<div dir="ltr">I need to set SELinux to enforcing to get the relevant SSSD logs, right ?</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:<br>
> I started seeing some selinux errors on one of my RHEL 7 clients recently<br>
> (possibly after a recent yum update ?), which prevents users from logging<br>
> in with passwords. I've put SELinux in permissive mode for now. Logs follow<br>
<br>
</span>This sounds like <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1301686" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/<wbr>show_bug.cgi?id=1301686</a> .<br>
Would you mind adding your findings and the SSSD logs as described in<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/<wbr>show_bug.cgi?id=1301686#c2</a> to the bugzilla<br>
ticket.<br>
<br>
Thank you.<br>
<br>
bye,<br>
Sumit<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
><br>
> SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the<br>
> key Unknown.<br>
><br>
> ***** Plugin catchall (100. confidence) suggests<br>
> **************************<br>
><br>
> If you believe that krb5_child should be allowed read access on the Unknown<br>
> key by default.<br>
> Then you should report this as a bug.<br>
> You can generate a local policy module to allow this access.<br>
> Do<br>
> allow this access for now by executing:<br>
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol<br>
> # semodule -i mypol.pp<br>
><br>
><br>
> Additional Information:<br>
> Source Context system_u:system_r:sssd_t:s0<br>
> Target Context system_u:system_r:unconfined_<wbr>service_t:s0<br>
> Target Objects Unknown [ key ]<br>
> Source krb5_child<br>
> Source Path /usr/libexec/sssd/krb5_child<br>
> Port <Unknown><br>
> Host <Unknown><br>
> Source RPM Packages sssd-krb5-common-1.13.0-40.<wbr>el7_2.12.x86_64<br>
> Target RPM Packages<br>
> Policy RPM selinux-policy-3.13.1-60.el7_<wbr>2.9.noarch<br>
> Selinux Enabled True<br>
> Policy Type targeted<br>
> Enforcing Mode Permissive<br>
> Host Name <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
> Platform Linux <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> 4.4.19-1.el7.x86_64<br>
> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64<br>
> x86_64<br>
> Alert Count 38<br>
> First Seen 2016-09-28 18:37:43 EDT<br>
> Last Seen 2016-09-28 22:08:41 EDT<br>
> Local ID aa5271fa-f708-46b0-a382-<wbr>fb1f90ce8973<br>
> Raw Audit Messages<br>
> type=AVC msg=audit(1475114921.376:<wbr>90787): avc: denied { read } for<br>
> pid=8272 comm="krb5_child" scontext=system_u:system_r:<wbr>sssd_t:s0<br>
> tcontext=system_u:system_r:<wbr>unconfined_service_t:s0 tclass=key permissive=0<br>
><br>
><br>
> type=SYSCALL msg=audit(1475114921.376:<wbr>90787): arch=x86_64 syscall=keyctl<br>
> success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272<br>
> auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053<br>
> suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053<br>
> fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child<br>
> exe=/usr/libexec/sssd/krb5_<wbr>child subj=system_u:system_r:sssd_t:<wbr>s0 key=(null)<br>
><br>
> Hash: krb5_child,sssd_t,unconfined_<wbr>service_t,key,read<br>
><br>
> ------------------------------<wbr>------------------------------<wbr>--------------------<br>
><br>
> SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the<br>
> key Unknown.<br>
><br>
> ***** Plugin catchall (100. confidence) suggests<br>
> **************************<br>
><br>
> If you believe that krb5_child should be allowed view access on the Unknown<br>
> key by default.<br>
> Then you should report this as a bug.<br>
> You can generate a local policy module to allow this access.<br>
> Do<br>
> allow this access for now by executing:<br>
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol<br>
> # semodule -i mypol.pp<br>
><br>
><br>
> Additional Information:<br>
> Source Context system_u:system_r:sssd_t:s0<br>
> Target Context system_u:system_r:unconfined_<wbr>service_t:s0<br>
> Target Objects Unknown [ key ]<br>
> Source krb5_child<br>
> Source Path /usr/libexec/sssd/krb5_child<br>
> Port <Unknown><br>
> Host <Unknown><br>
