Bug 1263339
| Summary: | SELinux prevents CIM provider from reading /var/lib/sss/mc/initgroups file | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.2 | CC: | lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-68.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 02:22:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Could you collect SELinux denials triggered by these TCs in permissive mode and attach them here? (In reply to Milos Malik from comment #2) > Could you collect SELinux denials triggered by these TCs in permissive mode > and attach them here? ---- type=SYSCALL msg=audit(09/16/2015 12:24:39.107:399) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f5a00e364a0 a1=O_RDONLY|O_CLOEXEC a2=0x7ffce04e10c4 a3=0x7ffce04e0e00 items=0 ppid=7883 pid=7884 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null) type=AVC msg=audit(09/16/2015 12:24:39.107:399) : avc: denied { open } for pid=7884 comm=cimprovagt path=/var/lib/sss/mc/initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file type=AVC msg=audit(09/16/2015 12:24:39.107:399) : avc: denied { read } for pid=7884 comm=cimprovagt name=initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file ---- type=SYSCALL msg=audit(09/16/2015 12:24:39.107:400) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffce04e10d0 a2=0x7ffce04e10d0 a3=0x7ffce04e0e30 items=0 ppid=7883 pid=7884 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null) type=AVC msg=audit(09/16/2015 12:24:39.107:400) : avc: denied { getattr } for pid=7884 comm=cimprovagt path=/var/lib/sss/mc/initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: The following AVC denaul appeared on test systems: time->Sat Aug 22 23:09:09 2015 type=SYSCALL msg=audit(1440299349.536:3441): arch=80000015 syscall=5 success=no exit=-13 a0=1001021a470 a1=80000 a2=3fffc7660ecc a3=0 items=0 ppid=9382 pid=9383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null) type=AVC msg=audit(1440299349.536:3441): avc: denied { read } for pid=9383 comm="cimprovagt" name="initgroups" dev="dm-0" ino=68663640 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file Version-Release number of selected component (if applicable): selinux-policy-3.13.1-47.el7 sssd-1.13.0-26.el7 tog-pegasus-2.14.1-2.el7 openlmi-python-base-0.5.0-3.el7 How reproducible: always Steps to Reproduce: 1. Join to IPA/AD via realmd and openlmi