URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

justin-stephenson commented:
"""
@lslebodn in my testing, the SELinux child process gets called twice during IPA client login. Before the patch the first call would error with similar `libsemanage` errors but the second would be successful. These are just cosmetic errors however, I could not reproduce any failed login problem.

```
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3047]]]] [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3047]]]] [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3047]]]] [main] (0x0400): context initialized
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3047]]]] [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3047]]]] [libsemanage] (0x0020): could not query record value
[[sssd[selinux_child[3047]]]] [get_seuser] (0x0020): Cannot query for testuser1
[[sssd[selinux_child[3047]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
[[sssd[selinux_child[3047]]]] [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3047]]]] [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child completed successfully
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3063]]]] [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3063]]]] [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3063]]]] [main] (0x0400): context initialized
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3063]]]] [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3063]]]] [get_seuser] (0x0040): SELinux user for testuser1: unconfined_u
[[sssd[selinux_child[3063]]]] [get_seuser] (0x0040): SELinux range for testuser1: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3063]]]] [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child completed successfully
```

After the patch, both calls are successful and the `libsemanage` errors never happen.

Do you have some reproducer instructions for the failures you mention?
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291160431