| Summary: | sssd cannot write to tmpfs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nikolai Kondrashov <nikolai.kondrashov> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | jhrozek, kbanerje |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-26 16:33:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 1034833 ***
Description of problem:

Sssd is prevented by SELinux from writing to tmpfs (exact location unclear ATM). This breaks sssd authentication against Kerberos servers, when a krb5_child process needs to write a TGT to a temporary file.

This is manifested by the following messages in /var/log/sssd/krb5_child.log:

```
(Mon Nov 25 20:16:55 2013) [[sssd[krb5_child[9824]]]] [get_and_save_tgt] (0x0020): 958: [13][Permission denied]
(Mon Nov 25 20:16:55 2013) [[sssd[krb5_child[9824]]]] [map_krb5_error] (0x0020): 979: [13][Permission denied]
```

and is reflected by the following message in /var/log/audit/audit.log:

```
type=AVC msg=audit(1385403415.267:725): avc: denied { write } for pid=9824 comm="krb5_child" path=2F202864656C6574656429 dev="tmpfs" ino=31589 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
```

Version-Release number of selected component (if applicable):

```
selinux-policy-3.12.1-103.el7.noarch
sssd-common-1.11.2-1.el7.x86_64
sssd-ad-1.11.2-1.el7.x86_64
sssd-1.11.2-1.el7.x86_64
libsss_idmap-1.11.2-1.el7.x86_64
sssd-client-1.11.2-1.el7.x86_64
sssd-krb5-common-1.11.2-1.el7.x86_64
sssd-ipa-1.11.2-1.el7.x86_64
sssd-krb5-1.11.2-1.el7.x86_64
sssd-proxy-1.11.2-1.el7.x86_64
python-sssdconfig-1.11.2-1.el7.noarch
sssd-common-pac-1.11.2-1.el7.x86_64
sssd-ldap-1.11.2-1.el7.x86_64
```

How reproducible: Always

Steps to Reproduce:

1. Setup sssd with an active directory server as the authentication provider for a domain.
2. Ensure SELinux policy is enforced.
3. Attempt to authenticate as a domain user using "su - <user>" and entering correct password.
4. Disable SELinux policy.
5. Attempt to authenticate again.

Actual results:

- "su" fails with "su: Authentication failure" response.
- "su" succeeds.

Expected results:

- "su" succeeds.
- "su" succeeds.
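The AVC record quoted in the report is easier to read once its fields are decoded: the audit subsystem hex-encodes string fields that contain spaces or quotes, and the `path=` value here decodes to `/ (deleted)`, an already-unlinked file on the tmpfs mount, which fits the reporter's remark that the exact location is unclear. The following is an added example, not part of the bug report or of sssd/selinux-policy, that parses `type=AVC` lines from an audit log, decodes hex-encoded fields, extracts the source and target SELinux types, and tallies denials by (source type, target type, class, permission). The function and constant names are the example's own; the sample input is the record from the report plus one constructed non-AVC line.

```python
import re

# Constructed sample: the AVC record quoted in the report, followed by a
# constructed SYSCALL record that the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1385403415.267:725): avc: denied { write } for pid=9824 comm="krb5_child" path=2F202864656C6574656429 dev="tmpfs" ino=31589 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1385403415.267:725): arch=c000003e syscall=1 success=no exit=-13
"""

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Fields the kernel audit code emits as hex when the string is not printable-safe.
HEX_FIELDS = {"path", "name", "comm", "exe", "proctitle"}


def decode_audit_value(key, raw):
    """Return the plain-text value of one audit field.

    Quoted values are returned without quotes. For the fields in HEX_FIELDS an
    unquoted value is the hex encoding of the original bytes (this is how
    'path=2F20...' carries '/ (deleted)'); everything else is returned as is.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, raw, _quoted in FIELD_RE.findall(m.group("rest")):
        rec[key] = decode_audit_value(key, raw)
    # An SELinux context is user:role:type:level; the type is what policy rules name.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    # d_path() appends " (deleted)" when the inode has been unlinked already.
    rec["unlinked"] = rec.get("path", "").endswith("(deleted)")
    return rec


def summarize_denials(log_text):
    """Count denied accesses by (source type, target type, object class, permission).

    This is the grouping a policy reviewer reasons about: here it yields a single
    key ('sssd_t', 'tmpfs_t', 'file', 'write') for the record in the report.
    """
    counts = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec:
            print(rec["comm"], rec["path"], "unlinked" if rec["unlinked"] else "", rec["perms"])
    print(summarize_denials(SAMPLE_AUDIT_LOG))
```

Grouping by type rather than by PID or inode is deliberate: SELinux policy allows or denies on the (source type, target type, class, permission) tuple, so two denials with different PIDs that collapse to the same key need one policy decision, not two.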