#6856 The latest version of 4.4.0-14 ipa-server validates hardcoded SELinux sensitivities and categories numbers
Opened 2 years ago by pvoborni. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1435454

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

ipa server does not allow SELinux user maps with sensitivities larger than s15
and categories larger than c1023. These values are taken and hardcoded from the
default mls SELinux policy. However, the SELinux architecture allows one to set up
systems with sensitivity and category numbers that are larger than the
default. SELinux policy, kernel and user-level code do not assume that only 16
sensitivities and 1024 categories can exist on the system. ipa should not make
that assumption and should allow ipa to manage systems with a larger number of
sensitivities and categories. If ipa wants to enforce some kind of valid
number, it should be provided as a configuration parameter. Older, rhel6
versions of ipa did not enforce these maximum sensitivity and category
counts.

How reproducible:

100%

Steps to Reproduce:
1. Attempt to add an SELinux user map rule where the default context contains
sensitivity higher than s15 and/or category higher than c1023. For example, a
default context of staff_u:staff_r:staff_t:s0-s256:c0.c2048

Additional info:

One of the biggest advantages of SELinux mls is that it's flexible and configurable.
It's allowed to increase the number of sensitivities to 256, e.g. for interaction with
legacy CIPSO systems. Some may also need to increase the number of categories
beyond the default 1024. This new validation in ipa prevents ipa from managing systems with
updated sensitivities and/or categories. Our current workaround is to change
the ipa python plugin which enforces this limit. But that is cumbersome to
maintain and requires us to manually change the code every time the ipa rpm is
updated.
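As an added illustration (not FreeIPA's own validation code), the check below parses an SELinux user map default context and validates its MLS range against limits passed in as parameters instead of the hardcoded s15/c1023, so the context from the reproduction steps is rejected under the default-policy limits and accepted when the limits are raised. The function names and the parser are assumptions of this example.

```python
import re

# Limits of the default MLS policy: s0..s15 and c0..c1023 (the values the ticket says ipa hardcodes).
DEFAULT_MAX_SENS = 15
DEFAULT_MAX_CAT = 1023

# user:role:type[:mls-range]; the SELinux identifiers never contain ':'
_CTX_RE = re.compile(r"^([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+)(?::(.*))?$")
_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")          # sN[:categories]
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")          # cX or cX.cY


def _parse_level(level, max_sens, max_cat):
    """Validate one MLS level 'sN[:cX[.cY][,...]]' and return its sensitivity number."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise ValueError("malformed level %r" % level)
    sens = int(m.group(1))
    if sens > max_sens:
        raise ValueError("sensitivity s%d exceeds configured maximum s%d" % (sens, max_sens))
    if m.group(2):
        for part in m.group(2).split(","):
            cm = _CAT_RE.match(part)
            if not cm:
                raise ValueError("malformed category set %r" % part)
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            if lo > hi or hi > max_cat:
                raise ValueError("category set %s exceeds configured maximum c%d" % (part, max_cat))
    return sens


def validate_selinux_context(ctx, max_sens=DEFAULT_MAX_SENS, max_cat=DEFAULT_MAX_CAT):
    """Raise ValueError unless ctx is well formed and its MLS range fits the given limits."""
    m = _CTX_RE.match(ctx)
    if not m:
        raise ValueError("malformed context %r" % ctx)
    mls = m.group(4)
    if mls is None:
        return True                      # no MLS range at all (targeted-style context)
    low, _, high = mls.partition("-")    # levels never contain '-', so this splits the range
    lo_sens = _parse_level(low, max_sens, max_cat)
    if high and _parse_level(high, max_sens, max_cat) < lo_sens:
        raise ValueError("high level below low level in range %r" % mls)
    return True


def is_valid(ctx, **limits):
    """Boolean wrapper around validate_selinux_context()."""
    try:
        return validate_selinux_context(ctx, **limits)
    except ValueError:
        return False
```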

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1435454

2 years ago

Metadata Update from @pvoborni:
- Issue priority set to: critical

2 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

2 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

2 years ago
