View Issue Details

ID: 0017724
Project: CentOS-8
Category: srptools
View Status: public
Last Update: 2020-09-13 23:39
Reporter: Dark-Knight
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.2.2004
Target Version:
Fixed in Version:
Summary: 0017724: FreeIPA SELinux user ROLE_ASSIGN keeps changing to default upon login

Description:
Using iDM web interface, I've assigned user "tstark" the selinux mapping of staff_u

grep tstark /var/log/audit/audit.log | grep -i role_assign

## This is my user using ssh

type=ROLE_ASSIGN msg=audit(1599957813.378:3237): pid=272202 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sssd_selinux_manager_t:s0 msg='op=login-sename,role,range acct="tstark" old-seuser=? old-role=? old-range=? new-seuser=unconfined_u new-role=system_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/sssd/selinux_child" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

## This is a root change using semanage login --modify -s staff_u -r s0-s0:c0.c1023 tstark
## New selinux mapping is now staff_u

type=ROLE_ASSIGN msg=audit(1599958306.629:3449): pid=273596 uid=0 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login-sename,role,range acct="tstark" old-seuser=unconfined_u old-role=system_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=staff_u new-role=staff_r,sysadm_r,unconfined_r new-range=c0.c1023 exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=pts/0 res=success'UID="root" AUID="bwayne"

type=ROLE_ASSIGN msg=audit(1599958322.184:3461): pid=273631 uid=0 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login-sename,role,range acct="tstark" old-seuser=unconfined_u old-role=system_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=staff_u new-role=staff_r,sysadm_r,unconfined_r new-range=c0.c1023 exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=pts/0 res=success'UID="root" AUID="bwayne"

 
type=ROLE_ASSIGN msg=audit(1599958356.242:3462): pid=273644 uid=0 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login-sename,role acct="tstark" old-seuser=unconfined_u old-role=system_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=staff_u new-role=staff_r,sysadm_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=pts/0 res=success'UID="root" AUID="bwayne"

## User again logs in via SSH and the selinux mapping reverts to the default unconfined user. The selinux_child is changing the role back. Looking at the IPA server configuration file, the default selinux mapping just happens to be the unconfined user.
I suspect that the selinux_child is reading/querying the sssd underlying services and reapplying the default selinux user mapping instead of the defined selinux mapping.

type=ROLE_ASSIGN msg=audit(1599958380.416:3471): pid=273659 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sssd_selinux_manager_t:s0 msg='op=login-sename,role acct="tstark" old-seuser=staff_u old-role=staff_r,sysadm_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=unconfined_u new-role=system_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/sssd/selinux_child" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

## Another semanage login modification

type=ROLE_ASSIGN msg=audit(1599958412.566:3493): pid=273777 uid=0 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login-sename,role acct="tstark" old-seuser=unconfined_u old-role=system_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=staff_u new-role=staff_r,sysadm_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=pts/0 res=success'UID="root" AUID="bwayne"

## Another ssh session started and completed. Mapping changed to the default.

type=ROLE_ASSIGN msg=audit(1600000127.475:3860): pid=309620 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sssd_selinux_manager_t:s0 msg='op=login-sename,role acct="tstark" old-seuser=staff_u old-role=staff_r,sysadm_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=unconfined_u new-role=system_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/sssd/selinux_child" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

type=ROLE_ASSIGN msg=audit(1600004514.511:3964): pid=312667 uid=0 auid=1000 ses=37 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login-sename,role acct="tstark" old-seuser=unconfined_u old-role=system_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=staff_u new-role=staff_r,sysadm_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/platform-python3.6" hostname=? addr=? terminal=pts/0 res=success'UID="root" AUID="bwayne"

type=ROLE_ASSIGN msg=audit(1600004574.868:3973): pid=312697 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sssd_selinux_manager_t:s0 msg='op=login-sename,role acct="tstark" old-seuser=staff_u old-role=staff_r,sysadm_r,unconfined_r old-range=s0-s0:c0.c1023 new-seuser=unconfined_u new-role=system_r,unconfined_r new-range=s0-s0:c0.c1023 exe="/usr/libexec/sssd/selinux_child" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

Anyway, outside of the various log files, I'm not exactly sure how to debug the problem and I'm looking for some guidance.
Tags: selinux, sssd
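
One way to pull the overwrite pattern out of the audit log, as an added example that is not part of the original report: it pairs each ROLE_ASSIGN record written by selinux_child with the last mapping another program (here semanage) set for the same account. The function name and result keys are made up for illustration, and the sample records are abbreviated from the ones quoted above.

```python
import re

# Audit header: epoch seconds and event serial number.
RECORD = re.compile(r"type=ROLE_ASSIGN msg=audit\((\d+)\.\d+:(\d+)\)")
# key=value pairs, quoted or bare; the opening msg=' wrapper is skipped.
FIELD = re.compile(r"""([\w-]+)="?([^\s"']+)""")
SSSD_CHILD = "/usr/libexec/sssd/selinux_child"  # exe path seen in the report

# Constructed sample: records abbreviated from the ones quoted in the report.
SAMPLE = """\
type=ROLE_ASSIGN msg=audit(1599957813.378:3237): uid=0 auid=4294967295 msg='op=login-sename,role,range acct="tstark" old-seuser=? new-seuser=unconfined_u exe="/usr/libexec/sssd/selinux_child" res=success'UID="root" AUID="unset"
type=ROLE_ASSIGN msg=audit(1599958356.242:3462): uid=0 auid=1000 msg='op=login-sename,role acct="tstark" old-seuser=unconfined_u new-seuser=staff_u exe="/usr/libexec/platform-python3.6" res=success'UID="root" AUID="bwayne"
type=ROLE_ASSIGN msg=audit(1599958380.416:3471): uid=0 auid=4294967295 msg='op=login-sename,role acct="tstark" old-seuser=staff_u new-seuser=unconfined_u exe="/usr/libexec/sssd/selinux_child" res=success'UID="root" AUID="unset"
type=ROLE_ASSIGN msg=audit(1599958412.566:3493): uid=0 auid=1000 msg='op=login-sename,role acct="tstark" old-seuser=unconfined_u new-seuser=staff_u exe="/usr/libexec/platform-python3.6" res=success'UID="root" AUID="bwayne"
type=ROLE_ASSIGN msg=audit(1600000127.475:3860): uid=0 auid=4294967295 msg='op=login-sename,role acct="tstark" old-seuser=staff_u new-seuser=unconfined_u exe="/usr/libexec/sssd/selinux_child" res=success'UID="root" AUID="unset"
"""

def find_reverts(log_text):
    """Return SSSD writes that replaced a mapping set by another program."""
    local = {}    # acct -> (seuser, epoch, AUID) of the last non-SSSD change
    reverts = []
    for line in log_text.splitlines():
        head = RECORD.search(line)
        if not head:
            continue
        f = dict(FIELD.findall(line))
        acct, new = f.get("acct"), f.get("new-seuser")
        if f.get("res") != "success" or not acct or not new:
            continue
        ts, serial = int(head.group(1)), int(head.group(2))
        if f.get("exe") != SSSD_CHILD:
            local[acct] = (new, ts, f.get("AUID", "?"))
        elif acct in local and local[acct][0] != new:
            wanted, when, who = local.pop(acct)  # report each overwrite once
            reverts.append({"acct": acct, "serial": serial, "wanted": wanted,
                            "got": new, "set_by": who,
                            "seconds_after_local_change": ts - when})
    return reverts

if __name__ == "__main__":
    for r in find_reverts(SAMPLE):
        print(r)
```

The first login record is not reported because no other program had set a mapping for the account yet; the same function accepts the full contents of /var/log/audit/audit.log.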

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-09-13 23:39 Dark-Knight New Issue
2020-09-13 23:39 Dark-Knight Tag Attached: selinux
2020-09-13 23:39 Dark-Knight Tag Attached: sssd