Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. #5155

thalman · 2020-05-13T07:43:37Z

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1553784

Description of problem:

not sure if this is an sssd bug or selinux-context one. I want to document the
issue found in a customer case.

By default, sssd-ad sets the home directory path as /home/<AD domain>/<Unix
username>

With existing SELinux contexts, this ends up having the following:

*/home* have the *home_root_t* context (which is OK)
*/home/<AD domain>* have the *user_home_dir_t* context (which seems to be
wrong)
*/home/<AD domain>/<Unix username>* have the *user_home_t* context (which is
also wrong)

The expected behavior should be:

- /home/<AD Domain> should have *user_root_t* context
- /home/<AD Domain>/<User> should have *user_home_dir_t*
- an equivalency context should be created for /home/<AD Domain> based on /home
- /home/<AD Domain> should exist prior to mkhomedir running, or mkhomedir
should also have the *create* call in its allow list (allow oddjob_mkhomedir_t
home_root_t : dir { ... } ;)



Version-Release number of selected component (if applicable): RHEL7.4

The text was updated successfully, but these errors were encountered:

The default value of fallback_homedir expands into path, that is not expected by selinux. Generally not only selinux might be affected by this default value. This PR documents the issue and recommends further steps. Resolves: SSSD#5155

The default value of fallback_homedir expands into path, that is not expected by selinux. Generally not only selinux might be affected by this default value. This PR documents the issue and recommends further steps. Resolves: #5155 Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com> (cherry picked from commit d8d7438)

pbrezina · 2020-05-22T08:01:36Z

Pushed PR: #5156

master
- d8d7438 - man: Document invalid selinux context for homedirs
sssd-1-16
- adebc96 - man: Document invalid selinux context for homedirs

alexey-tikhonov · 2020-06-10T14:35:39Z

RHEL8 BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1845987

The default value of fallback_homedir expands into path, that is not expected by selinux. Generally not only selinux might be affected by this default value. This PR documents the issue and recommends further steps. Resolves: SSSD#5155 Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com> (cherry picked from commit d8d7438)

thalman mentioned this issue May 13, 2020

man: Document invalid selinux context for homedirs #5156

Closed

thalman added branch: sssd-1-16 Target also sssd-1-16 branch Waiting for review labels May 13, 2020

pbrezina added the Bugzilla label May 22, 2020

pbrezina closed this as completed in d8d7438 May 22, 2020

pbrezina added the Closed: Fixed Issue was closed as fixed. label May 22, 2020

alexey-tikhonov removed the Waiting for review label Jun 10, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. #5155

Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. #5155

thalman commented May 13, 2020

pbrezina commented May 22, 2020

alexey-tikhonov commented Jun 10, 2020

Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. #5155

Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. #5155

Comments

thalman commented May 13, 2020

pbrezina commented May 22, 2020

alexey-tikhonov commented Jun 10, 2020