> Source RPM Packages sssd-krb5-common-1.13.0-40.<wbr>el7_2.12.x86_64<br>
> Target RPM Packages<br>
> Policy RPM selinux-policy-3.13.1-60.el7_<wbr>2.9.noarch<br>
> Selinux Enabled True<br>
> Policy Type targeted<br>
> Enforcing Mode Permissive<br>
> Host Name <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
> Platform Linux <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> 4.4.19-1.el7.x86_64<br>
> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64<br>
> x86_64<br>
> Alert Count 10<br>
> First Seen 2016-09-28 18:40:00 EDT<br>
> Last Seen 2016-09-28 22:08:41 EDT<br>
> Local ID 22ec0970-9447-444a-9631-<wbr>69749e4e7226<br>
> Raw Audit Messages<br>
> type=AVC msg=audit(1475114921.376:<wbr>90789): avc: denied { view } for<br>
> pid=8272 comm="krb5_child" scontext=system_u:system_r:<wbr>sssd_t:s0<br>
> tcontext=system_u:system_r:<wbr>unconfined_service_t:s0 tclass=key permissive=0<br>
><br>
><br>
> type=SYSCALL msg=audit(1475114921.376:<wbr>90789): arch=x86_64 syscall=keyctl<br>
> success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272<br>
> auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053<br>
> suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053<br>
> fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child<br>
> exe=/usr/libexec/sssd/krb5_<wbr>child subj=system_u:system_r:sssd_t:<wbr>s0 key=(null)<br>
><br>
> Hash: krb5_child,sssd_t,unconfined_<wbr>service_t,key,view<br>
><br>
> ------------------------------<wbr>------------------------------<wbr>--------------------<br>
><br>
> SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the<br>
> key Unknown.<br>
><br>
> ***** Plugin catchall (100. confidence) suggests<br>
> **************************<br>
><br>
> If you believe that krb5_child should be allowed write access on the<br>
> Unknown key by default.<br>
> Then you should report this as a bug.<br>
> You can generate a local policy module to allow this access.<br>
> Do<br>
> allow this access for now by executing:<br>
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol<br>
> # semodule -i mypol.pp<br>
><br>
><br>
> Additional Information:<br>
> Source Context system_u:system_r:sssd_t:s0<br>
> Target Context system_u:system_r:unconfined_<wbr>service_t:s0<br>
> Target Objects Unknown [ key ]<br>
> Source krb5_child<br>
> Source Path /usr/libexec/sssd/krb5_child<br>
> Port <Unknown><br>
> Host <Unknown><br>
> Source RPM Packages sssd-krb5-common-1.13.0-40.<wbr>el7_2.12.x86_64<br>
> Target RPM Packages<br>
> Policy RPM selinux-policy-3.13.1-60.el7_<wbr>2.9.noarch<br>
> Selinux Enabled True<br>
> Policy Type targeted<br>
> Enforcing Mode Permissive<br>
> Host Name <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
> Platform Linux <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> 4.4.19-1.el7.x86_64<br>
> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64<br>
> x86_64<br>
> Alert Count 10<br>
> First Seen 2016-09-28 18:40:00 EDT<br>
> Last Seen 2016-09-28 22:08:41 EDT<br>
> Local ID 8982bbec-38db-485b-9266-<wbr>57fdaa8a3621<br>
><br>
> Raw Audit Messages<br>
> type=AVC msg=audit(1475114921.376:<wbr>90790): avc: denied { write } for<br>
> pid=8272 comm="krb5_child" scontext=system_u:system_r:<wbr>sssd_t:s0<br>
> tcontext=system_u:system_r:<wbr>unconfined_service_t:s0 tclass=key permissive=0<br>
><br>
> type=SYSCALL msg=audit(1475114921.376:<wbr>90790): arch=x86_64 syscall=add_key<br>
> success=no exit=EACCES a0=7f6987905ffc a1=7ffeed78b1f0 a2=0 a3=0 items=0<br>
> ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053<br>
> euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053<br>
> sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child<br>
> exe=/usr/libexec/sssd/krb5_<wbr>child subj=system_u:system_r:sssd_t:<wbr>s0 key=(null)<br>
><br>
> Hash: krb5_child,sssd_t,unconfined_<wbr>service_t,key,write<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">> --<br>
> Manage your subscription for the Freeipa-users mailing list:<br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br>
> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
</font></span></blockquote></div><br></div>