -X -i client-data/id_rsa -p 55022 developer@localhost firefox -no-remote
client_1  |   To kinit, in the browser started with ^^^ visit http://localhost/
client_1  |   or execute
client_1  |   cat ipa-data/admin-password | ssh -i client-data/id_rsa -p 55022 developer@localhost kinit admin

9. cat ipa-data/admin-password | docker exec -i webauthinfra_client_1 kinit admin
10. docker exec -ti webauthinfra_client_1 curl -si --negotiate -u : https://www.example.test/login/

Actual results:

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhki
G9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkXo3+6SrWGyKnWk5shxakGTSeb42vQ
Q+XIvIUeUGGBkwfkLVUE5ko4ui5zi4Uigubo7EeH/+TqSYbuut92ijBoAuTxJNBjytX3e6PgItoF1wr
wfLaFmxCD037BbG2zgUyeqWyQNgpI07zLR9SPpE
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0;
URL=/login/?noext=1"><body>Kerberos authentication did not pass.</body></html>

When debug_level is set to 6 in webauthinfra_www_1 container in
/etc/sssd/sssd.conf and sssd restarted, sssd logs show

==> /var/log/sssd/selinux_child.log <==
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400):
selinux_child started.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400):
context initialized
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400):
performing selinux operations
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init]
(0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [get_seuser] (0x0020):
Cannot create SELinux handle
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init]
(0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [set_seuser] (0x0020):
Cannot init SELinux management
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020):
Cannot set SELinux login context.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020):
selinux_child failed!

==> /var/log/sssd/sssd_example.test.log <==
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [selinux_child_done]
(0x0020): selinux_child_parse_response failed: [22][Invalid argument]
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_done] (0x0400): DP
Request [PAM SELinux #3]: Request handler finished [0]: Success
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [_dp_req_recv] (0x0400): DP
Request [PAM SELinux #3]: Receiving request data.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor]
(0x0400): DP Request [PAM SELinux #3]: Request removed.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler]
(0x0020): child [1201] failed with status [1].

==> /var/log/sssd/sssd_pam.log <==
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [4 (System error)][example.test]
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
with result [4]: System error.
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 29
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!

Expected results:

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:51:07 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Fri, 20 Jan 2017 12:51:08 GMT
Server: WSGIServer/0.1 Python/2.7.12
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhki
G9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvb+C80tVteOSSJCA9Ao8jCCvFAqe6Wa
0uqey7u90j8Iz+V/Jx5ubMVypvP9SvIpT/DPya0Jhngo06JH+ND5RwkBSpEYHlm3jZZo/lJYKKo/qJr
ZlzvH9T5ZQGOykR9c4axUHxD2X+Vcmvrl6xXKd7
Vary: Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Location: /
Set-Cookie:
csrftoken=T6M3M78mg0AYVi6qGg8IvCx8jln3SOt9BmVhox2wvGA3i34X13jre5pa6JCW7Mpr;
expires=Fri, 19-Jan-2018 12:51:08 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=nusfx73ibstzjjtzqod1lwy1a949lc9t; expires=Fri,
03-Feb-2017 12:51:08 GMT; httponly; Max-Age=1209600; Path=/
Transfer-Encoding: chunked

Additional info:

The expected output can be achieved by setting selinux_provider = none in the
[domain/*] section of /etc/sssd/sssd.conf in the webauthinfra_www_1 container.
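The log excerpts above show the failure chain (sss_semanage_init reports "SELinux policy not managed", selinux_child exits with status 1, and the PAM responder returns result 4, System error), and the workaround is a single sssd.conf setting. The following triage helper is an added example written for this ticket; it is not SSSD project code. It scans sssd debug lines for that chain and rewrites sssd.conf so that every [domain/...] section carries selinux_provider = none. The log line layout and the config keys are taken from the ticket; the sample log lines and sample sssd.conf embedded below are constructed (unwrapped from the excerpts above) so the script runs offline.

```python
"""Triage helper for the selinux_child failure described in this ticket.

Added example, not part of SSSD. Two pieces:
  1. diagnose(): detect the chain "libsemanage cannot manage policy ->
     selinux_child exits 1 -> PAM result 4 (System error)" in sssd logs.
  2. apply_workaround(): add `selinux_provider = none` to each
     [domain/...] section of sssd.conf that does not set it explicitly.
"""
import configparser
import io
import re

# One sssd debug line: "(timestamp) [process] [function] (level): message".
# The process field contains no spaces, even nested like [[sssd[selinux_child[1201]]]].
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\)\s+(?P<proc>\S+)\s+\[(?P<func>[^\]]+)\]\s+"
    r"\((?P<lvl>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
# pam_reply logs "pam_reply called with result [N]: <text>".
PAM_RESULT_RE = re.compile(r"result \[(?P<code>\d+)\]")
PAM_SYSTEM_ERR = 4  # Linux-PAM PAM_SYSTEM_ERR


def parse_log_line(line):
    """Return the fields of one sssd debug line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines):
    """Scan concatenated sssd logs (as produced by `tail -f` on several
    files) for the selinux_child failure chain. Non-log lines such as
    '==> /var/log/sssd/x.log <==' are skipped."""
    finding = {
        "semanage_unavailable": False,  # sss_semanage_init: policy not managed
        "child_failed": False,          # selinux_child exited non-zero
        "pam_result": None,             # numeric result from pam_reply
    }
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "sss_semanage_init" and "SELinux policy not managed" in msg:
            finding["semanage_unavailable"] = True
        elif (func == "main" and "selinux_child failed" in msg) or (
            func == "child_sig_handler" and "failed with status" in msg
        ):
            finding["child_failed"] = True
        elif func == "pam_reply":
            m = PAM_RESULT_RE.search(msg)
            if m:
                finding["pam_result"] = int(m.group("code"))
    finding["matches_ticket"] = (
        finding["semanage_unavailable"]
        and finding["child_failed"]
        and finding["pam_result"] == PAM_SYSTEM_ERR
    )
    return finding


def _load(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    return cp


def domains_missing_workaround(conf_text):
    """Names of [domain/...] sections with no explicit selinux_provider."""
    cp = _load(conf_text)
    return [s for s in cp.sections()
            if s.startswith("domain/") and not cp.has_option(s, "selinux_provider")]


def apply_workaround(conf_text):
    """Return sssd.conf text with selinux_provider = none added to every
    domain section lacking it; all other sections are left untouched."""
    cp = _load(conf_text)
    for section in domains_missing_workaround(conf_text):
        cp.set(section, "selinux_provider", "none")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# Constructed sample: the ticket's excerpts, unwrapped to one line each.
SAMPLE_LOG = """\
==> /var/log/sssd/selinux_child.log <==
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): selinux_child started.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [get_seuser] (0x0020): Cannot create SELinux handle
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): selinux_child failed!
==> /var/log/sssd/sssd_example.test.log <==
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler] (0x0020): child [1201] failed with status [1].
==> /var/log/sssd/sssd_pam.log <==
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
""".splitlines()

# Constructed sample sssd.conf for the container (hostnames are placeholders).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(apply_workaround(SAMPLE_CONF))
```

Run it against `tail -n +1 /var/log/sssd/*.log` output to confirm the same chain before applying the workaround; the config rewrite is deliberately conservative and only touches domain sections that do not already set selinux_provider, so a domain that intentionally keeps the ipa provider is left as configured.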

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => mzidek
patch: => 0
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15.2

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.15.2

3 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: None
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD 1.15.2)

3 years ago

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

3 years ago

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4330

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
