[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
Jakub Hrozek
jhrozek at redhat.com
Mon Feb 25 10:58:35 UTC 2013
On Mon, Feb 25, 2013 at 10:30:44AM +0000, Dale Macartney wrote:
> > > What state is your SELinux in? Permissive/Enforcing/Disabled ?
> Another fail on my part. Works fine in permissive mode.
>
No, the SSSD should be working out of the box with SELinux Enforcing.
> AVC denials listed below..
>
> type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
> pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
^ This is SELinux denying access to the fast in-memory cache.
> type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
> pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
> ino=392854 scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
Interesting, I'm not aware of any code in the krb5 child process that
would do anything SELinux-related. I wonder if libkrb5 might be the
culprit... rpm says it *is* linked against libselinux as well.
> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
> pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name } for
> pid=1380 comm="sssd_pam" name="adminoTfIUQ"
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
> pid=1380 comm="sssd_pam" name="adminoTfIUQ"
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name } for
> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
> pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
This is SSSD trying to write the user login mapping.
What version is your selinux-policy?
Was your system properly labeled?
Does restorecon -Rvv /etc/selinux help?
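As an added example (not code from this thread, nor from SSSD or FreeIPA), here is a small POSIX shell triage of AVC lines like the ones quoted above: it reduces each denial to a (process, source type, target type, class, permission) tuple, lists the on-disk objects the denials name, and emits a dry-run restorecon plan so the labeling question can be answered before anything is changed. The sample lines are copied from the post and joined back onto single lines; the function names are our own.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD/FreeIPA: quick triage
# of AVC denials like the ones quoted above. Function names are our own.

# Constructed sample: five of the denials quoted in the thread, one per line
# (the mailer had wrapped some of them across lines).
AVC_SAMPLE='type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for pid=1380 comm="sssd_pam" name="adminoTfIUQ" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file'

# summarise_avc: read AVC lines on stdin and print one line per distinct
# "comm source_type target_type class permission" tuple. Only the type field
# of each context is kept; user, role and MLS range do not matter for triage.
summarise_avc() {
    sed -n 's/.*denied { \([a-z_ ]*[a-z_]\) }.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \5 \1/p' \
    | sort -u
}

# avc_paths: print every absolute path named in a path="..." field, once each.
# These are the objects whose on-disk label should be compared with what the
# loaded policy expects (ls -Z, matchpathcon, restorecon -nv).
avc_paths() {
    sed -n 's/.*path="\([^"]*\)".*/\1/p' | sort -u
}

# label_check_plan: for each such path, emit a dry-run restorecon command so
# the operator can see whether a relabel would change anything before running
# it for real. Nothing is executed here; the plan is only printed.
label_check_plan() {
    avc_paths | while read -r p; do
        printf 'restorecon -nv %s\n' "$p"
    done
}

printf '%s\n' "$AVC_SAMPLE" | summarise_avc
printf '%s\n' "$AVC_SAMPLE" | label_check_plan
```

On a real host, replace the embedded sample with `ausearch -m avc -ts recent` output. If `restorecon -nv` reports a change for a path, the file was mislabeled and `restorecon -Rvv` on the parent is the fix; if it reports nothing, the label already matches the policy and the denial is a policy question (compare `rpm -q selinux-policy` against what the SSSD version expects) rather than a labeling one.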