On Mon, May 21, 2018 at 10:32 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > >> On 21 May 2018, at 21:39, Fabiano Fidêncio <fiden...@redhat.com> wrote: >> >> People, >> >> I've been trying to debug a SELinux issue related to the domain >> resolution order. >> >> Basically, if there's no domain_reoslution_order set: >> [root@client1 vagrant]# ssh -l admin localhost >> Password: >> Last login: Mon May 21 19:00:06 2018 from ::1 >> [admin@client1 ~]$ id -Z >> staff_u:staff_r:staff_t:s0-s0:c0.c1023 >> >> But, if domain_resolution_order is set: >> [root@client1 vagrant]# ssh -l admin localhost >> Password: >> Last login: Mon May 21 19:30:45 2018 from ::1 >> [admin@ipa.example@client1 ~]$ id -Z >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > Since sssd calls into libsemanage, then I would start with looking at the > output of “semanage login -l”.
You gave me this tip before, I did test it but I forgot to add details about it :-/ The output is basically the same with or without domain_resolution_order set: [root@client1 x86_64]# cat /etc/sssd/sssd.conf | grep domain_resolution_order domain_resolution_order = foo [root@client1 x86_64]# systemctl restart sssd [root@client1 x86_64]# semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * admin staff_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * [root@client1 x86_64]# vim /etc/sssd/sssd.conf [root@client1 x86_64]# cat /etc/sssd/sssd.conf | grep domain_resolution_order #domain_resolution_order = foo [root@client1 x86_64]# systemctl restart sssd [root@client1 x86_64]# semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * admin staff_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * > Is the context after selinux_child runs to completion set for admin or > admin@ipa.example? In the selinux_child.log I can only see: [[sssd[selinux_child[18149]]]] [unpack_buffer] (0x2000): username: admin And it happens for both cases, with or without domain_resolution_order being used. > Maybe libsemanage canonicalizes the name or UID with getpnam/uid and > therefore uses the qualified name but because the provider has no sense of > the domain_resolution_order, it calls sss_set_seuser() with the shortname? That's a good question. sss_set_seuser() hasn't been called, at all. > > Looking at whether we call sss_set_seuser() with the correct parameters might > give some hint as well. > >> >> First thing that came to my mind was to take a look at >> selinux_child.logs, but it didn't give me any clue as the logs are >> exactly the same for both cases: >> >> No domain_resolution_order set: >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] >> (0x0400): selinux_child started. >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] >> (0x2000): Running with effective IDs: [0][0]. >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] >> (0x2000): Running with real IDs [0][0]. >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] >> (0x0400): context initialized >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [unpack_buffer] (0x2000): seuser length: 7 >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [unpack_buffer] (0x2000): seuser: staff_u >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [unpack_buffer] (0x2000): mls_range length: 14 >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023 >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [unpack_buffer] (0x2000): username length: 5 >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [unpack_buffer] (0x2000): username: admin >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] >> (0x0400): performing selinux operations >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: >> staff_u mls: s0-s0:c0.c1023 >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [pack_buffer] (0x0400): result [0] >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] >> [prepare_response] (0x4000): r->size: 4 >> (Mon May 21 19:30:44 2018) [[sssd[selinux_child[23351]]]] [main] >> (0x0400): selinux_child completed successfully >> >> domain_resolution_order set: >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] >> (0x0400): selinux_child started. >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] >> (0x2000): Running with effective IDs: [0][0]. >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] >> (0x2000): Running with real IDs [0][0]. >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] >> (0x0400): context initialized >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [unpack_buffer] (0x2000): seuser length: 7 >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [unpack_buffer] (0x2000): seuser: staff_u >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [unpack_buffer] (0x2000): mls_range length: 14 >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023 >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [unpack_buffer] (0x2000): username length: 5 >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [unpack_buffer] (0x2000): username: admin >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] >> (0x0400): performing selinux operations >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: >> staff_u mls: s0-s0:c0.c1023 >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [pack_buffer] (0x0400): result [0] >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] >> [prepare_response] (0x4000): r->size: 4 >> (Mon May 21 19:31:36 2018) [[sssd[selinux_child[23398]]]] [main] >> (0x0400): selinux_child completed successfully >> >> Taking a look at the IPA provider, logs also do like the very same: >> https://paste.fedoraproject.org/paste/FKhvxyj3clzXuE5C7tMGhw (pastebin >> is huge!) >> >> Some tip on which logs I could take a look and/or part of the code I >> could instrument in order to, at least, get some directions? >> >> Thanks in advance, >> -- >> Fabiano Fidêncio >> _______________________________________________ >> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org >> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/2G5K5WWNZZHHOXTIWF62ETMA4QA6ZJGW/ > _______________________________________________ > sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org > To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/6QGWQTMVLNJ7APF5WXMVYZG35EM4EPTY/ _______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/BNSBQ2DKFOGFNYRZFN2PO4FJ3IASHMWK/