Bug 1122866
Summary: | debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd startup | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Kaushik Banerjee <kbanerje>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 6.6 | CC: | dpal, dwalsh, grajaiya, jgalipea, jhrozek, lslebodn, lvrabec, mgrepl, mkosek, mmalik, nalin, pbrezina, preichl, rmainz, tlavigne
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-3.7.19-253.el6 | Doc Type: | Bug Fix
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2014-10-14 08:03:44 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |

Doc Text:
Cause: Starting/Restarting sssd.
Consequence: The sssd daemon cannot write to the krb5 config file.
Fix: Add an SELinux rule so that the sssd daemon can write to the krb5 config file.
Result: Now the sssd daemon can write to the krb5 config file.
Description
Kaushik Banerjee
2014-07-24 09:07:56 UTC
Can you run "semodule -DB" to tweak your system's policy to disable "dontaudit" rules, and see if denials start getting logged?

Thanks Nalin, I now see the following avc:

type=AVC msg=audit(1406208380.958:67773): avc: denied { write } for pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

Cool, I didn't know about semodule -DB.

Per comment #3, moving to selinux-policy. We need the sssd_be process to be able to touch the krb5.conf, similar to what we allow on el7.

Yes, we dontaudit this rule:

#============= sssd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow sssd_t krb5_conf_t:file write;

Also we don't allow it in RHEL7/Fedora.

$ sesearch -A -s sssd_t -t krb5_conf_t
Found 2 semantic av rules:
   allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } ;
   allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;

(In reply to Miroslav Grepl from comment #6)
> Also we don't allow it in RHEL7/Fedora.
>
> $ sesearch -A -s sssd_t -t krb5_conf_t
> Found 2 semantic av rules:
>    allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } ;
>    allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;

Yes, we should also allow sssd to "touch" krb5.conf in RHEL-7 and Fedora.

Any update? Can we get it fixed in RHEL6.6?

commit b71fe9935e0d39152304dbf4104e302ccec46e82
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 28 15:04:22 2014 +0200

    sssd needs to be able to write krb5.conf

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
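The thread above shows the whole diagnostic loop for a dontaudit'ed denial: "semodule -DB" to stop hiding it, the raw AVC record, and "sesearch" to confirm the shipped policy has no matching allow rule. The script below is an added example, not code from the bug report or from the selinux-policy project. It takes the AVC line quoted in the bug, turns it into the allow rule and into a complete local policy module source (the same shape "audit2allow -M" writes), and lists the host-side commands that would build, load and verify that module until the errata policy is installed. The module name "local_sssd_krb5conf" is an assumption; the AVC line is copied from the bug comment.

```shell
#!/bin/sh
# Added example; not code from the bug report or from selinux-policy.
# Translate an AVC denial (visible only after "semodule -DB" dropped the
# dontaudit rules) into an allow rule and a local policy module, and show the
# commands that build, load and verify it. Module name is an assumption.

# AVC record copied from the bug comment.
AVC_LINE='type=AVC msg=audit(1406208380.958:67773): avc: denied { write } for pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file'

# Print "SRC_TYPE TGT_TYPE CLASS PERM..." for one AVC denial, or nothing if the
# line is not an AVC denial. Types are the third field of the
# user:role:type:level context. ausearch's raw output uses double spaces
# ("avc:  denied  {"); awk's default field splitting absorbs that.
avc_fields() {
    printf '%s\n' "$1" | awk '
        /avc: +denied +\{/ {
            p = index($0, "{"); q = index($0, "}")
            perms = substr($0, p + 1, q - p - 1)
            gsub(/^ +| +$/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src != "" && tgt != "" && cls != "" && perms != "")
                print src, tgt, cls, perms
        }'
}

# One allow rule in policy syntax, e.g. "allow sssd_t krb5_conf_t:file { write };".
# Returns 1 (prints nothing) when the input is not an AVC denial.
avc_to_allow() {
    rule=$(avc_fields "$1" | awk '{
        perms = $4; for (i = 5; i <= NF; i++) perms = perms " " $i
        printf "allow %s %s:%s { %s };\n", $1, $2, $3, perms
    }')
    [ -n "$rule" ] || return 1
    printf '%s\n' "$rule"
}

# Complete module source for that rule: a require block naming every type and
# class the rule uses, then the rule itself.  Usage: avc_to_te NAME AVC_LINE
avc_to_te() {
    mod=$1
    set -- $(avc_fields "$2")        # $1=src $2=tgt $3=class $4..=perms
    [ $# -ge 4 ] || return 1
    src=$1; tgt=$2; cls=$3; shift 3
    perms=$*
    cat <<EOF
module $mod 1.0;

require {
    type $src;
    type $tgt;
    class $cls { $perms };
}

#============= $src ==============
allow $src $tgt:$cls { $perms };
EOF
}

# Host-side procedure (as root on the affected RHEL 6 host; not run by this
# script). Standard selinux-policy tooling only.
apply_module() {
    mod=$1
    semodule -DB                      # rebuild policy without dontaudit rules
    service sssd restart              # triggers the krb5.conf mtime update
    line=$(ausearch -m avc -c sssd_be -ts recent | grep -m1 'denied')
    avc_to_te "$mod" "$line" > "$mod.te"
    checkmodule -M -m -o "$mod.mod" "$mod.te"
    semodule_package -o "$mod.pp" -m "$mod.mod"
    semodule -i "$mod.pp"
    sesearch -A -s sssd_t -t krb5_conf_t -c file -p write   # rule is now listed
    semodule -B                       # put the dontaudit rules back
}

avc_to_allow "$AVC_LINE"
avc_to_te local_sssd_krb5conf "$AVC_LINE"
```

Two practical notes. "audit2allow -M local_sssd_krb5conf < avc.log" collapses the translate/checkmodule/semodule_package steps into one command; the functions here only make visible what it derives from the record. And the rule is a real widening of sssd_t: it lets the sssd_be process modify /etc/krb5.conf, which is exactly what the errata policy (selinux-policy-3.7.19-253.el6) grants, so remove the local module once that package is installed and confirm with the same sesearch query rather than leaving two copies of the rule around.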