URL:
https://github.com/SSSD/sssd/pull/189
Title: #189: SELINUX: Use getseuserbyname to get IPA seuser
justin-stephenson commented:
"""
@lslebodn in my testing, the SELinux child process gets called twice during IPA client
login. Before the patch the first call would error with similar `libsemanage` errors but
the second would be successful. These are just cosmetic errors, however; I could not
reproduce any failed login problem.
```
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3047]]]] [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3047]]]] [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3047]]]] [main] (0x0400): context initialized
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3047]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3047]]]] [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3047]]]] [libsemanage] (0x0020): could not query record value
[[sssd[selinux_child[3047]]]] [get_seuser] (0x0020): Cannot query for testuser1
[[sssd[selinux_child[3047]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls: unknown
[[sssd[selinux_child[3047]]]] [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3047]]]] [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3047]]]] [main] (0x0400): selinux_child completed successfully
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child started.
[[sssd[selinux_child[3063]]]] [main] (0x2000): Running with effective IDs: [0][0].
[[sssd[selinux_child[3063]]]] [main] (0x2000): Running with real IDs [0][0].
[[sssd[selinux_child[3063]]]] [main] (0x0400): context initialized
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): seuser length: 12
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): mls_range length: 14
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): username length: 9
[[sssd[selinux_child[3063]]]] [unpack_buffer] (0x2000): username: testuser1
[[sssd[selinux_child[3063]]]] [main] (0x0400): performing selinux operations
[[sssd[selinux_child[3063]]]] [get_seuser] (0x0040): SELinux user for testuser1: unconfined_u
[[sssd[selinux_child[3063]]]] [get_seuser] (0x0040): SELinux range for testuser1: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
[[sssd[selinux_child[3063]]]] [pack_buffer] (0x0400): result [0]
[[sssd[selinux_child[3063]]]] [prepare_response] (0x4000): r->size: 4
[[sssd[selinux_child[3063]]]] [main] (0x0400): selinux_child completed successfully
```
After the patch, both calls are successful and the `libsemanage` errors never happen. Do
you have some reproducer instructions for the failures you mention?
"""
See the full comment at
https://github.com/SSSD/sssd/pull/189#issuecomment-291160431