People,
I've been trying to debug a SELinux issue related to the domain resolution order.
Basically, if there's no domain_resolution_order set:

[root@client1 vagrant]# ssh -l admin localhost
Password:
Last login: Mon May 21 19:00:06 2018 from ::1
[admin@client1 ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

But, if domain_resolution_order is set:

[root@client1 vagrant]# ssh -l admin localhost
Password:
Last login: Mon May 21 19:30:45 2018 from ::1
[admin@ipa.example@client1 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
First thing that came to my mind was to take a look at selinux_child.logs, but it didn't give me any clue as the logs are exactly the same for both cases:
No domain_resolution_order set:

(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] (0x0400): selinux_child started.
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] (0x2000): Running with real IDs [0][0].
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] (0x0400): context initialized
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): seuser length: 7
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): seuser: staff_u
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): mls_range length: 14
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): username length: 5
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): username: admin
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] (0x0400): performing selinux operations
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: staff_u mls: s0-s0:c0.c1023
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [pack_buffer] (0x0400): result [0]
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [prepare_response] (0x4000): r->size: 4
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] (0x0400): selinux_child completed successfully

domain_resolution_order set:

(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] (0x0400): selinux_child started.
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] (0x2000): Running with real IDs [0][0].
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] (0x0400): context initialized
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): seuser length: 7
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): seuser: staff_u
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): mls_range length: 14
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): username length: 5
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): username: admin
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] (0x0400): performing selinux operations
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: staff_u mls: s0-s0:c0.c1023
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [pack_buffer] (0x0400): result [0]
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [prepare_response] (0x4000): r->size: 4
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] (0x0400): selinux_child completed successfully
Taking a look at the IPA provider, the logs also look very much the same: https://paste.fedoraproject.org/paste/FKhvxyj3clzXuE5C7tMGhw (the paste is huge!)
Any tip on which logs I could take a look at and/or which part of the code I could instrument in order to, at least, get some direction?
Thanks in advance,
--
Fabiano Fidêncio
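As an added illustration (not code from the original post, nor from SSSD): the selinux_child lines above can be reduced to their unpacked fields and diffed between the two runs, which confirms mechanically what the post says by eye, namely that the child receives the same seuser, MLS range and username both times. The second half models one thing worth checking next: the login name in the prompt changes from "admin" to "admin@ipa.example" once domain_resolution_order is set, and a seusers-style mapping written for the short name would not match the fully qualified one. The seusers content is constructed, and the lookup is a simplified model of libselinux getseuserbyname(3) (exact entry, then __default__; %group entries ignored); treating this as the cause is an assumption, not something the post establishes.

```python
"""Added example: field-level diff of two SSSD selinux_child debug runs, plus a
simplified seusers lookup model (not SSSD or libselinux code)."""
import re

# Lines copied from the two selinux_child runs quoted in the post; the runs
# differ only in timestamp and PID.
RUN_NO_ORDER = """\
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): seuser: staff_u
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [unpack_buffer] (0x2000): username: admin
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: staff_u mls: s0-s0:c0.c1023
(Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [pack_buffer] (0x0400): result [0]
"""
RUN_WITH_ORDER = """\
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): seuser: staff_u
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [unpack_buffer] (0x2000): username: admin
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: staff_u mls: s0-s0:c0.c1023
(Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [pack_buffer] (0x0400): result [0]
"""

# "(timestamp) [[sssd[selinux_child[PID]]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[selinux_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)


def parse_run(text):
    """Extract the fields selinux_child unpacked and the lookup it performed."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields.setdefault("pid", m["pid"])
        func, msg = m["func"], m["msg"]
        if func == "unpack_buffer":
            key, _, value = msg.partition(": ")
            if key in ("seuser", "mls_range", "username"):
                fields[key] = value
        elif func == "seuser_needs_update":
            g = re.search(r"ret: (\d+) seuser: (\S+) mls: (\S+)", msg)
            if g:
                fields["lookup_ret"] = int(g[1])
                fields["lookup_seuser"] = g[2]
                fields["lookup_mls"] = g[3]
        elif func == "pack_buffer":
            g = re.search(r"result \[(\d+)\]", msg)
            if g:
                fields["result"] = int(g[1])
    return fields


def diff_runs(a, b, ignore=("pid",)):
    """Fields whose values differ between two parsed runs (PID is noise)."""
    keys = set(a) | set(b)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys)
            if k not in ignore and a.get(k) != b.get(k)}


# Constructed sample in the seusers(5) "name:seuser:mls" layout; the admin entry
# models a mapping written for the short login name only.
SEUSERS_SAMPLE = """\
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
admin:staff_u:s0-s0:c0.c1023
"""


def lookup_seuser(seusers_text, login_name):
    """Simplified getseuserbyname(3): an exact login-name entry wins, otherwise
    __default__ applies; returns (seuser, mls) or None if neither exists."""
    entries = {}
    for raw in seusers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            continue
        entries[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return entries.get(login_name, entries.get("__default__"))


if __name__ == "__main__":
    a, b = parse_run(RUN_NO_ORDER), parse_run(RUN_WITH_ORDER)
    print("differing fields:", diff_runs(a, b) or "none (only timestamp/PID differ)")
    # Short name hits the mapping; the fully qualified name falls to __default__.
    for name in ("admin", "admin@ipa.example"):
        print(name, "->", lookup_seuser(SEUSERS_SAMPLE, name))
```

Run against the real child logs, diff_runs returning an empty dict is the signal to stop looking at selinux_child and move to whatever consumes the mapping with the login name PAM actually saw; the lookup model shows why the two spellings of the same account can land on different SELinux users.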