SSSD / sssd

Clone

#1626 sssd caching not working as expected for selinux usermap contexts
Closed: Fixed None Opened 11 years ago by dpal.

Closed: Fixed
Reopen Issue

https://bugzilla.redhat.com/show_bug.cgi?id=874579 (Red Hat Enterprise Linux 6)

Description of problem:
if two user's selinux context is stored in sssd cache and last user's context
is default selinux context, then default selinux context is applied for first
user as well if IPA server not reachable.

Version-Release number of selected component (if applicable):

[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1)if two user's selinux context is stored in sssd cache and last user's
context is default selinux context, then default selinux context is applied for
first user as well if IPA server not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1
rhel64client1.testrelm.com id -Z
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2
rhel64client1.testrelm.com id -Z
user2@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov  5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping IPA Server, so that sssd cache can be used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1
rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov  5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here selinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023

(2)SSSD cache works fine in case of single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1
rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Mon Nov  5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1
rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov  5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

I can reproduce. Picking up.

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => jhrozek
status: new => assigned
testsupdated: => 0

Fields changed

patch: 0 => 1
selected: =>

resolution: => fixed
status: assigned => closed

Metadata Update from @dpal:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4
7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2668

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata
None
None
None
major
defect
SSSD
None
None
0
1
https://bugzilla.redhat.com/show_bug.cgi?id=874579
0
None
None
None
None
None
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.