#3297 selinux_provider fails in a container if libsemanage is not available

Created 2 months ago by jhrozek
Modified 12 days ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1415167 (https://bugzilla.redhat.com/show_bug.cgi?id=1415167)

Description of problem:

When pam_sss.so is used in an IPA-enrolled, unprivileged docker container to
control access to services via HBAC, pam_acct_mgmt fails.

Version-Release number of selected component (if applicable):

On the host:

kernel-3.10.0-514.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch

In the container:

libselinux-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. On a RHEL machine, git clone https://pagure.io/webauthinfra.git ; cd webauthinfra
2. Apply the following patch:

diff --git a/src/Dockerfile.www b/src/Dockerfile.www
index 4d0d1d9..143e75c 100644
--- a/src/Dockerfile.www
+++ b/src/Dockerfile.www
@@ -1,5 +1,5 @@
-FROM fedora:24
-RUN dnf install -y /usr/sbin/ipa-client-install
/usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi
mod_interc
+FROM rhel7
+RUN yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y
/usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsi
 COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume
www-setup-apache /usr/sbin/
 RUN chmod a+x /usr/sbin/init-data /usr/sbin/ipa-client-enroll
/usr/sbin/ipsilon-client-configure /usr/sbin/populate-data-volume /usr/s
 COPY ipa-client-enroll.service ipsilon-client-configure.service
populate-data-volume.service www-setup-apache.service /usr/lib/systemd
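Review bot: the new `FROM rhel7` line drops the version pin that `FROM fedora:24` carried, so the image will follow whatever `rhel7` resolves to on the build host; pin a tag so the reproducer stays deterministic. The new `RUN yum install ...` line also appears cut off after `ipsi` in the hunk as pasted, and the removed `dnf install` line is likewise cut at `mod_interc`, so the two package lists cannot be compared; please paste the full lines or confirm that every package from the Fedora line is still installed on RHEL 7.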
diff --git a/src/www-mod_wsgi-gssapi.conf b/src/www-mod_wsgi-gssapi.conf
index 77cf2cc..e3f586d 100644
--- a/src/www-mod_wsgi-gssapi.conf
+++ b/src/www-mod_wsgi-gssapi.conf
@@ -43,7 +43,7 @@ LoadModule lookup_identity_module
modules/mod_lookup_identity.so
   InterceptFormPAMService webapp
   InterceptFormLogin username
   InterceptFormPassword password
-  InterceptGETOnSuccess on
+  # InterceptGETOnSuccess on

   LookupOutput env
   LookupUserAttr mail REMOTE_USER_EMAIL " "
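Review bot: `InterceptGETOnSuccess on` is commented out rather than set to `off` or removed, and nothing in the hunk records why this mod_intercept_form_submit directive is being disabled for the RHEL 7 build; add a one-line comment above it stating the reason, so the next reader knows whether it is safe to re-enable.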
diff --git a/src/www-proxy-gssapi.conf b/src/www-proxy-gssapi.conf
index efea3ce..f9f61e6 100644
--- a/src/www-proxy-gssapi.conf
+++ b/src/www-proxy-gssapi.conf
@@ -31,7 +31,7 @@ LoadModule lookup_identity_module
modules/mod_lookup_identity.so
   InterceptFormPAMService webapp
   InterceptFormLogin username
   InterceptFormPassword password
-  InterceptGETOnSuccess on
+  # InterceptGETOnSuccess on

   LookupOutput headers
   LookupUserAttr mail X-REMOTE-USER-EMAIL " "
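Review bot: this is the same toggle as in www-mod_wsgi-gssapi.conf above, so the proxy and wsgi configs now diverge from upstream in lockstep; the rationale belongs in the commit message or in a comment in both files rather than in neither, and if the directive is meant to stay disabled, `InterceptGETOnSuccess off` states that intent more plainly than a commented-out line.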

3. Enroll the RHEL host.
4. docker pull freeipa/freeipa-server:fedora-24 ; docker tag freeipa/freeipa-server:fedora-24 freeipa-server
5. Install docker-compose, for example via

curl -L https://github.com/docker/compose/releases/download/1.10.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

6. docker-compose build
7. docker-compose up
8. Wait until the output shows

client_1  | Usage:
client_1  |   ssh -X -i client-data/id_rsa -p 55022 developer@localhost firefox -no-remote
client_1  |   To kinit, in the browser started with ^^^ visit http://localhost/
client_1  |   or execute
client_1  |   cat ipa-data/admin-password | ssh -i client-data/id_rsa -p 55022 developer@localhost kinit admin

9. cat ipa-data/admin-password | docker exec -i webauthinfra_client_1 kinit admin
10. docker exec -ti webauthinfra_client_1 curl -si --negotiate -u : https://www.example.test/login/

Actual results:

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhki
G9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkXo3+6SrWGyKnWk5shxakGTSeb42vQ
Q+XIvIUeUGGBkwfkLVUE5ko4ui5zi4Uigubo7EeH/+TqSYbuut92ijBoAuTxJNBjytX3e6PgItoF1wr
wfLaFmxCD037BbG2zgUyeqWyQNgpI07zLR9SPpE
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/login/?noext=1"><body>Kerberos authentication did not pass.</body></html>

When debug_level is set to 6 in /etc/sssd/sssd.conf in the webauthinfra_www_1
container and sssd is restarted, the sssd logs show:

==> /var/log/sssd/selinux_child.log <==
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): selinux_child started.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): context initialized
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): performing selinux operations
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [get_seuser] (0x0020): Cannot create SELinux handle
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [set_seuser] (0x0020): Cannot init SELinux management
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): Cannot set SELinux login context.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): selinux_child failed!

==> /var/log/sssd/sssd_example.test.log <==
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_done] (0x0400): DP Request [PAM SELinux #3]: Request handler finished [0]: Success
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [_dp_req_recv] (0x0400): DP Request [PAM SELinux #3]: Receiving request data.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #3]: Request removed.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler] (0x0020): child [1201] failed with status [1].

==> /var/log/sssd/sssd_pam.log <==
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][example.test]
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 29
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

Expected results:

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:51:07 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Fri, 20 Jan 2017 12:51:08 GMT
Server: WSGIServer/0.1 Python/2.7.12
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhki
G9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvb+C80tVteOSSJCA9Ao8jCCvFAqe6Wa
0uqey7u90j8Iz+V/Jx5ubMVypvP9SvIpT/DPya0Jhngo06JH+ND5RwkBSpEYHlm3jZZo/lJYKKo/qJr
ZlzvH9T5ZQGOykR9c4axUHxD2X+Vcmvrl6xXKd7
Vary: Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Location: /
Set-Cookie: csrftoken=T6M3M78mg0AYVi6qGg8IvCx8jln3SOt9BmVhox2wvGA3i34X13jre5pa6JCW7Mpr; expires=Fri, 19-Jan-2018 12:51:08 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=nusfx73ibstzjjtzqod1lwy1a949lc9t; expires=Fri, 03-Feb-2017 12:51:08 GMT; httponly; Max-Age=1209600; Path=/
Transfer-Encoding: chunked

Additional info:

The expected output can be achieved by setting selinux_provider = none in the
[domain/*] section of /etc/sssd/sssd.conf in the webauthinfra_www_1 container.
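The log signature quoted earlier and the selinux_provider = none workaround above, worked into a small triage helper. This is an added example, not SSSD code and not part of the ticket; the sssd.conf fragment and log lines it uses are constructed from the output quoted in this ticket, and the function names are my own.

```python
"""Triage helper for the selinux_child failure in this ticket (added
example, not SSSD code): match the log messages quoted above and check
for the documented workaround, selinux_provider = none in every
[domain/*] section of sssd.conf.  Sample input is constructed below."""
import configparser
import io
import re

# Messages quoted in the ticket that identify this failure mode.
CHILD_SIGNATURE = ("SELinux policy not managed", "selinux_child failed!")
PAM_SIGNATURE = re.compile(r"pam_reply called with result \[4\]: System error")

def matches_ticket_signature(selinux_child_log, sssd_pam_log):
    """True when both logs carry the messages quoted in the ticket."""
    child_hit = all(msg in selinux_child_log for msg in CHILD_SIGNATURE)
    return child_hit and PAM_SIGNATURE.search(sssd_pam_log) is not None

def domains_missing_workaround(sssd_conf_text):
    """Return the [domain/*] sections whose selinux_provider is not 'none'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    return [s for s in cfg.sections() if s.startswith("domain/")
            and cfg.get(s, "selinux_provider", fallback="").strip() != "none"]

def apply_workaround(sssd_conf_text):
    """Return sssd.conf text with selinux_provider = none in each [domain/*],
    so SSSD skips the SELinux user-context step that selinux_child cannot
    perform in a container whose policy is not manageable."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    for s in cfg.sections():
        if s.startswith("domain/"):
            cfg.set(s, "selinux_provider", "none")
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

# Constructed sample input: a minimal IPA domain config and the log lines
# as quoted in the ticket.
SAMPLE_CONF = ("[sssd]\nservices = nss, pam\ndomains = example.test\n\n"
               "[domain/example.test]\nid_provider = ipa\naccess_provider = ipa\n")
SAMPLE_CHILD_LOG = (
    "(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] "
    "[sss_semanage_init] (0x0020): SELinux policy not managed\n"
    "(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] "
    "[main] (0x0020): selinux_child failed!\n")
SAMPLE_PAM_LOG = ("(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] "
                  "(0x0200): pam_reply called with result [4]: System error.\n")
```

Run domains_missing_workaround on the container's real /etc/sssd/sssd.conf to see which domains still need the setting, and apply_workaround to produce the corrected file.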

Fields changed

owner: somebody => mzidek

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15.2

a month ago

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.15.2

12 days ago

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: None
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD 1.15.2)
