#3618 selinux_child segfaults in a docker container
Closed: Fixed 2 years ago Opened 2 years ago by jhrozek.

When selinux_child runs in a docker container which doesn't support SELinux at all, we have dead code in selinux_child since the conversion to getseuserbyname():

    ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);
    DEBUG(SSSDBG_TRACE_INTERNAL,
          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
          ret, db_seuser ? db_seuser : "unknown",
          db_mls_range ? db_mls_range : "unknown");
    if (ret == EOK && db_seuser && db_mls_range &&
            strcmp(db_seuser, ibuf->seuser) == 0 &&
            strcmp(db_mls_range, ibuf->mls_range) == 0) {
        needs_update = false;
    }
    /* OR */
    if (ret == ERR_SELINUX_NOT_MANAGED) {
        /* ----> getseuserbyname() cannot return internal code ERR_SELINUX_NOT_MANAGED */
        needs_update = false;
    }

This triggers an update even if SELinux is not managed on this machine:

(Mon Jan 15 19:41:57 2018) [[sssd[selinux_child[462]]]] [main] (0x0400): performing selinux operations
(Mon Jan 15 19:41:57 2018) [[sssd[selinux_child[462]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: admin mls: unknown
(Mon Jan 15 19:41:57 2018) [[sssd[selinux_child[462]]]] [sss_semanage_init] (0x0400): SELinux policy not managed via libsemanage

And the update eventually fails with a segfault:

(Mon Jan 15 19:39:11 2018) [sssd[be[ipa.test]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #9]: Sending result [4][ipa.test]
(Mon Jan 15 19:39:11 2018) [sssd[be[ipa.test]]] [child_sig_handler] (0x1000): Waiting for child [423].
(Mon Jan 15 19:39:11 2018) [sssd[be[ipa.test]]] [child_sig_handler] (0x0020): child [423] was terminated by signal [11].

We should probably check if SELinux is managed and if not, just quit like we did before.


Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1

2 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1516700

2 years ago
