#3308 SELinux: Use libselinux's getseuserbyname to get the correct seuser
Closed: Fixed (6 years ago). Opened 7 years ago by jhrozek.

This was suggested by Petr Lautrbach in a private discussion. Currently, retrieving the SELinux user for a Linux user is not robust enough if semanage_user_query fails for one reason or another. Petr suggested using getseuserbyname() from libselinux instead to handle the mapping of a Linux user to a SELinux user.
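Added example (not SSSD's code and not the referenced PR): a small C program illustrating the approach the ticket proposes, resolving the local login mapping with libselinux's getseuserbyname(3) rather than a libsemanage query, then comparing it with the seuser and MLS range received from the server to decide whether a change is needed at all. The function names resolve_current_seuser and seuser_needs_update, the weak-symbol declaration and the sample values are assumptions of this example; build with -lselinux on a real host.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype of libselinux's getseuserbyname(3), declared weak so the file
 * also links without -lselinux; the symbol is then NULL at run time and the
 * lookup reports ENOSYS instead of failing to build. */
extern int getseuserbyname(const char *name, char **seuser, char **level)
    __attribute__((weak));

/* Resolve the SELinux login mapping for a Linux user from the policy's
 * seusers data via libselinux (no libsemanage transaction or lock needed).
 * On success *seuser and *mls are malloc'd (caller frees); returns 0 on
 * success, a negative errno otherwise. */
int resolve_current_seuser(const char *name, char **seuser, char **mls)
{
    *seuser = NULL; *mls = NULL;
    if (getseuserbyname == NULL)
        return -ENOSYS;                 /* libselinux not linked in */
    errno = 0;
    if (getseuserbyname(name, seuser, mls) != 0)
        return errno != 0 ? -errno : -EIO;
    return 0;
}

/* Decide whether the mapping received from the server (new_*) differs from
 * the local one (cur_*), i.e. whether a semanage login change is needed.
 * A failed local lookup (cur_* NULL) is "unknown" and forces an update. */
int seuser_needs_update(const char *cur_seuser, const char *cur_mls,
                        const char *new_seuser, const char *new_mls)
{
    if (cur_seuser == NULL || cur_mls == NULL)
        return 1;
    return strcmp(cur_seuser, new_seuser) != 0 ||
           strcmp(cur_mls, new_mls) != 0;
}

int main(void)
{
    /* Constructed input: the user and mapping seen in the ticket's log. */
    char *seuser = NULL, *mls = NULL;
    int ret = resolve_current_seuser("test2", &seuser, &mls);
    if (ret != 0)
        fprintf(stderr, "lookup for test2 failed: %s\n", strerror(-ret));
    printf("update needed: %d\n",
           seuser_needs_update(seuser, mls, "unconfined_u", "s0-s0:c0.c1023"));
    free(seuser); free(mls);
    return 0;
}
```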


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15.3

I've been running into this error on my CentOS 7.3 boxes. Most of them seem to be for users that have never logged in before, and specifically systems that were built before 7.3 came out and then upgraded. Here are my selinux logs from a failure:

(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [main] (0x0400): selinux_child started.
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [main] (0x2000): Running with real IDs [0][0].
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [main] (0x0400): context initialized
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [unpack_buffer] (0x2000): seuser length: 12
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [unpack_buffer] (0x2000): mls_range length: 14
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [unpack_buffer] (0x2000): username length: 5
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [unpack_buffer] (0x2000): username: test2
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [main] (0x0400): performing selinux operations
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [libsemanage] (0x0020): could not query record value
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [get_seuser] (0x0020): Cannot query for test2
(Tue Feb 14 11:14:01 2017) [[sssd[selinux_child[5345]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
(Tue Feb 14 11:14:06 2017) [[sssd[selinux_child[5345]]]] [libsemanage] (0x0020): Could not get direct transaction lock at /etc/selinux/targeted/semanage.trans.LOCK.
(Tue Feb 14 11:14:06 2017) [[sssd[selinux_child[5345]]]] [set_seuser] (0x0020): Cannot begin SELinux transaction
(Tue Feb 14 11:14:06 2017) [[sssd[selinux_child[5345]]]] [main] (0x0020): Cannot set SELinux login context.
(Tue Feb 14 11:14:06 2017) [[sssd[selinux_child[5345]]]] [main] (0x0020): selinux_child failed!

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

7 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441908

6 years ago

There is already a PR, but it is still being reviewed and upstream needs to release the next version quite soon. Therefore I'm moving this ticket to the next version.

For the immediate future, triaging tickets with patches is our priority, so that you don't wait even longer for your contribution to be included.

Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.4 (was: SSSD 1.15.3)

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

6 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)

6 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4341

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for your understanding. We apologize for any inconvenience.
