URL: https://github.com/SSSD/sssd/pull/189 Author: justin-stephenson Title: #189: SELINUX: Use getseuserbyname to get IPA seuser Action: opened
PR body: """ Retrieve SELinux username utilizing libselinux API as a more reliable method than libsemanage calls and remove get_seuser function which is no longer needed.
Resolves: https://pagure.io/SSSD/sssd/issue/3308
Tested on IPA client with:
- running `semanage login -d testuser`
- login as **testuser** and check `/var/log/sssd/selinux_child.log` """
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/189/head:pr189
git checkout pr189
```
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
centos-ci commented: """ Can one of the admins verify this patch? """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-285506515
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
centos-ci commented: """ Can one of the admins verify this patch? """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-285506518
URL: https://github.com/SSSD/sssd/pull/189 Author: justin-stephenson Title: #189: SELINUX: Use getseuserbyname to get IPA seuser Action: synchronized
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/189/head:pr189
git checkout pr189
```
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
jhrozek commented: """ ok to test """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-285601383
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
lslebodn commented: """ @justin-stephenson are you able to reproduce the bug with `semanage login -d testuser`? Because I used a little bit more complicated test-case and I can still reproduce the bug from comment https://pagure.io/SSSD/sssd/issue/3308#comment-220396
```
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [main] (0x2000): Running with real IDs [0][0].
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [main] (0x0400): context initialized
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [unpack_buffer] (0x2000): seuser length: 12
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [unpack_buffer] (0x2000): mls_range length: 14
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [unpack_buffer] (0x2000): username length: 5
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [unpack_buffer] (0x2000): username: admin
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [main] (0x0400): performing selinux operations
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: admin mls: unknown
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [set_seuser] (0x0020): Cannot init SELinux management
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [main] (0x0020): Cannot set SELinux login context.
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578]]]] [main] (0x0020): selinux_child failed!
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291138493
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
justin-stephenson commented: """ @lslebodn in my testing, the SELinux child process gets called twice during IPA client login. Before the patch the first call would error with similar `libsemanage` errors but the second would be successful. These are just cosmetic errors, however; I could not reproduce any failed login problem.
```
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3047]]]] [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3047]]]] [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3047]]]] [main] (0x0400): context initialized
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3047]]]] [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3047]]]] [libsemanage] (0x0020): could not query record value
[[sssd[selinux_child[3047]]]] [get_seuser] (0x0020): Cannot query for testuser1
[[sssd[selinux_child[3047]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
[[sssd[selinux_child[3047]]]] [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3047]]]] [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child completed successfully
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3063]]]] [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3063]]]] [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3063]]]] [main] (0x0400): context initialized
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3063]]]] [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3063]]]] [get_seuser] (0x0040): SELinux user for testuser1: unconfined_u
[[sssd[selinux_child[3063]]]] [get_seuser] (0x0040): SELinux range for testuser1: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3063]]]] [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child completed successfully
```
After the patch, both calls are successful and the `libsemanage` errors never happen. Do you have some reproducer instructions for the failures you mention?
"""
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291160431
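The two-invocation log quoted in the comment above is the evidence the thread argues over. As an added example (not code from the PR or from SSSD), this Python parses selinux_child entries in that `[[sssd[selinux_child[PID]]]] [function] (0xLEVEL): message` format, groups them per child PID, and flags invocations that reported "completed successfully" even though the seuser lookup failed or returned unknown values, which is the "cosmetic error" case; the sample log is constructed from lines quoted in the thread.

```python
import re

# One selinux_child entry: optional "(timestamp) ", then
# [[sssd[selinux_child[PID]]]] [function] (0xLEVEL): message
ENTRY_RE = re.compile(
    r"^(?:\([^)]*\)\s+)?\[\[sssd\[selinux_child\[(?P<pid>\d+)\]\]\]\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+(?P<msg>.*)$"
)
# Result line emitted by seuser_needs_update for either lookup function
RESULT_RE = re.compile(r"ret:\s*(?P<ret>\d+)\s+seuser:\s*(?P<seuser>\S+)\s+mls:\s*(?P<mls>\S+)")

# Constructed sample: two selinux_child invocations, taken from the log
# quoted in the thread (first hits libsemanage errors, second succeeds).
SAMPLE_LOG = """\
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3047]]]] [libsemanage] (0x0020): could not query record value
[[sssd[selinux_child[3047]]]] [get_seuser] (0x0020): Cannot query for testuser1
[[sssd[selinux_child[3047]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child completed successfully
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3063]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child completed successfully
"""

def parse_entry(line):
    """Return the fields of one log entry, or None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_runs(text):
    """Group entries by child PID and record lookup result, errors and outcome."""
    runs = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        run = runs.setdefault(e["pid"], {"errors": [], "ret": None,
                                         "seuser": None, "mls": None, "completed": False})
        if e["level"] == "0x0020":   # the level carried by the error lines in the thread
            run["errors"].append(f"[{e['func']}] {e['msg']}")
        if e["func"] == "seuser_needs_update" and (m := RESULT_RE.search(e["msg"])):
            run["ret"], run["seuser"], run["mls"] = int(m["ret"]), m["seuser"], m["mls"]
        if e["func"] == "main":      # the last [main] line decides the outcome
            run["completed"] = "completed successfully" in e["msg"]
    return runs

def find_silent_failures(runs):
    """PIDs that reported success although the seuser lookup failed or
    returned unknown values: the 'cosmetic error' case the thread discusses."""
    return sorted(pid for pid, r in runs.items()
                  if r["completed"] and (r["ret"] != 0 or "unknown" in (r["seuser"], r["mls"])))
```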
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
lslebodn commented: """ @justin-stephenson If you have time, could you test patch #165 with your use-case? If you are busy then I will have time tomorrow. """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291192342
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
justin-stephenson commented: """ @lslebodn I tested the patch in #165 and it successfully resolves the original sssd errors `[libsemanage] (0x0020): could not query record value`; however, I don't know if it would solve the issue reported in downstream BZ 1412717, which was the main reason I submitted this PR.
I could also modify this PR to not touch **get_seuser()** code and only call **getseuserbyname()** if **get_seuser()** fails. """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291228133
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
fidencio commented: """ @lslebodn, @justin-stephenson: What's the state of this PR? Is this still valid? In case it's still valid, @justin-stephenson, may I ask you to rebase the patches on our git master, as they currently have some conflicts? """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-318268525
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
justin-stephenson commented: """ @fidencio To be honest, I don't really know if this ticket is required anymore; it may not be required after https://pagure.io/SSSD/sssd/issue/3297 was fixed.
I don't think any user is waiting for a fix, so I will go ahead and close this PR, and I will leave the decision to close upstream ticket 3308 to your team. """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-318719796
URL: https://github.com/SSSD/sssd/pull/189 Author: justin-stephenson Title: #189: SELINUX: Use getseuserbyname to get IPA seuser Action: closed
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/189/head:pr189
git checkout pr189
```
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
jhrozek commented: """ Well, not so fast :) @mzidek-rh don't we want to use the libsemanage API anyway? Didn't this solve some real world bug? """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-318923875
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
mzidek-rh commented: """ @jhrozek this patch replaces a function from libsemanage with a function from libselinux... The commit message says that libselinux is recommended over libsemanage by SELinux developers. If that is the case, I think it makes sense to use the preferred version. So I would not close this PR. Also, this patch removes more code than it adds, which is welcome. """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-319019703
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
mzidek-rh commented: """ By the way, in this issue: https://pagure.io/SSSD/sssd/issue/3308
it states that Petr Lautrbach recommended using the libselinux function. I think that is reason enough to reopen this PR, even though it does not have high priority, because the more important selinux bug we had was resolved differently. (@justin-stephenson, you already deleted the branch so I cannot reopen it; would you mind creating the branch again?) """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-319023093
URL: https://github.com/SSSD/sssd/pull/189 Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
justin-stephenson commented: """ @mzidek-rh I pushed my local copy of the branch to my fork, but a new PR was created (sorry for that).
I rebased the patch and tested it again to be sure it still works.
New PR is https://github.com/SSSD/sssd/pull/342 """
See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-319143686
sssd-devel@lists.fedorahosted.org