[Pkg-sssd-devel] Bug#1008938: libnss-sss: breaks selinux-policy-default - ie dist-upgrade from buster to bullseye fails
Alban Browaeys
prahal at yahoo.com
Mon Apr 4 18:42:51 BST 2022
Package: libnss-sss
Version: 2.4.1-2
Severity: important
Dear Maintainer,
Dist upgrading from buster to bullseye failed with:
Setting up selinux-policy-default (2:2.20210203-7) ...
Updating selinux default policy (this step might take a moment)...libsemanage.semanage_direct_install_info: amtu module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: bugzilla module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: cobbler module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: condor module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: cyphesis module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: ksmtuned module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: likewise module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: livecd module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: nessus module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: numad module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: oddjob module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: openca module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: soundserver module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: updfstab module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.semanage_direct_install_info: usernetctl module will be disabled after install as there is a disabled instance of this module present in the system.
libsemanage.get_home_dirs: Error while fetching users. Returning list so far.
libsemanage.semanage_direct_commit: semanage_genhomedircon returned error code -1. (Connection refused).
semodule: Failed!
failed.
This is reproducible with this C code:
https://github.com/SELinuxProject/selinux/issues/121
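#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <stdio.h>

int main(void)
{
    struct passwd *pw;

    setpwent();
    /* getpwent() returns NULL both at end of enumeration and on error,
       so errno is cleared before each call to tell the two apart. */
    errno = 0;
    while ((pw = getpwent()) != NULL) {
        printf("%d: %s (errno %d)\n", pw->pw_uid, pw->pw_name, errno);
        errno = 0;
    }
    /* %m is a glibc extension that prints strerror(errno). */
    printf("getpwent errno = %d (%m)\n", errno);
    endpwent();
    return 0;
}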
which if run does:
phn at helios64:~$ ./a.out
0: root (errno 0)
1: daemon (errno 0)
2: bin (errno 0)
3: sys (errno 0)
4: sync (errno 0)
5: games (errno 0)
6: man (errno 0)
7: lp (errno 0)
8: mail (errno 0)
9: news (errno 0)
10: uucp (errno 0)
13: proxy (errno 0)
33: www-data (errno 0)
34: backup (errno 0)
38: list (errno 0)
39: irc (errno 0)
41: gnats (errno 0)
65534: nobody (errno 0)
100: _apt (errno 0)
101: systemd-timesync (errno 0)
102: systemd-network (errno 0)
103: systemd-resolve (errno 0)
104: messagebus (errno 0)
106: avahi-autoipd (errno 0)
107: sshd (errno 0)
999: systemd-coredump (errno 0)
1000: phn (errno 0)
109: _rpc (errno 0)
110: statd (errno 0)
998: openmediavault-webgui (errno 0)
997: admin (errno 0)
114: nut (errno 0)
115: Debian-snmp (errno 0)
1001: prahal (errno 0)
116: _lldpd (errno 0)
117: borg (errno 0)
118: sssd (errno 0)
1002: docker_u (errno 0)
996: openmediavault-notify (errno 0)
119: systemd-journal-remote (errno 0)
1003: systemd-journal-upload (errno 0)
120: glances (errno 0)
108: Debian-exim (errno 0)
113: proftpd (errno 0)
121: ftp (errno 0)
122: avahi (errno 0)
111: _chrony (errno 0)
105: postfix (errno 0)
112: tcpdump (errno 0)
getpwent errno = 111 (Connection refused)
which from strace is connection refused to the sss nss pipe file:
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=34507, ...}) = 0
mmap(NULL, 34507, PROT_READ, MAP_PRIVATE, 4, 0) = 0xffffa81a8000
close(4) = 0
openat(AT_FDCWD, "/lib/aarch64-linux-gnu/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\240\30\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0644, st_size=47576, ...}) = 0
mmap(NULL, 111680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0xffffa818c000
mprotect(0xffffa8196000, 65536, PROT_NONE) = 0
mmap(0xffffa81a6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0xffffa81a6000
close(4) = 0
mprotect(0xffffa81a6000, 4096, PROT_READ) = 0
munmap(0xffffa81a8000, 34507) = 0
getpid() = 1343293
fstat(-1, 0xfffffd59ad98) = -1 EBADF (Mauvais descripteur de fichier)
getpid() = 1343293
socket(AF_UNIX, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(4, F_GETFD) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ECONNREFUSED (Connexion refusée)
close(4) = 0
write(1, "getpwent errno = 111 (Connection"..., 42getpwent errno = 111 (Connection refused)
) = 42
munmap(0xffffa836d000, 2843) = 0
close(3) = 0
getpid() = 1343293
socket(AF_UNIX, SOCK_STREAM, 0) = 3
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ECONNREFUSED (Connexion refusée)
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
I have this issue with selinux-default-policy as soon as libnss-sss is installed but not libnss-systemd
(if the latter is there the issue is masked) and sssd is not configured with a domain that works
(i.e. I had a missing krb5 keytab). I cannot tell if the issue is gone with a working domain setup as of now.
My aim is that libnss-sss should not break the selinux-default-policy upgrade even if only libnss-sss is installed
(i.e. sssd was removed), or else a depends is required.
I also believe that with sssd installed but not configured the selinux-default-policy package should not break:
this issue might be on the selinux or sss side, that I cannot tell.
Also, I believe this report might be of help to users with the selinux-default-policy error above, as it's not
documented elsewhere. In the case where sssd is not installed or not configured completely, and libnss-sss is
installed and libnss-systemd is not, then the way out is to remove libnss-sss or install libnss-systemd.
There might be a libnss-systemd bug or a selinux-default-policy one too, in that I do not see why installing libnss-systemd
fixes the selinux-default-policy error.
Cheers,
Alban
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf
Kernel: Linux 5.15.29-rockchip64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libnss-sss depends on:
ii libc6 2.31-13+deb11u3
Versions of packages libnss-sss recommends:
ii sssd 2.4.1-2
libnss-sss suggests no packages.
-- no debconf information
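
The state this report describes can be checked before an upgrade. The following C program is an added example, not part of the original report or of sssd: it assumes that glibc reads /etc/nsswitch.conf and that sss on its passwd line is what loads libnss_sss, it probes the socket path shown in the strace above, and its function names are illustrative.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Added example; function names are illustrative, not from sssd or libsemanage. */

/* 1 if the "passwd" line of an nsswitch.conf-style file lists service, 0 if not, -1 if unreadable. */
int passwd_uses_service(const char *conf_path, const char *service)
{
    char line[512], *tok;
    int found = 0;
    FILE *f = fopen(conf_path, "r");
    if (f == NULL) return -1;
    while (!found && fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "#\n")] = '\0';   /* drop comment and newline */
        tok = strtok(line, " \t:");          /* database name */
        if (tok == NULL || strcmp(tok, "passwd") != 0)
            continue;
        while ((tok = strtok(NULL, " \t")) != NULL)
            if (strcmp(tok, service) == 0)
                found = 1;
    }
    fclose(f);
    return found;
}

/* 0 if a stream connect() to the Unix socket succeeds, otherwise the errno value. */
int probe_unix_socket(const char *sock_path)
{
    struct sockaddr_un addr;
    int fd, err = 0;
    if (strlen(sock_path) >= sizeof addr.sun_path) return ENAMETOOLONG;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return errno;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, sock_path);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) err = errno;
    close(fd);
    return err;
}

int main(void)
{
    int uses = passwd_uses_service("/etc/nsswitch.conf", "sss");  /* assumed path */
    int err = probe_unix_socket("/var/lib/sss/pipes/nss");        /* path from the strace */
    printf("passwd uses sss: %d, responder socket: %s\n", uses, err ? strerror(err) : "ok");
    return uses == 1 && err != 0;   /* exit 1 in the state the report describes */
}
```

A non-zero exit status means passwd lookups go through sss while the responder socket cannot be reached, which is the condition under which the getpwent() loop above ends with errno set.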