[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

Jakub Hrozek jhrozek at redhat.com
Mon Feb 25 11:15:05 UTC 2013


On Mon, Feb 25, 2013 at 11:06:09AM +0000, Dale Macartney wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
> > On Mon, Feb 25, 2013 at 10:30:44AM +0000, Dale Macartney wrote:
> >>>> What state is your SELinux in? Permissive/Enforcing/Disabled ?
> >> Another fail on my part. Works fine in permissive mode.
> >>
> >
> > No, the SSSD should be working out of the box with SELinux Enforcing.
> >
> >> AVC denials listed below..
> >>
> >> type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
> >> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
> >> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> >> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> >> type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
> >> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
> >> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> >> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> >> type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
> >> pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
> >> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> >
> > ^ This is SElinux denying access to the fast in-memory cache.
> >
> >> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> >> type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
> >> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >> type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
> >> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >> type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
> >> pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
> >> ino=392854 scontext=system_u:system_r:sssd_t:s0
> >
> > Interesting, I'm not aware of any code in the krb5 child process that
> > would do anything selinux-related. I wonder if libkrb5 might be the
> > culprit..rpm says it *is* linked against libselinux as well.
> >
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
> >> pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> >> type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
> >> for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> >> type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
> >> pid=1380 comm="sssd_pam" name="adminoTfIUQ"
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
> >> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >> type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
> >> for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> >> type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
> >> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >> type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
> >> pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951
> >> scontext=system_u:system_r:sssd_t:s0
> >> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> >
> > This is SSSD trying to write the user login mapping.
> >
> > What version is your selinux-policy?
> >
> > Was your system properly labeled?
> >
> > Does restorecon -Rvv /etc/selinux help?
> Interesting, after using restorecon, yes it now allows a successful
> login. I am curious how the contexts would have become incorrectly set
> as the machine was provisioned with a rather trivial kickstart.
> 
> output of restorecon is below.
> 
> [root@workstation01 ~]# restorecon -Rvv /etc/selinux/
> restorecon reset /etc/selinux/targeted/logins context
> system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
> restorecon reset /etc/selinux/targeted/logins/admin context
> system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
> [root@workstation01 ~]#
> 
> selinux policy version 3.7.19-195.el6_4.1

I'm not sure, was the system installed with that version or upgraded to
it?

I would also suggest running restorecon on /var/lib/sss/mc/passwd to get rid of
the memory cache denials. That should also allow faster initgroups (and, by
extension, login) operations.
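The triage the thread walks through by hand (read the AVC records, find which denied object carries a label the policy does not expect, then relabel it with restorecon) as a small script. This is an added example, not code from the thread, from SSSD or from FreeIPA; the sample input is the thread's own denials re-joined onto single lines, and the function names avc_summary and restorecon_plan, their output format and the find -inum hint are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA). avc_summary reduces
# each "avc: denied" record to subject domain, denied permission, object type
# and the object's path; restorecon_plan turns that into dry-run restorecon
# commands. Records that carry only name= (the sshd read/open lines above)
# are resolved to a full path when another record for the same dev/inode
# carried path= (the getattr line). On a live box feed it with
#   ausearch -m AVC -ts recent | restorecon_plan
# Non-AVC lines from ausearch (time->, ----) are ignored.

# Constructed input: four of the denials quoted in the thread, re-joined onto
# single lines as the audit log stores them.
SAMPLE_AVC='type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir'

# One line per denial, key=value fields; path=? when only name= was logged.
# Type of a context is its third colon-separated field (user:role:type:level).
avc_summary() {
    awk '
    /avc: *denied/ {
        comm = ""; path = "?"; name = ""; dev = ""; ino = ""; stype = ""; ttype = ""; perm = ""
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "path") path = v
            else if (k == "name") name = v
            else if (k == "dev") dev = v
            else if (k == "ino") ino = v
            else if (k == "scontext") { split(v, c, ":"); stype = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
        }
        printf "comm=%s domain=%s perm=%s target=%s path=%s name=%s dev=%s ino=%s\n",
               comm, stype, perm, ttype, path, name, dev, ino
    }'
}

# Unique dry-run relabel commands for every denied object that has a path
# (restorecon -n checks without changing labels; drop -n to relabel).
# Objects logged with name= only are matched to a path by dev:inode where
# possible, otherwise a find -inum hint is printed.
restorecon_plan() {
    avc_summary | awk '
    {
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); rec[NR, substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (rec[NR, "path"] != "?") bypath[rec[NR, "dev"] ":" rec[NR, "ino"]] = rec[NR, "path"]
    }
    END {
        for (r = 1; r <= NR; r++) {
            p = rec[r, "path"]; ino = rec[r, "ino"]; k = rec[r, "dev"] ":" ino
            if (p == "?" && (k in bypath)) p = bypath[k]
            if (p != "?") key = p
            else key = rec[r, "name"] ":" k
            if (key in seen) continue
            seen[key] = 1
            if (p != "?") printf "restorecon -nv %s\n", p
            else printf "# %s (ino %s): no path logged, locate with: find / -xdev -inum %s\n", rec[r, "name"], ino, ino
        }
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | restorecon_plan
```

For the thread's denials this yields dry-run checks for /var/lib/sss/mc/passwd and /etc/selinux/config and an inode hint for the logins directory, which is why the `restorecon -Rvv /etc/selinux/` over the whole tree above was the right move: the mislabeled object (/etc/selinux/targeted/logins, selinux_config_t instead of selinux_login_config_t) never appears with a full path in the AVC records. Paths containing spaces would be split by the field parser; quote-aware parsing or `ausearch -i` output is needed for those.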
