RHEL-28857

ipa-client-install --uninstall restores the previous configuration with wrong labels

    • Bug
    • Resolution: Duplicate
    • Normal
    • rhel-8.9.0
    • authselect
    • Moderate
    • rhel-sst-idm-sssd
    • ssg_idm
    • Red Hat Enterprise Linux
    • x86_64

      What were you trying to do that didn't work?

      When we run an ipa-client-install --uninstall with SELinux enforcing, we cannot log in using ssh keys or as root via console after reboot.

      An autorelabel is required to restore the labels of the /etc/pam.d and /etc/authselect config.

      Please provide the package NVR for which the bug is seen:

      ipa-client-common-4.9.12-9.

      How reproducible:

      always

      Steps to reproduce

      1. enable selinux
      2. ipa-client-install --uninstall
      3. login fails

      Expected results

      login successful / restored files with correct SELinux labels

      Actual results

      files are labeled with var_lib_t:

      # ls -lZ /etc/authselect/*
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 38 Mar 11 10:01 /etc/authselect/authselect.conf
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 194 Mar 11 10:01 /etc/authselect/dconf-db
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 205 Mar 11 10:01 /etc/authselect/dconf-locks
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 140 Mar 11 10:01 /etc/authselect/fingerprint-auth
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 2963 Mar 11 10:01 /etc/authselect/nsswitch.conf
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 1164 Mar 11 10:01 /etc/authselect/password-auth
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 399 Mar 11 10:01 /etc/authselect/postlogin
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 140 Mar 11 10:01 /etc/authselect/smartcard-auth
      -rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 1164 Mar 11 10:01 /etc/authselect/system-auth
      -rw-r--r--. 1 root root system_u:object_r:etc_t:s0 2120 Feb 25 17:44 /etc/authselect/user-nsswitch.conf

      This is due to the restore from the backup files in /var:

      /var/lib/authselect/backups/pre_ipaclient_20240306090818/authselect.conf

      From the strace:

      ipaclient gets the label of the backup file (var_lib_t):

      2536 [unconfined_t] 11:35:04.533239 getxattr("/var/lib/authselect/backups/pre_ipaclient_20240306090818/authselect.conf" [var_lib_t], "security.selinux", "unconfined_u:object_r:var_lib_t:"..., 255) = 35 <0.000027>
      ...
      2536 [unconfined_t] 11:35:04.538494 read(3</var/lib/authselect/backups/pre_ipaclient_20240306090818/authselect.conf> [var_lib_t], "custom/password-policy\nwith-mkho"..., 4096) = 52 <0.000779>

      And changes its fsattr to write files with this label:

      2536 [unconfined_t] 11:35:04.534275 write(3</proc/2536/task/2536/attr/fscreate> [unconfined_t], "unconfined_u:object_r:var_lib_t:"..., 35) = 35 <0.000244>

      So the new restored file is labeled var_lib_t:

      2536 [unconfined_t] 11:35:04.535096 openat(AT_FDCWD</root>, "/etc/authselect/authselect.conf.KxINn5", O_RDWR|O_CREAT|O_EXCL, 0600) = 3</etc/authselect/authselect.conf.KxINn5> [var_lib_t!!etc_t] <0.000229>

       

      Two ways to solve it:

      • ipaclient should set the expected label from the SELinux policy during the restore
      • the backed-up files should have the same label as the source files, to avoid any unexpected access/modification from an app having access to var_lib_t but not etc_t
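An added example, not code from the report or from ipa-client-install: it parses the ls -lZ output quoted above to flag files under /etc/authselect whose type is not etc_t, and shows a restore that takes the label from policy for the destination path (the first fix suggested above) instead of inheriting the backup's var_lib_t. The audit part runs anywhere; the restore assumes the python3-libselinux bindings (the selinux module) and simply copies when they are absent.

```python
import re
import shutil
# Optional libselinux bindings (assumption: python3-libselinux); absent on non-SELinux hosts.
try:
    import selinux
except ImportError:
    selinux = None

# Constructed sample: three of the ls -lZ entries quoted in the report, one per line.
SAMPLE_LS_Z = """\
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 38 Mar 11 10:01 /etc/authselect/authselect.conf
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 1164 Mar 11 10:01 /etc/authselect/system-auth
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 2120 Feb 25 17:44 /etc/authselect/user-nsswitch.conf
"""
# perms links user group context size month day time path
LS_Z_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$")

def context_type(ctx):
    """Type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]

def parse_ls_z(text):
    """Parse `ls -lZ` lines into (path, context) pairs; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_Z_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("ctx")))
    return entries

def find_mislabeled(entries, expected_type="etc_t"):
    """Files whose type is not what policy gives /etc: the signature of this bug."""
    return [(p, context_type(c)) for p, c in entries if context_type(c) != expected_type]

def restore_with_policy_label(src, dst):
    """Copy src to dst, labelling dst from policy for dst's own path (the report's first fix).
    Returns that context, or None when SELinux is unavailable and a plain copy was done."""
    if selinux is None or not selinux.is_selinux_enabled():
        shutil.copyfile(src, dst)
        return None
    rc, ctx = selinux.matchpathcon(dst, 0o100644)  # policy context for a regular file at dst
    if rc != 0:
        raise RuntimeError(f"no file context in policy for {dst}")
    selinux.setfscreatecon(ctx)  # the fscreate attribute the strace shows, now taken from policy
    try:
        # copyfile, not copy2: copy2 copies xattrs too and would drag security.selinux (var_lib_t) along.
        shutil.copyfile(src, dst)
    finally:
        selinux.setfscreatecon(None)  # reset so later files get default labels again
    return ctx
```

After a restore, `find_mislabeled(parse_ls_z(output))` on fresh `ls -lZ /etc/authselect/*` output should return an empty list; anything else is a candidate for restorecon.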

              thalman@redhat.com Tomas Halman
              rhn-support-bwelterl Benoit Welterlen
              Pavel Brezina Pavel Brezina
              Dan Lavu Dan Lavu
              Votes: 0
              Watchers: 10