#667 Setting SELinux context for sss_useradd fails
Closed: Fixed None Opened 13 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=649037

Description

Description of problem: Unable to set SELinux user for the user's login.

Version-Release number of selected component (if applicable):
sssd-1.2.1-34.el5

How reproducible:
Always

Steps to Reproduce:
1. Configure SSSD for local domain.
2. sss_useradd -Z user_u luser1
3.

Actual results:

sss_useradd -Z user_u luser1

Cannot set SELinux login context

Expected results:
User should be added successfully. This works fine in RHEL6.

Additional info:

Relevant sssd.conf section:
[domain/LOCAL]
id_provider = local
auth_provider = local
min_id = 2000
enumerate = true

sestatus

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

cat /etc/selinux/targeted/seusers

This file is auto-generated by libsemanage

Please use the semanage command to make changes

root:root:s0-s0:c0.c1023
default:user_u:s0
yyy:user_u:s0

rpm -qf /usr/lib/libselinux.so

libselinux-1.33.4-5.6.el5

Analysis

The problem is in the SSSD.

    ret = semanage_commit(handle);
    if (ret != 0) {
        DEBUG(1, ("Cannot commit SELinux transaction\n"));
        ret = EIO;
        goto done;
    }

From semanage/handle.h:

    /* Attempt to commit all changes since this transaction began. If the
     * commit is successful then increment the "policy sequence number"
     * and then release the transaction lock.  Return that policy number
     * afterwards, or -1 on error.
     */
    int semanage_commit(semanage_handle_t *);

Whereas most semanage functions return zero on success, this particular command
is expected to return a positive integer on success.


Based on discussions with SELinux upstream, we should just be checking for < 0 for errors here. That should account for both cases.
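
The return-value check discussed in this ticket, as an added example that is not part of the original ticket or of SSSD's code. `stub_semanage_commit` is a hypothetical stand-in that follows the return convention quoted from semanage/handle.h, and the sequence numbers are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for semanage_commit(): returns the policy sequence
 * number on success and -1 on error, per the handle.h comment quoted above. */
static int stub_semanage_commit(int new_seq, int fail)
{
    return fail ? -1 : new_seq;
}

/* Check as quoted in the ticket: any non-zero return is treated as failure. */
static int commit_check_original(int commit_ret)
{
    return (commit_ret != 0) ? EIO : 0;
}

/* Check proposed in the ticket: only a negative return is a failure. */
static int commit_check_fixed(int commit_ret)
{
    return (commit_ret < 0) ? EIO : 0;
}

int main(void)
{
    /* Constructed cases covering a zero return, positive sequence numbers
     * and the documented error value. */
    struct { const char *name; int seq; int fail; } cases[] = {
        { "commit returns 0",            0, 0 },
        { "commit returns sequence 1",   1, 0 },
        { "commit returns sequence 42", 42, 0 },
        { "commit fails (-1)",           0, 1 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int ret = stub_semanage_commit(cases[i].seq, cases[i].fail);
        printf("%-28s ret=%3d  original=%-3s fixed=%s\n", cases[i].name, ret,
               commit_check_original(ret) ? "EIO" : "ok",
               commit_check_fixed(ret) ? "EIO" : "ok");
    }
    return 0;
}
```

With a positive sequence number the original check reports EIO even though the commit succeeded, while the `< 0` check accepts both a zero and a positive return and still rejects -1.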

Fields changed

owner: somebody => sgallagh

Fixed by a476bf8

fixedin: => 1.2.5
resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.0

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1709

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
