When I add a SELinux type and/or role options to an existing sudo rule, an error is shown. Here is how to reproduce the issue:
Create a hostgroup called 'webservers' and a user group called 'sysadmin' with at least a single host and user as a member.
Create the hbac rule:
$ ipa hbacrule-add sysadmin_webservers
$ ipa hbacrule-add-host sysadmin_webservers --hostgroup webservers
$ ipa hbacrule-add-user sysadmin_webservers --group sysadmin
$ ipa hbacrule-mod sysadmin_webservers --servicecat=all

$ ipa sudorule-add sysadmin_sudo --hostcat=all --runasusercat=all --runasgroupcat=all --cmdcat=all
$ ipa sudorule-add-user sysadmin_sudo --group sysadmin
$ ipa selinuxusermap-add sysadmin_staff_t --hbacrule sysadmin_webservers --selinuxuser staff_u:s0-s0:c0.c1023
$ ipa sudorule-add-option sysadmin_sudo --sudooption type=unconfined_t
-------------------------------------------------------------
Added option "type=unconfined_t" to Sudo Rule "sysadmin_sudo"
-------------------------------------------------------------
  Rule name: sysadmin_sudo
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Sudo Option: type=unconfined_t
  Failed users/groups: cn=sysadmin,cn=groups,cn=accounts,dc=ipademo,dc=local

It's not expected to see the last 'Failed users/groups' error message.
No error is shown when the sudo rule is listed:
$ ipa sudorule-show sysadmin_sudo
  Rule name: sysadmin_sudo
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  User Groups: sysadmin
  Sudo Option: type=unconfined_t

$ rpm -q freeipa-server
freeipa-server-4.6.90.pre2-3.fc28.x86_64
Same bad output on sudorule-remove-option.
The problem is that the member is not translated from a DN into a type object (memberuser_host, memberuser_group, etc) so it is treated as a failure.
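The following is an added illustration of the translation step the comment above refers to; it is not FreeIPA's own code. It models a sudo rule's raw `memberuser` DNs as read from LDAP, maps each DN's container to the typed attribute the CLI prints it under, and shows that skipping that step turns every member into a "Failed users/groups" entry. The `cn=groups,cn=accounts` container matches the DN in the report; the other container names, the `fqdn=` host RDN, the base DN and the sample rule are assumptions constructed for this example.

```python
"""Illustration only, not FreeIPA code: translate sudo-rule member DNs into
typed attributes, and show the symptom when that translation is skipped."""

# Assumed mapping from the LDAP container a member lives in to the typed
# attribute the CLI prints. Only the groups container appears in the report;
# the rest are assumptions modelled on it.
CONTAINER_TO_ATTR = {
    "cn=users,cn=accounts": "memberuser_user",
    "cn=groups,cn=accounts": "memberuser_group",
    "cn=computers,cn=accounts": "memberhost_host",
    "cn=hostgroups,cn=accounts": "memberhost_hostgroup",
}

# Constructed sample data, not taken from a real server.
BASE_DN = "dc=ipademo,dc=local"
SAMPLE_RULE = {
    "cn": "sysadmin_sudo",
    "memberuser": ["cn=sysadmin,cn=groups,cn=accounts,dc=ipademo,dc=local"],
}


def first_rdn_value(rel_dn):
    """Return the value of the leading RDN, e.g. 'sysadmin' from 'cn=sysadmin,...'."""
    return rel_dn.split(",", 1)[0].split("=", 1)[1]


def translate_members(member_dns, base_dn):
    """Split raw member DNs into {typed_attr: [names]} and a list of failures.

    A DN counts as failed only when it is outside base_dn or sits in a
    container we have no typed attribute for."""
    typed, failed = {}, []
    suffix = "," + base_dn
    for dn in member_dns:
        if not dn.endswith(suffix):
            failed.append(dn)
            continue
        rel = dn[: -len(suffix)]                      # cn=sysadmin,cn=groups,cn=accounts
        container = rel.split(",", 1)[1] if "," in rel else ""
        attr = CONTAINER_TO_ATTR.get(container)
        if attr is None:
            failed.append(dn)
            continue
        typed.setdefault(attr, []).append(first_rdn_value(rel))
    return typed, failed


def summarize(entry, base_dn, translate=True):
    """Build the key/value lines a CLI summary would show for a sudo rule.

    With translate=False the DN-to-type step is skipped, so every member DN is
    left raw and lands under 'Failed users/groups', which is the symptom from
    the report even though the membership itself is fine."""
    lines = {"Rule name": entry["cn"]}
    raw = entry.get("memberuser", [])
    typed, failed = translate_members(raw, base_dn) if translate else ({}, list(raw))
    if typed.get("memberuser_user"):
        lines["Users"] = ", ".join(typed["memberuser_user"])
    if typed.get("memberuser_group"):
        lines["User Groups"] = ", ".join(typed["memberuser_group"])
    if failed:
        lines["Failed users/groups"] = ", ".join(failed)
    return lines


if __name__ == "__main__":
    for mode in (True, False):
        print("translate =", mode)
        for key, value in summarize(SAMPLE_RULE, BASE_DN, translate=mode).items():
            print(f"  {key}: {value}")
```

Run it and the `translate=True` pass prints `User Groups: sysadmin` with no failure line, while the `translate=False` pass prints the raw group DN under `Failed users/groups`, exactly the misleading output shown in the report. The practical check when reviewing such output is therefore whether the DN under "Failed" is a well-formed member in a known container (a rendering bug) or genuinely unresolvable (a real membership problem).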
Metadata Update from @rcritten:
- Issue assigned to rcritten

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7.1
https://github.com/freeipa/freeipa/pull/2190
master:
ipa-4-7:
Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1691939
Issue linked to Bugzilla: Bug 1691939
ipa-4-6: