[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

justin-stephenson commented:
"""
@mzidek-rh I pushed my local copy of the branch to my fork but a new PR was created (sorry for that). I rebased the patch and tested it again to be sure it still works.

New PR is https://github.com/SSSD/sssd/pull/342
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-319143686
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

mzidek-rh commented:
"""
By the way in this issue: https://pagure.io/SSSD/sssd/issue/3308 it states that Petr Lautrbach recommended to use the libselinux function. I think that is reason enough to reopen this PR, even though it does not have high priority, because the more important selinux bug we had was resolved differently.

(@justin-stephenson, you already deleted the branch so I can not reopen it, would you mind creating the branch again?)
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-319023093
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

mzidek-rh commented:
"""
@jhrozek this patch replaces function from libsemanage with function from libselinux... The commit message says that libselinux is recommended over libsemanage by SELinux developers. If that is the case, I think it makes sense to use the preferred version. So I would not close this PR. Also this patch removes more code than it adds, which is welcomed.
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-319019703
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

jhrozek commented:
"""
Well, not so fast :) @mzidek-rh don't we want to use the libsemanage API anyway? Didn't this solve some real world bug?
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-318923875
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

justin-stephenson commented:
"""
@fidencio I don't really know if this ticket is required anymore to be honest, it may not be required after https://pagure.io/SSSD/sssd/issue/3297 was fixed. I don't think any user is waiting for a fix, I will go ahead and close this PR and I will leave the decision to close upstream ticket 3308 to your team.
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-318719796
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

fidencio commented:
"""
@lslebodn, @justin-stephenson: What's the state of this PR? Is this still valid? In case it's still valid, @justin-stephenson, may I ask you to rebase the patches based on our git master as currently they have some conflicts?
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-318268525
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

justin-stephenson commented:
"""
@lslebodn I tested the patch in #165 and it successfully resolves the original sssd errors `[libsemanage] (0x0020): could not query record value` however I don't know if it would solve the issue reported downstream BZ 1412717, this was the main reason I submitted this PR.

I could also modify this PR to not touch **get_seuser()** code and only call **getseuserbyname()** if **get_seuser()** fails.
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291228133
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

justin-stephenson commented:
"""
@lslebodn in my testing, the SELinux child process gets called twice during IPA client login. Before the patch the first call would error with similar `libsemanage` errors but the second would be successful. These are just cosmetic errors however, I could not reproduce any failed login problem.

```
[[sssd[selinux_child[3047 [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3047 [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3047 [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3047 [main] (0x0400): context initialized
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3047 [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3047 [libsemanage] (0x0020): could not query record value
[[sssd[selinux_child[3047 [get_seuser] (0x0020): Cannot query for testuser1
[[sssd[selinux_child[3047 [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
[[sssd[selinux_child[3047 [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3047 [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3047 [main] (0x0400): selinux_child completed successfully
[[sssd[selinux_child[3063 [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3063 [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3063 [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3063 [main] (0x0400): context initialized
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3063 [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3063 [get_seuser] (0x0040): SELinux user for testuser1: unconfined_u
[[sssd[selinux_child[3063 [get_seuser] (0x0040): SELinux range for testuser1: s0-s0:c0.c1023
[[sssd[selinux_child[3063 [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
[[sssd[selinux_child[3063 [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3063 [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3063 [main] (0x0400): selinux_child completed successfully
```

After the patch, both calls are successful and the `libsemanage` errors never happen.

Do you have some reproducer instructions for the failures you mention?
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291160431
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

lslebodn commented:
"""
@justin-stephenson are you able to reproduce bug with `semanage login -d testuser`

Because I used a little bit complicated test-case and I still can reproduce bug from comment https://pagure.io/SSSD/sssd/issue/3308#comment-220396

```
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x2000): Running with effective IDs: [0][0].
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x2000): Running with real IDs [0][0].
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x0400): context initialized
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): seuser length: 12
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): seuser: unconfined_u
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): mls_range length: 14
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): username length: 5
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): username: admin
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x0400): performing selinux operations
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: admin mls: unknown
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [sss_semanage_init] (0x0020): SELinux policy not managed
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [set_seuser] (0x0020): Cannot init SELinux management
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x0020): Cannot set SELinux login context.
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x0020): selinux_child failed!
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-291138493
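
Added example, not part of any comment in this thread and not SSSD code: a Python triage of `selinux_child` debug output that separates the case where errors are logged but the child still completes from a hard `selinux_child failed!` run, as seen in the two log excerpts quoted in the thread. The sample lines are constructed in the format shown in the thread, and treating debug masks at or below `0x0020` as errors is an assumption drawn from those excerpts.

```python
import re

# Constructed sample in the format of the selinux_child lines quoted in this thread.
SAMPLE = """\
[[sssd[selinux_child[3047 [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3047 [libsemanage] (0x0020): could not query record value
[[sssd[selinux_child[3047 [get_seuser] (0x0020): Cannot query for testuser1
[[sssd[selinux_child[3047 [main] (0x0400): selinux_child completed successfully
[[sssd[selinux_child[3063 [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3063 [get_seuser] (0x0040): SELinux user for testuser1: unconfined_u
[[sssd[selinux_child[3063 [main] (0x0400): selinux_child completed successfully
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [unpack_buffer] (0x2000): username: admin
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [set_seuser] (0x0020): Cannot init SELinux management
(Mon Apr 3 13:07:22 2017) [[sssd[selinux_child[1578 [main] (0x0020): selinux_child failed!
"""

# Captures PID, logging function, debug mask and message. The optional "]" run
# tolerates logs where closing brackets follow the PID.
LINE = re.compile(r"selinux_child\[(\d+)\]*\s+\[(\w+)\]\s+\((0x[0-9a-fA-F]+)\):\s*(.*)")
ERROR_MASK = 0x0020  # assumption: every failing line quoted in the thread uses 0x0020


def triage(text):
    """Return {pid: {"user", "errors", "outcome"}} for each selinux_child run.

    Assumes a PID is not reused within the analysed log window.
    """
    runs = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a selinux_child line
        pid, func, mask, msg = m.groups()
        run = runs.setdefault(pid, {"user": None, "errors": [], "outcome": "incomplete"})
        if func == "unpack_buffer" and msg.startswith("username: "):
            run["user"] = msg[len("username: "):]
        if int(mask, 16) <= ERROR_MASK:
            run["errors"].append(f"{func}: {msg}")
        if func == "main" and msg.startswith("selinux_child completed successfully"):
            # Errors followed by a clean exit: logged failures that did not stop the child.
            run["outcome"] = "completed_with_errors" if run["errors"] else "ok"
        elif func == "main" and msg.startswith("selinux_child failed"):
            run["outcome"] = "failed"
    return runs


if __name__ == "__main__":
    for pid, run in triage(SAMPLE).items():
        print(pid, run["user"], run["outcome"], run["errors"])
```

Runs reported as `failed` are the ones where the SELinux login context was not set; `completed_with_errors` runs are worth counting but did not stop the child.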
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

jhrozek commented:
"""
ok to test
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-285601383
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-285506518
[SSSD] [sssd PR#189][comment] SELINUX: Use getseuserbyname to get IPA seuser
URL: https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/189#issuecomment-285506515