#3618 selinux_child segfaults in a docker container
Closed: Fixed 2 years ago Opened 3 years ago by jhrozek.

When selinux_child runs in a docker container which doesn't support SELinux at all, we have dead code in selinux_child since the conversion to getseuserbyname():

```c
    ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);
    DEBUG(SSSDBG_TRACE_INTERNAL,
          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
          ret, db_seuser ? db_seuser : "unknown",
          db_mls_range ? db_mls_range : "unknown");
    if (ret == EOK && db_seuser && db_mls_range &&
            strcmp(db_seuser, ibuf->seuser) == 0 &&
            strcmp(db_mls_range, ibuf->mls_range) == 0) {
        needs_update = false;
    }
    /* OR */
    if (ret == ERR_SELINUX_NOT_MANAGED) {
        /* ----> getseuserbyname() cannot return the internal code ERR_SELINUX_NOT_MANAGED */
        needs_update = false;
    }
```

This triggers update even if SELinux is not managed on this machine:

(Mon Jan 15 19:41:57 2018) [[sssd[selinux_child[462]]]] [main] (0x0400): performing selinux operations
(Mon Jan 15 19:41:57 2018) [[sssd[selinux_child[462]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: admin mls: unknown
(Mon Jan 15 19:41:57 2018) [[sssd[selinux_child[462]]]] [sss_semanage_init] (0x0400): SELinux policy not managed via libsemanage

And the update eventually fails with a segfault:

(Mon Jan 15 19:39:11 2018) [sssd[be[ipa.test]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #9]: Sending result [4][ipa.test]
(Mon Jan 15 19:39:11 2018) [sssd[be[ipa.test]]] [child_sig_handler] (0x1000): Waiting for child [423].
(Mon Jan 15 19:39:11 2018) [sssd[be[ipa.test]]] [child_sig_handler] (0x0020): child [423] was terminated by signal [11].

We should probably check if SELinux is managed and if not, just quit like we did before.
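To make the dead-branch problem concrete, the following is an added, self-contained C model of the decision above; it is not SSSD code. The return codes, the `seuser_lookup` struct and the `selinux_managed` flag are assumptions standing in for `getseuserbyname()`'s result and for an is-managed probe (in a real build that probe would be something like libsemanage's `semanage_is_managed()`). It replays the ticket's log scenario (ret 0, seuser "admin", MLS range unknown) and shows that the original logic schedules an update while a variant that checks whether SELinux is managed first does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the internal return codes used in the ticket. */
#define EOK 0
#define ERR_SELINUX_NOT_MANAGED 1001

/* Simulated result of a getseuserbyname()-style lookup (hypothetical struct). */
struct seuser_lookup {
    int ret;
    const char *seuser;     /* NULL when the database has no value */
    const char *mls_range;  /* NULL when the database has no value */
};

/* Original decision logic, as quoted in the ticket: the second branch can
 * never fire because the lookup never reports ERR_SELINUX_NOT_MANAGED. */
static bool needs_update_original(const struct seuser_lookup *db,
                                  const char *req_seuser,
                                  const char *req_mls)
{
    bool needs_update = true;

    if (db->ret == EOK && db->seuser && db->mls_range &&
        strcmp(db->seuser, req_seuser) == 0 &&
        strcmp(db->mls_range, req_mls) == 0) {
        needs_update = false;
    }
    /* OR */
    if (db->ret == ERR_SELINUX_NOT_MANAGED) {
        needs_update = false;   /* unreachable with this lookup's return codes */
    }
    return needs_update;
}

/* Gated variant: decide "is SELinux managed here?" before trusting the
 * lookup, which is the check the ticket proposes. selinux_managed is the
 * (assumed) result of a separate probe done up front. */
static bool needs_update_gated(bool selinux_managed,
                               const struct seuser_lookup *db,
                               const char *req_seuser,
                               const char *req_mls)
{
    if (!selinux_managed) {
        return false;   /* nothing to write on a host without managed SELinux */
    }
    return needs_update_original(db, req_seuser, req_mls);
}

/* Constructed scenario matching the ticket's log line:
 * "getseuserbyname: ret: 0 seuser: admin mls: unknown". */
static const struct seuser_lookup container_lookup = { EOK, "admin", NULL };

/* Original code on the container: schedules an update (returns true). */
static bool ticket_scenario_original(void)
{
    return needs_update_original(&container_lookup, "admin", "s0-s0:c0.c1023");
}

/* Gated code on the container with SELinux not managed: no update (false). */
static bool ticket_scenario_gated(void)
{
    return needs_update_gated(false, &container_lookup, "admin", "s0-s0:c0.c1023");
}

int main(void)
{
    printf("original logic schedules update: %s\n",
           ticket_scenario_original() ? "yes" : "no");
    printf("gated logic schedules update:    %s\n",
           ticket_scenario_gated() ? "yes" : "no");
    return 0;
}
```

The point of the gated variant is ordering: the "not managed" decision has to come from a probe made before the lookup, because no value the lookup itself returns can carry that information.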

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1

3 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1516700

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4639

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
