- Bug
- Resolution: Duplicate
- Normal
- rhel-8.9.0
- Moderate
- rhel-sst-idm-sssd
- ssg_idm
- Red Hat Enterprise Linux
- x86_64
What were you trying to do that didn't work?
When we run ipa-client-install --uninstall with SELinux enforcing, we cannot log in using SSH keys or as root via the console after reboot.
An autorelabel is required to restore the labels of /etc/pam.d and the authselect config.
Please provide the package NVR for which the bug is seen:
ipa-client-common-4.9.12-9.
How reproducible:
always
Steps to reproduce
- enable selinux
- ipa-client-install --uninstall
- login fails
Expected results
login successful / restored files with correct SELinux labels
Actual results
files are labeled var_lib_t:
# ls -lZ /etc/authselect/*
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0   38 Mar 11 10:01 /etc/authselect/authselect.conf
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0  194 Mar 11 10:01 /etc/authselect/dconf-db
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0  205 Mar 11 10:01 /etc/authselect/dconf-locks
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0  140 Mar 11 10:01 /etc/authselect/fingerprint-auth
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 2963 Mar 11 10:01 /etc/authselect/nsswitch.conf
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 1164 Mar 11 10:01 /etc/authselect/password-auth
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0  399 Mar 11 10:01 /etc/authselect/postlogin
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0  140 Mar 11 10:01 /etc/authselect/smartcard-auth
-rw-r--r--. 1 root root system_u:object_r:var_lib_t:s0 1164 Mar 11 10:01 /etc/authselect/system-auth
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0     2120 Feb 25 17:44 /etc/authselect/user-nsswitch.conf
This is caused by restoring the backup files from /var:
/var/lib/authselect/backups/pre_ipaclient_20240306090818/authselect.conf
From the strace:
ipaclient gets the label of the backup file (var_lib_t):
2536 [unconfined_t] 11:35:04.533239 getxattr("/var/lib/authselect/backups/pre_ipaclient_20240306090818/authselect.conf" [var_lib_t], "security.selinux", "unconfined_u:object_r:var_lib_t:"..., 255) = 35 <0.000027>
...
2536 [unconfined_t] 11:35:04.538494 read(3</var/lib/authselect/backups/pre_ipaclient_20240306090818/authselect.conf> [var_lib_t], "custom/password-policy\nwith-mkho"..., 4096) = 52 <0.000779>
and sets its fscreate attribute so that new files are written with this label:
2536 [unconfined_t] 11:35:04.534275 write(3</proc/2536/task/2536/attr/fscreate> [unconfined_t], "unconfined_u:object_r:var_lib_t:"..., 35) = 35 <0.000244>
so the newly restored file is labeled var_lib_t:
2536 [unconfined_t] 11:35:04.535096 openat(AT_FDCWD</root>, "/etc/authselect/authselect.conf.KxINn5", O_RDWR|O_CREAT|O_EXCL, 0600) = 3</etc/authselect/authselect.conf.KxINn5> [var_lib_t!!etc_t] <0.000229>
Two ways to solve it:
- ipaclient should set the expected label from the SELinux policy during the restore
- the backed-up files should have the same label as the source files, to avoid any unexpected access/modification from an app having access to var_lib_t but not etc_t
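The first of the two approaches above, applying the label SELinux policy expects for the destination path at restore time instead of inheriting the backup's, as an added shell example. This is not part of the report, of ipa-client-install or of authselect; it assumes GNU coreutils cp (for -Z) and restorecon, and the backup directory name in the usage comment is the one quoted in the report, used only as an illustration.

```sh
#!/bin/sh
# Added example, not ipa-client-install's or authselect's own code: restore files
# from an ipa-client backup directory so that each copy gets the label SELinux
# policy assigns to its destination path (etc_t under /etc/authselect) instead of
# inheriting the backup's var_lib_t, then verify the result.
set -u

# Copy one file and label the destination per policy.
# On an SELinux kernel, coreutils 'cp -Z' requests the default context of the
# destination path rather than the caller's fscreate context; restorecon is then
# run as a second guard. Without SELinux this degrades to a plain copy.
restore_one() {
    src=$1
    dst=$2
    if [ -e /sys/fs/selinux/enforce ]; then
        cp -Z -- "$src" "$dst" || return 1
    else
        cp -- "$src" "$dst" || return 1
    fi
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dst" || return 1
    fi
    return 0
}

# Restore every regular file in a backup directory into a destination directory.
restore_dir() {
    backup=$1
    dest=$2
    for f in "$backup"/*; do
        [ -f "$f" ] || continue
        restore_one "$f" "$dest/$(basename -- "$f")" || return 1
    done
    return 0
}

# Dry-run check: return 0 when every file under a directory already carries the
# label policy expects, 1 (listing the offenders on stderr) when restorecon
# would relabel something. Returns 0 when SELinux is not enabled on this host.
check_labels() {
    dir=$1
    [ -e /sys/fs/selinux/enforce ] || return 0
    command -v restorecon >/dev/null 2>&1 || return 0
    out=$(restorecon -Rnv "$dir" 2>/dev/null) || return 1
    if [ -n "$out" ]; then
        printf 'mislabeled files:\n%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Usage on the affected host (directory name taken from the report above):
#   restore_dir /var/lib/authselect/backups/pre_ipaclient_20240306090818 /etc/authselect
#   check_labels /etc/authselect
```

check_labels is the same dry run (restorecon -Rnv) one would use on an affected host to confirm the var_lib_t files before forcing a full autorelabel. Going the other way, preserving the source context when the backup is written (cp --preserve=context), moves the mismatch into /var/lib/authselect/backups instead, which is what the linked RHEL-3539 describes.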
Duplicates:
- RHEL-3539 SELinux File context are not showing correct information as expected - authselect backup files with etc_t but dir expects var_lib_t (Closed)