Hey,

While hunting this sssd/hbac/AD user problem, I noticed in the
selinux_child.log a lot of errors that look like this:

(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [get_seuser]
(0x0020): Cannot query for galaxy
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/tmp//seusers.final: 10):
ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [set_seuser]
(0x0020): Cannot verify the SELinux user
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020):
Cannot set SELinux login context.
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020):
selinux_child failed!
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
selinux_child started.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
context initialized
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
performing selinux operations
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/active//seusers.final: 10):
ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [get_seuser]
(0x0020): Cannot query for simpsonlach...@petermac.org.au
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/tmp//seusers.final: 10):
ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [set_seuser]
(0x0020): Cannot verify the SELinux user
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020):
Cannot set SELinux login context.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020):
selinux_child failed!
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
selinux_child started.
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
context initialized
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
performing selinux operations
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/active//seusers.final: 10):
ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [get_seuser]
(0x0020): Cannot query for madhamshettiwar p...@petermac.org.au
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/tmp//seusers.final: 10):
We have SELinux disabled on all of our servers, but we hadn't disabled this
check in sssd.conf. So we enabled it in sssd.conf and everything worked
fine.

But it should be noted that this check seems to be failing on a space in
the AD user names.

(I know, spaces in user names are weird, wrong and embarrassing, but it's
not my department. A fantastic example of Technical Debt and why project
planning and testing are best done before implementation.)

cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
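The log above shows the seusers record format (login:seuser:mls_range) and the point where parsing stops on the account whose login contains a space. The following pre-flight check is an added example, not code from the post or from sssd/libsemanage; it parses a seusers file the way the log indicates libsemanage does (login token ends at the first whitespace, then a ':' is required) and reports which record would break the whole file. The sample records, including the example.org logins, are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on the seusers.final excerpt in the post.
# Record layout is login:seuser:mls_range; line 3 mimics an AD account
# whose login name contains a space.
SAMPLE_SEUSERS = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
ellul jane@example.org:unconfined_u:s0-s0:c0.c1023
simpson.lachlan@example.org:unconfined_u:s0-s0:c0.c1023
"""

@dataclass
class SeuserRecord:
    lineno: int
    login: str
    seuser: str
    mls_range: str

@dataclass
class SeuserProblem:
    lineno: int
    reason: str
    text: str

def parse_seusers(text: str) -> Tuple[List[SeuserRecord], List[SeuserProblem]]:
    """Return (records, problems). Any problem means libsemanage would
    refuse to load the file, so every login on the host loses its
    SELinux mapping, not just the offending one."""
    records: List[SeuserRecord] = []
    problems: List[SeuserProblem] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The MLS range itself contains ':' so split on the first two only.
        parts = line.split(":", 2)
        if len(parts) != 3 or not all(parts):
            problems.append(SeuserProblem(lineno, "malformed record, expected login:seuser:range", line))
            continue
        login, seuser, mls_range = parts
        if re.search(r"\s", login):
            # libsemanage reads the login up to the space, skips whitespace,
            # then expects ':' and reports the character it finds instead.
            found = login.split()[1][0]
            problems.append(SeuserProblem(lineno, f"login contains whitespace; parser expects ':' but finds '{found}'", line))
            continue
        records.append(SeuserRecord(lineno, login, seuser, mls_range))
    return records, problems

if __name__ == "__main__":
    recs, probs = parse_seusers(SAMPLE_SEUSERS)
    for p in probs:
        print(f"line {p.lineno}: {p.reason}: {p.text}")
```

Run it against a real /etc/selinux/targeted/seusers (or the modules/active copy named in the log) to find the offending login before sssd's selinux_child does.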