Create systemd-user HBAC service and rule

authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

install/share/bootstrap-template.ldif

@@ -346,6 +346,14 @@ cn: sudo-i
 description: sudo-i
 ipauniqueid:autogenerate
 
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipahbacservice
+objectclass: ipaobject
+cn: systemd-user
+description: pam_systemd and systemd user@.service
+ipauniqueid:autogenerate
+
 dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
 changetype: add
 objectclass: ipahbacservice

install/share/default-hbac.ldif

@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
 description: Allow all users to access any host from any host
 ipauniqueid: autogenerate
 
+# default HBAC policy for pam_systemd
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_systemd-user
+accessruletype: allow
+usercategory: all
+hostcategory: all
+servicecategory: systemd-user
+ipaenabledflag: TRUE
+description: Allow pam_systemd to run user@.service to create a system user session
+ipauniqueid: autogenerate

ipaserver/install/server/upgrade.py

@@ -1735,6 +1735,41 @@ def migrate_to_authselect():
     sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
 
 
+def add_systemd_user_hbac():
+    logger.info('[Create systemd-user hbac service and rule]')
+    rule = 'allow_systemd-user'
+    service = 'systemd-user'
+    try:
+        api.Command.hbacsvc_add(
+            service,
+            description='pam_systemd and systemd user@.service'
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac service %s already exists', service)
+        # Don't create hbac rule when hbacsvc already exists, so the rule
+        # does not get re-created after it has been deleted by an admin.
+        return
+    else:
+        logger.info('Created hbacsvc %s', service)
+
+    try:
+        api.Command.hbacrule_add(
+            rule,
+            description=('Allow pam_systemd to run user@.service to create '
+                         'a system user session'),
+            usercategory='all',
+            hostcategory='all',
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac rule %s already exists', rule)
+    else:
+        api.Command.hbacrule_add_service(
+            rule,
+            hbacsvc=(service,)
+        )
+        logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
+
+
 def fix_permissions():
     """Fix permission of public accessible files and directories
 
@@ -2050,6 +2085,7 @@ def upgrade_configuration():
         cainstance.ensure_ipa_authority_entry()
 
     migrate_to_authselect()
+    add_systemd_user_hbac()
 
     sssd_update()
 

ipatests/test_integration/test_commands.py

@@ -495,3 +495,62 @@ class TestIPACommand(IntegrationTest):
             assert result.returncode == 1
 
         self.master.run_command(['rm', '-f', filename])
+
+    def test_hbac_systemd_user(self):
+        # https://pagure.io/freeipa/issue/7831
+        tasks.kinit_admin(self.master)
+        # check for presence
+        self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # delete both
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-del', 'systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert 'Created hbacsvc systemd-user' in result.stderr_text
+        assert 'Created hbac rule allow_systemd-user' in result.stderr_text
+
+        # check for presence
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
+        )
+        lines = set(l.strip() for l in result.stdout_text.split('\n'))
+        assert 'User category: all' in lines
+        assert 'Host category: all' in lines
+        assert 'Enabled: TRUE' in lines
+        assert 'Services: systemd-user' in lines
+        assert 'accessruletype: allow' in lines
+
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # only delete rule
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert (
+            'hbac service systemd-user already exists' in result.stderr_text
+        )
+        assert (
+            'Created hbac rule allow_systemd-user' not in result.stderr_text
+        )
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user'],
+            raiseonerr=False
+        )
+        assert result.returncode != 0
+        assert 'HBAC rule not found' in result.stderr_text