[Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Prasun Gera
prasun.gera at gmail.com
Thu Sep 29 04:47:34 UTC 2016
I started seeing some SELinux errors on one of my RHEL 7 clients recently
(possibly after a recent yum update?), which prevents users from logging
in with passwords. I've put SELinux in permissive mode for now. Logs follow:
SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
key Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that krb5_child should be allowed read access on the Unknown
key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sssd_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects Unknown [ key ]
Source krb5_child
Source Path /usr/libexec/sssd/krb5_child
Port <Unknown>
Host <Unknown>
Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name example.com
Platform Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count 38
First Seen 2016-09-28 18:37:43 EDT
Last Seen 2016-09-28 22:08:41 EDT
Local ID aa5271fa-f708-46b0-a382-fb1f90ce8973
Raw Audit Messages
type=AVC msg=audit(1475114921.376:90787): avc: denied { read } for
pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl
success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272
auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
Hash: krb5_child,sssd_t,unconfined_service_t,key,read
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
key Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that krb5_child should be allowed view access on the Unknown
key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sssd_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects Unknown [ key ]
Source krb5_child
Source Path /usr/libexec/sssd/krb5_child
Port <Unknown>
Host <Unknown>
Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name example.com
Platform Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count 10
First Seen 2016-09-28 18:40:00 EDT
Last Seen 2016-09-28 22:08:41 EDT
Local ID 22ec0970-9447-444a-9631-69749e4e7226
Raw Audit Messages
type=AVC msg=audit(1475114921.376:90789): avc: denied { view } for
pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl
success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272
auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
Hash: krb5_child,sssd_t,unconfined_service_t,key,view
--------------------------------------------------------------------------------
SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the
key Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that krb5_child should be allowed write access on the
Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:sssd_t:s0
Target Context system_u:system_r:unconfined_service_t:s0
Target Objects Unknown [ key ]
Source krb5_child
Source Path /usr/libexec/sssd/krb5_child
Port <Unknown>
Host <Unknown>
Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name example.com
Platform Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count 10
First Seen 2016-09-28 18:40:00 EDT
Last Seen 2016-09-28 22:08:41 EDT
Local ID 8982bbec-38db-485b-9266-57fdaa8a3621
Raw Audit Messages
type=AVC msg=audit(1475114921.376:90790): avc: denied { write } for
pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90790): arch=x86_64 syscall=add_key
success=no exit=EACCES a0=7f6987905ffc a1=7ffeed78b1f0 a2=0 a3=0 items=0
ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053
euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053
sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
Hash: krb5_child,sssd_t,unconfined_service_t,key,write
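Added example, not part of the post: a small Python triage helper run over constructed one-line copies of the three raw audit messages above (SYSCALL fields trimmed to the ones used). It rebuilds the same "Hash" tuples sealert prints and pairs each AVC with the SYSCALL record sharing its audit serial, so you can see which calls the kernel actually refused, and it reads permissive=0 from the AVC itself, which shows these events fired while enforcing even though the report header now says Permissive.

```python
import re
# Constructed sample: the three AVC/SYSCALL pairs from the post, re-typed as
# one-line audit.log records (SYSCALL fields trimmed to the ones used here).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR pid=8272 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES pid=8272 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0
type=AVC msg=audit(1475114921.376:90790): avc:  denied  { write } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90790): arch=x86_64 syscall=add_key success=no exit=EACCES pid=8272 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value / key="value"
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')    # audit event serial number
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """Return (record type, event serial, field dict) for one audit record."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    serial, avc = SERIAL_RE.search(line), AVC_RE.search(line)
    if avc:  # only AVC records carry the decision and the permission list
        fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
    return fields.get("type"), int(serial.group(1)) if serial else None, fields

def selinux_type(context):
    """user:role:type:level -> type, e.g. sssd_t or unconfined_service_t."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Pair each AVC with the SYSCALL of the same serial and emit, per denied
    permission, the 5-tuple sealert prints as 'Hash' plus enforcement status."""
    by_serial = {}
    for line in log_text.splitlines():
        rtype, serial, fields = parse_record(line)
        if rtype in ("AVC", "SYSCALL"):
            by_serial.setdefault(serial, {})[rtype] = fields
    out = []
    for serial, recs in sorted(by_serial.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc["result"] != "denied":
            continue
        for perm in avc["perms"]:
            out.append({
                "hash": ",".join([avc["comm"], selinux_type(avc["scontext"]),
                                  selinux_type(avc["tcontext"]), avc["tclass"], perm]),
                "enforced": avc.get("permissive") == "0",  # enforced at event time, whatever the mode now
                "syscall": sc.get("syscall"), "exit": sc.get("exit"),
                "blocked": sc.get("success") == "no",  # did the call really fail?
            })
    return out
```

Run as-is it triages the embedded sample; point `summarize_denials` at the contents of /var/log/audit/audit.log (or `ausearch -m AVC,SYSCALL --raw` output) to triage a live host.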