SSSD Does not cache SELinux map from FreeIPA correctly #3306

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
Labels: Bugzilla, Closed: Fixed (issue was closed as fixed)

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2264


Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1072067

+++ This bug was initially created as a clone of Bug #1071578 +++

Description of problem:
FreeIPA allows the user to create a set of SELinux user maps. These are not
cached properly, and as a result, for a user with a domain-joined system such as
a laptop, when the system is started without access to the domain network, your
SELinux permissions are reduced, causing a lack of system functionality until
you rejoin the domain network and log in / out.

Version-Release number of selected component (if applicable):
1.11.4-1

How reproducible:
Always

Steps to Reproduce:
1. Join a laptop to a freeipa domain.
2. In freeipa, create a default selinux user map with a low label, i.e.
user_u:user_r:user_t:s0. Then for the laptop system create an HBAC rule for the
user and the laptop. Then create an SELinux map for that HBAC rule such as
staff_u:staff_r:staff_t:s0:c0.c1023. Ensure that when you log in to the laptop
on the network, you get the staff role.
3. Disconnect all network devices on the laptop, reboot and login.

Actual results:
id -Z is user_u:user_r:user_t:s0

Expected results:
Since a login has already occurred, the label of
staff_u:staff_r:staff_t:s0:c0.c1023 should be cached and given to the user.

Additional info:
Given the nature of this bug, where a user may end up mislabelled, either in a
higher or lower context depending on the setup of the freeipa selinux defaults,
this may pose a security risk.

--- Additional comment from Jakub Hrozek on 2014-03-03 11:29:14 EST ---

Thank you for the bug report. I reproduced your problem and I'm working on a
fix.

Comments


Comment from jhrozek at 2014-03-04 16:56:13

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.5
owner: somebody => jhrozek
patch: 0 => 1
priority: major => critical
status: new => assigned


Comment from jhrozek at 2014-03-05 13:20:24

resolution: => fixed
status: assigned => closed


Comment from jhrozek at 2017-02-24 14:47:18

Metadata Update from @jhrozek:

  • Issue assigned to jhrozek
  • Issue set to the milestone: SSSD 1.11.5
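The reproduction and check from the bug report above, written out as an added shell example. This is not SSSD or FreeIPA project code. It assumes an IPA user `alice`, a host `laptop.example.com`, an HBAC rule named `laptop_staff_rule` and a SELinux map named `laptop_staff`; the `ipa` subcommands and options are the standard CLI ones, and the `semanage login -l` look-up of the mapping SSSD installs for pam_selinux is an assumption about the client side. One caveat worth knowing when following the steps: an IPA SELinux user map stores only the SELinux user and MLS range (for example `staff_u:s0-s0:c0.c1023`); the role and type shown by `id -Z` are filled in from the client's own policy.

```shell
#!/bin/sh
# Added example (not SSSD/FreeIPA code): set up the IPA SELinux user maps
# from the bug's "Steps to Reproduce" and check the label a login receives.
# Assumed names: IPA user "alice", host "laptop.example.com", HBAC rule
# "laptop_staff_rule", SELinux map "laptop_staff". Setup needs "kinit admin".

# Server side: run where the ipa CLI is available, with an admin ticket.
# IPA maps carry SELinux user + MLS range; role/type come from the client policy.
setup_ipa_maps() {
    user=${1:-alice}
    host=${2:-laptop.example.com}
    # Step 2a: low default for anyone who matches no map.
    ipa config-mod --ipaselinuxusermapdefault=user_u:s0
    # Step 2b: HBAC rule for this user on this host, all services.
    ipa hbacrule-add laptop_staff_rule --servicecat=all
    ipa hbacrule-add-user laptop_staff_rule --users="$user"
    ipa hbacrule-add-host laptop_staff_rule --hosts="$host"
    # Step 2c: SELinux map tied to that HBAC rule.
    ipa selinuxusermap-add laptop_staff \
        --selinuxuser=staff_u:s0-s0:c0.c1023 --hbacrule=laptop_staff_rule
    # Confirm the rule matches before testing offline behaviour.
    ipa hbactest --user="$user" --host="$host" --service=login
}

# Pure helper: the SELinux user is the first colon-separated field of a context.
selinux_user_of() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Pure helper: returns 0 if the context's SELinux user is the expected one,
# 1 otherwise (a mismatch after a previous online login is the bug).
check_label() {
    actual=$(selinux_user_of "$1")
    if [ "$actual" = "$2" ]; then
        printf 'OK: SELinux user is %s\n' "$actual"
        return 0
    fi
    printf 'MISMATCH: SELinux user is %s, expected %s\n' "$actual" "$2" >&2
    return 1
}

# Client side: run as the IPA user on the laptop, first online, then again
# after rebooting with all network devices disabled.
verify_laptop() {
    expected=${1:-staff_u}
    # Login mapping SSSD installs for pam_selinux (assumed visible via semanage).
    semanage login -l 2>/dev/null | grep "^$(id -un)[[:space:]]" \
        || echo "no SELinux login mapping found for $(id -un)"
    check_label "$(id -Z)" "$expected"
}

case "${1:-}" in
    setup)  shift; setup_ipa_maps "$@" ;;
    verify) shift; verify_laptop "$@" ;;
esac
```

Usage: `sh reproduce.sh setup alice laptop.example.com` on a host with the `ipa` CLI and an admin ticket, then `sh reproduce.sh verify staff_u` on the laptop while online (expect `OK`), and once more after rebooting offline. A `MISMATCH` on the offline run, with `user_u` in place of `staff_u`, is the behaviour the bug describes; as the report notes, with a high default and a low mapped label the error runs the other way, so the check compares against whatever label the online login produced rather than assuming the mismatch is always downward.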
sssd-bot added the labels Bugzilla and Closed: Fixed, and closed this as completed on May 2, 2020.