[Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Sumit Bose
sbose at redhat.com
Thu Sep 29 07:42:41 UTC 2016
On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> I started seeing some selinux errors on one of my RHEL 7 clients recently
> (possibly after a recent yum update ?), which prevents users from logging
> in with passwords. I've put SELinux in permissive mode for now. Logs follow
This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
Would you mind adding your findings and the SSSD logs as described in
https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
ticket.
Thank you.
bye,
Sumit
>
>
> SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> key Unknown.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that krb5_child should be allowed read access on the Unknown
> key by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:sssd_t:s0
> Target Context system_u:system_r:unconfined_service_t:s0
> Target Objects Unknown [ key ]
> Source krb5_child
> Source Path /usr/libexec/sssd/krb5_child
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name example.com
> Platform Linux example.com 4.4.19-1.el7.x86_64
> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64
> x86_64
> Alert Count 38
> First Seen 2016-09-28 18:37:43 EDT
> Last Seen 2016-09-28 22:08:41 EDT
> Local ID aa5271fa-f708-46b0-a382-fb1f90ce8973
> Raw Audit Messages
> type=AVC msg=audit(1475114921.376:90787): avc: denied { read } for
> pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
>
>
> type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl
> success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272
> auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
> suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
> fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
> exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
>
> Hash: krb5_child,sssd_t,unconfined_service_t,key,read
>
> --------------------------------------------------------------------------------
>
> SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> key Unknown.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that krb5_child should be allowed view access on the Unknown
> key by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:sssd_t:s0
> Target Context system_u:system_r:unconfined_service_t:s0
> Target Objects Unknown [ key ]
> Source krb5_child
> Source Path /usr/libexec/sssd/krb5_child
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name example.com
> Platform Linux example.com 4.4.19-1.el7.x86_64
> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64
> x86_64
> Alert Count 10
> First Seen 2016-09-28 18:40:00 EDT
> Last Seen 2016-09-28 22:08:41 EDT
> Local ID 22ec0970-9447-444a-9631-69749e4e7226
> Raw Audit Messages
> type=AVC msg=audit(1475114921.376:90789): avc: denied { view } for
> pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
>
>
> type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl
> success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272
> auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053
> suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053
> fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
> exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
>
> Hash: krb5_child,sssd_t,unconfined_service_t,key,view
>
> --------------------------------------------------------------------------------
>
> SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the
> key Unknown.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that krb5_child should be allowed write access on the
> Unknown key by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:sssd_t:s0
> Target Context system_u:system_r:unconfined_service_t:s0
> Target Objects Unknown [ key ]
> Source krb5_child
> Source Path /usr/libexec/sssd/krb5_child
> Port <Unknown>
> Host <Unknown>
> Source RPM Packages sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name example.com
> Platform Linux example.com 4.4.19-1.el7.x86_64
> #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64
> x86_64
> Alert Count 10
> First Seen 2016-09-28 18:40:00 EDT
> Last Seen 2016-09-28 22:08:41 EDT
> Local ID 8982bbec-38db-485b-9266-57fdaa8a3621
>
> Raw Audit Messages
> type=AVC msg=audit(1475114921.376:90790): avc: denied { write } for
> pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
>
> type=SYSCALL msg=audit(1475114921.376:90790): arch=x86_64 syscall=add_key
> success=no exit=EACCES a0=7f6987905ffc a1=7ffeed78b1f0 a2=0 a3=0 items=0
> ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053
> euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053
> sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child
> exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
>
> Hash: krb5_child,sssd_t,unconfined_service_t,key,write
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list