<div dir="ltr">I started seeing some selinux errors on one of my RHEL 7 clients recently (possibly after a recent yum update ?), which prevents users from logging in with passwords. I've put SELinux in permissive mode for now. Logs follow<div><br><div><br></div><div><div>SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the key Unknown.</div><div><br></div><div>***** Plugin catchall (100. confidence) suggests **************************</div><div><br></div><div>If you believe that krb5_child should be allowed read access on the Unknown key by default.</div><div>Then you should report this as a bug.</div><div>You can generate a local policy module to allow this access.</div><div>Do</div><div>allow this access for now by executing:</div><div># grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol</div><div># semodule -i mypol.pp</div><div><br></div><div><br></div><div>Additional Information:</div><div>Source Context system_u:system_r:sssd_t:s0</div><div>Target Context system_u:system_r:unconfined_service_t:s0</div><div>Target Objects Unknown [ key ]</div><div>Source krb5_child</div><div>Source Path /usr/libexec/sssd/krb5_child</div><div>Port <Unknown></div><div>Host <Unknown></div><div>Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64</div><div>Target RPM Packages</div><div>Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch</div><div>Selinux Enabled True</div><div>Policy Type targeted</div><div>Enforcing Mode Permissive</div><div>Host Name <a href="http://example.com">example.com</a></div><div>Platform Linux <a href="http://example.com">example.com</a> 4.4.19-1.el7.x86_64</div><div> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64</div><div>Alert Count 38</div><div>First Seen 2016-09-28 18:37:43 EDT</div><div>Last Seen 2016-09-28 22:08:41 EDT</div><div>Local ID aa5271fa-f708-46b0-a382-fb1f90ce8973</div></div><div><div>Raw Audit Messages</div><div>type=AVC msg=audit(1475114921.376:90787): avc: denied { read } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0</div><div><br></div><div><br></div><div>type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)</div><div><br></div><div>Hash: krb5_child,sssd_t,unconfined_service_t,key,read</div><div><br></div></div></div><div><div>--------------------------------------------------------------------------------</div><div><br></div><div>SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the key Unknown.</div><div><br></div><div>***** Plugin catchall (100. confidence) suggests **************************</div><div><br></div><div>If you believe that krb5_child should be allowed view access on the Unknown key by default.</div><div>Then you should report this as a bug.</div><div>You can generate a local policy module to allow this access.</div><div>Do</div><div>allow this access for now by executing:</div><div># grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol</div><div># semodule -i mypol.pp</div><div><br></div><div><br></div><div>Additional Information:</div><div>Source Context system_u:system_r:sssd_t:s0</div><div>Target Context system_u:system_r:unconfined_service_t:s0</div><div>Target Objects Unknown [ key ]</div><div>Source krb5_child</div><div>Source Path /usr/libexec/sssd/krb5_child</div><div>Port <Unknown></div><div>Host <Unknown></div><div>Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64</div><div>Target RPM Packages</div><div>Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch</div><div>Selinux Enabled True</div><div>Policy Type targeted</div><div>Enforcing Mode Permissive</div><div>Host Name <a href="http://example.com">example.com</a></div><div>Platform Linux <a href="http://example.com">example.com</a> 4.4.19-1.el7.x86_64</div><div> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64</div><div>Alert Count 10</div><div>First Seen 2016-09-28 18:40:00 EDT</div><div>Last Seen 2016-09-28 22:08:41 EDT</div><div>Local ID 22ec0970-9447-444a-9631-69749e4e7226</div></div><div><div>Raw Audit Messages</div><div>type=AVC msg=audit(1475114921.376:90789): avc: denied { view } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0</div><div><br></div><div><br></div><div>type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)</div><div><br></div><div>Hash: krb5_child,sssd_t,unconfined_service_t,key,view</div></div><div><br></div><div><div>--------------------------------------------------------------------------------</div><div><br></div><div>SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the key Unknown.</div><div><br></div><div>***** Plugin catchall (100. confidence) suggests **************************</div><div><br></div><div>If you believe that krb5_child should be allowed write access on the Unknown key by default.</div><div>Then you should report this as a bug.</div><div>You can generate a local policy module to allow this access.</div><div>Do</div><div>allow this access for now by executing:</div><div># grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol</div><div># semodule -i mypol.pp</div><div><br></div><div><br></div><div>Additional Information:</div><div>Source Context system_u:system_r:sssd_t:s0</div><div>Target Context system_u:system_r:unconfined_service_t:s0</div><div>Target Objects Unknown [ key ]</div><div>Source krb5_child</div><div>Source Path /usr/libexec/sssd/krb5_child</div><div>Port <Unknown></div><div>Host <Unknown></div><div>Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64</div><div>Target RPM Packages</div><div>Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch</div><div>Selinux Enabled True</div><div>Policy Type targeted</div><div>Enforcing Mode Permissive</div><div>Host Name <a href="http://example.com">example.com</a></div><div>Platform Linux <a href="http://example.com">example.com</a> 4.4.19-1.el7.x86_64</div><div> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64</div><div>Alert Count 10</div><div>First Seen 2016-09-28 18:40:00 EDT</div><div>Last Seen 2016-09-28 22:08:41 EDT</div><div>Local ID 8982bbec-38db-485b-9266-57fdaa8a3621</div><div><br></div><div>Raw Audit Messages</div><div>type=AVC msg=audit(1475114921.376:90790): avc: denied { write } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0</div></div><div><br></div><div><div>type=SYSCALL msg=audit(1475114921.376:90790): arch=x86_64 syscall=add_key success=no exit=EACCES a0=7f6987905ffc a1=7ffeed78b1f0 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)</div><div><br></div><div>Hash: krb5_child,sssd_t,unconfined_service_t,key,write</div><div><br></div></div></div>