Bug 1122866

Summary: debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd startup
Product: Red Hat Enterprise Linux 6
Reporter: Kaushik Banerjee <kbanerje>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.6
CC: dpal, dwalsh, grajaiya, jgalipea, jhrozek, lslebodn, lvrabec, mgrepl, mkosek, mmalik, nalin, pbrezina, preichl, rmainz, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-253.el6
Doc Type: Bug Fix
Doc Text:
Cause: Starting/Restarting sssd. Consequence: sssd daemon cannot write to krb5 config file. Fix: Add selinux rule that sssd daemon can write to krb5 config file. Result: Now sssd daemon can write to krb5 config file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 08:03:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kaushik Banerjee 2014-07-24 09:07:56 UTC
Description of problem:
debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd restart

Version-Release number of selected component (if applicable):
sssd-1.11.6-4.el6
selinux-policy-3.7.19-245.el6

How reproducible:
Always

Steps to Reproduce:
1. Make sure selinux is in enforcing mode
2. Join client to AD Server using "net join"
3. Configure sssd to use ad provider
4. Start/restart sssd

Actual results:

Domain log shows:

(Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [sssdad2012.com] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_sssdad2012_com]
(Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded.


Expected results:


Additional info:
Setting selinux to permissive doesn't show this message on sssd restart. But I don't see any AVCs being generated.

Comment 2 Nalin Dahyabhai 2014-07-24 12:47:17 UTC
Can you run "semodule -DB" to tweak your system's policy to disable "dontaudit" rules, and see if denials start getting logged?

Comment 3 Kaushik Banerjee 2014-07-24 13:29:41 UTC
Thanks Nalin,

I now see the following avc:
type=AVC msg=audit(1406208380.958:67773): avc:  denied  { write } for  pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

Comment 4 Jakub Hrozek 2014-07-24 13:37:38 UTC
Cool, I didn't know about semodule -DB.

Per comment #3, moving to selinux-policy. We need the sssd_be process to be able to touch the krb5.conf, similar to what we allow on el7.

Comment 5 Miroslav Grepl 2014-07-25 10:02:43 UTC
Yes we dontaudit this rule

#============= sssd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow sssd_t krb5_conf_t:file write;
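
As an added example (not from the bug report, and not code from the sssd or selinux-policy projects), the POSIX shell script below walks from the AVC record in comment 3 to the allow rule shown above: it pulls the source type, target type, object class and permissions out of a denial line and prints the rule, then a minimal local policy module source carrying that rule. It is a narrowed reimplementation of the idea behind audit2allow, not the audit2allow tool. The sample AVC line is the one from comment 3, embedded as constructed input; the function names and the module name local_sssd_krb5 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: extract the fields of an AVC
# denial record (same format as the line pasted in comment 3) and emit the
# SELinux allow rule a local policy module would need. This mirrors the
# audit2allow idea in a few lines; it is not the audit2allow tool itself.

# Constructed sample input: the denial from comment 3, reproduced verbatim.
AVC_LINE='type=AVC msg=audit(1406208380.958:67773): avc:  denied  { write } for  pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file'

# parse_avc LINE: sets AVC_SRC, AVC_TGT, AVC_CLASS and AVC_PERMS from one AVC
# record; returns 1 when any field is missing (the line is not a denial).
parse_avc() {
    # permissions are the words inside the braces after "denied"; trim trailing blanks
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    # a security context is user:role:type:level, so the type is the third field
    AVC_SRC=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | awk -F: '{print $3}')
    AVC_TGT=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | awk -F: '{print $3}')
    AVC_CLASS=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$AVC_PERMS" ] && [ -n "$AVC_SRC" ] && [ -n "$AVC_TGT" ] && [ -n "$AVC_CLASS" ]
}

# avc_to_allow LINE: prints the rule, e.g. "allow sssd_t krb5_conf_t:file { write };"
avc_to_allow() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLASS" "$AVC_PERMS"
}

# make_te NAME LINE: prints a minimal .te module source (require block plus the rule)
make_te() {
    parse_avc "$2" || return 1
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$1" "$AVC_SRC" "$AVC_TGT" "$AVC_CLASS" "$AVC_PERMS" \
        "$AVC_SRC" "$AVC_TGT" "$AVC_CLASS" "$AVC_PERMS"
}

# Usage: the denial from comment 3 becomes the rule shown in comment 5, then module source.
avc_to_allow "$AVC_LINE"
make_te local_sssd_krb5 "$AVC_LINE"
```

The generated .te source can be compiled and loaded with the usual toolchain (checkmodule -M -m -o local_sssd_krb5.mod local_sssd_krb5.te, semodule_package -o local_sssd_krb5.pp -m local_sssd_krb5.mod, semodule -i local_sssd_krb5.pp). Two caveats follow from the thread itself: the denial only becomes visible in the audit log after semodule -DB disables the dontaudit rules, and semodule -B restores them afterwards; and a local module like this is only a stop-gap for policies older than the fix recorded in the bug header, since the proper rule shipped in selinux-policy-3.7.19-253.el6.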

Comment 6 Miroslav Grepl 2014-07-25 10:04:04 UTC
Also we don't allow it in RHEL7/Fedora.


$ sesearch -A -s sssd_t -t krb5_conf_t
Found 2 semantic av rules:
   allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } ; 
   allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;

Comment 7 Jakub Hrozek 2014-07-31 12:55:08 UTC
(In reply to Miroslav Grepl from comment #6)
> Also we don't allow it in RHEL7/Fedora.
> 
> 
> $ sesearch -A -s sssd_t -t krb5_conf_t
> Found 2 semantic av rules:
>    allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } ;
>    allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;

Yes, we should also allow sssd to "touch" krb5.conf in RHEL-7 and Fedora.

Comment 8 Kaushik Banerjee 2014-08-28 09:39:11 UTC
Any update? Can we get it fixed in RHEL6.6?

Comment 9 Miroslav Grepl 2014-09-01 11:11:01 UTC
commit b71fe9935e0d39152304dbf4104e302ccec46e82
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 28 15:04:22 2014 +0200

    sssd needs to be able write krb5.conf

Comment 12 errata-xmlrpc 2014-10-14 08:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html