https://bugzilla.redhat.com/show_bug.cgi?id=874579 (Red Hat Enterprise Linux 6)
Description of problem:
If two users' selinux contexts are stored in the sssd cache and the last user's context is the default selinux context, then the default selinux context is applied for the first user as well if the IPA server is not reachable.

Version-Release number of selected component (if applicable):
[root@rhel64client1 ipa-selinuxusermap-func]# rpm -qa|grep sssd
sssd-1.9.2-4.el6.x86_64
sssd-client-1.9.2-4.el6.x86_64
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64master beaker]# rpm -qa|grep ipa-server
ipa-server-selinux-3.0.0-7.el6.x86_64
ipa-server-3.0.0-7.el6.x86_64
[root@rhel64master beaker]#

How reproducible:
Always

Steps to Reproduce:
(1) If two users' selinux contexts are stored in the sssd cache and the last user's context is the default selinux context, then the default selinux context is applied for the first user as well if the IPA server is not reachable.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user2 rhel64client1.testrelm.com id -Z
user2@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64client1 ipa-selinuxusermap-func]#
[root@rhel64client1 ipa-selinuxusermap-func]# date
Mon Nov 5 07:40:39 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Stopping IPA Server, so that sssd cache can be used.

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
PKI-IPA... [ OK ]
TESTRELM-COM... [ OK ]
Mon Nov 5 07:41:31 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Mon Nov 5 07:42:15 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

Here the selinux context should be staff_u:staff_r:staff_t:s0-s0:c0.c1023

(2) SSSD cache works fine in the case of a single user.

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov 5 07:54:50 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#

[root@rhel64master beaker]# service ipa stop;date
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
PKI-IPA... [ OK ]
TESTRELM-COM... [ OK ]
Mon Nov 5 07:55:37 EST 2012
[root@rhel64master beaker]#

[root@rhel64client1 ipa-selinuxusermap-func]# ssh -l user1 rhel64client1.testrelm.com id -Z;date
user1@rhel64client1.testrelm.com's password:
staff_u:staff_r:staff_t:s0-s0:c0.c1023
Mon Nov 5 07:56:02 EST 2012
[root@rhel64client1 ipa-selinuxusermap-func]#
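
The online/offline comparison from the reproduction steps can be automated as a regression check. The following is an added example, not part of the original report and not SSSD code: it assumes `id -Z` output has already been collected per login name for both phases, and the function names and sample dictionaries are hypothetical, constructed from the contexts shown in the report.

```python
# Added example (not SSSD code): flag users whose SELinux login context
# changes once the identity server is unreachable.
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    mls: str

def parse_context(text: str) -> Context:
    """Split 'user:role:type:range'; the MLS range itself may contain ':'."""
    parts = text.strip().split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not an SELinux context: {text!r}")
    return Context(*parts)

def find_offline_drift(online, offline, default_context):
    """Return one finding per user whose offline context differs from online.

    online/offline map login name -> `id -Z` output captured over ssh.
    'fell_back_to_default' marks the symptom in the report: the user's own
    mapping was not applied and the default context was used instead.
    """
    default = parse_context(default_context)
    findings = []
    for login, expected_raw in sorted(online.items()):
        if login not in offline:
            continue  # no offline login recorded for this user
        expected = parse_context(expected_raw)
        actual = parse_context(offline[login])
        if actual != expected:
            findings.append({
                "login": login,
                "expected": expected_raw.strip(),
                "actual": offline[login].strip(),
                "fell_back_to_default": actual == default,
            })
    return findings

# Constructed sample, using the context strings from the two-user scenario.
STAFF = "staff_u:staff_r:staff_t:s0-s0:c0.c1023"
UNCONFINED = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
ONLINE = {"user1": STAFF, "user2": UNCONFINED}
OFFLINE = {"user1": UNCONFINED}  # only user1 logged in after the server stopped

if __name__ == "__main__":
    for finding in find_offline_drift(ONLINE, OFFLINE, UNCONFINED):
        print(finding)
```

An empty result corresponds to the single-user case in step (2), where the cached context is applied correctly.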
I can reproduce. Picking up.
blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => jhrozek
status: new => assigned
testsupdated: => 0
Fields changed
patch: 0 => 1
selected: =>
resolution: => fixed
status: assigned => closed
Metadata Update from @dpal: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.9.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2668
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.