#3224 Default SELinuxusermaporder needs to be mapped with default selinux users list
Closed: Fixed. Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=870053 (Red Hat Enterprise Linux 6)

Description of problem:
I was expecting the output of "ssh -l user host id -Z" to be
"user_u:user_r:user_t:s0-s0:c0.c1023", but only the following is returned:
user_u:user_r:user_t:s0

Version-Release number of selected component (if applicable):

[root@rhel64master ~]# rpm -qa|grep ipa-*|sort
ipa-admintools-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-client-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.20121022T2247z.el6.noarch
ipa-pki-common-theme-9.0.3-7.20121022T2247z.el6.noarch
ipa-python-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-server-selinux-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
libipa_hbac-1.9.90-0.20121022T2317zgit66318df.el6.x86_64
libipa_hbac-python-1.9.90-0.20121022T2317zgit66318df.el6.x86_64
[root@rhel64master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Add a selinuxusermap rule for user_u

[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermap1 --all
  dn: ipaUniqueID=217bad58-1d07-11e2-b007-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermap1
  SELinux User: user_u:s0-s0:c0.c1023
  HBAC Rule: rule1
  Enabled: TRUE
  ipauniqueid: 217bad58-1d07-11e2-b007-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]#

2. Run the following command to get the SELinux context assigned

[root@rhel64master ~]# ssh -l user1 rhel64master.testrelm.com id -Z
user_u:user_r:user_t:s0
[root@rhel64master ~]#

3. Here I see the SELinux context "user_u:user_r:user_t:s0", but I was expecting
"user_u:user_r:user_t:s0-s0:c0.c1023" because the default selinuxusermaporder has
it in the ordering.

[root@rhel64master ~]# ipa config-show|grep order
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
[root@rhel64master ~]#

4. We are getting this (user_u:user_r:user_t:s0) because of a conflict with the
default SELinux user list on the target system.

[root@rhel64master ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@rhel64master ~]#

Expected result:
Default selinuxusermaporder needs to be mapped with default selinux user list.

Only user_u needed to be changed.
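An added check, not part of this ticket or of FreeIPA itself, that performs the comparison behind step 4 in code: it parses the order string from ipa config-show and the semanage user -l table (both copied from the ticket above as constructed sample input) and reports every map-order entry whose MLS/MCS range differs from what the target system defines. The function names are my own.

```python
# Sample inputs copied from the ticket above into constants (constructed for this example)
SELINUX_USER_MAP_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023"
    "$unconfined_u:s0-s0:c0.c1023"
)

SEMANAGE_USER_OUTPUT = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
"""


def parse_map_order(order):
    """Split the '$'-separated SELinux user map order into (user, mls_range) pairs."""
    return [(user, rng) for user, _, rng in
            (item.partition(":") for item in order.split("$"))]


def parse_semanage_users(text):
    """Parse 'semanage user -l' output into {selinux_user: mls_mcs_range}."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: user, labeling prefix, MLS level, MLS/MCS range, roles...
        if len(fields) < 4 or fields[0] == "SELinux":
            continue
        users[fields[0]] = fields[3]
    return users


def find_conflicts(order, semanage_text):
    """Return (user, range_in_order, range_on_target) for every mismatching entry."""
    defined = parse_semanage_users(semanage_text)
    conflicts = []
    for user, mls_range in parse_map_order(order):
        system_range = defined.get(user)
        if system_range is None:
            conflicts.append((user, mls_range, "not defined on target"))
        elif system_range != mls_range:
            conflicts.append((user, mls_range, system_range))
    return conflicts
```

Run against the ticket's data it reports exactly one entry, user_u, whose order range s0-s0:c0.c1023 does not match the s0 that semanage defines; an entry for a user missing from the target system is reported as well.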

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)

7 years ago

