Bug 1303874

Summary: AVC seen with su login for IPA user
Product: Red Hat Enterprise Linux 7
Reporter: Kaleem <ksiddiqu>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG
QA Contact: Patrik Kis <pkis>
Severity: medium
Priority: high
Version: 7.2
CC: ksiddiqu, lvrabec, mgrepl, mmalik, nsoman, pkis, plautrba, pvoborni, pvrabec, ssekidde
Target Milestone: rc
Doc Type: Bug Fix
Bug Blocks: 1333270
Last Closed: 2016-05-31 10:06:51 UTC
Type: Bug
Attachments: beaker avc log file

Description Kaleem 2016-02-02 10:02:56 UTC
Created attachment 1120367 [details]
beaker avc log file

Description of problem:
The following AVC is seen when an IPA user tries su (su - testuser1 -c 'touch /tmp/mytestfile.user1').

snip from log:
==============
type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
[root@dell-per300-01 ~]# rpm -q ipa-client sssd selinux-policy
ipa-client-4.2.0-15.el7_2.5.x86_64
sssd-1.13.0-40.el7_2.1.x86_64
selinux-policy-3.13.1-60.el7_2.2.noarch
[root@dell-per300-01 ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA server and a NIS server.

2. Migrate all data from NIS server to IPA server.

3. Configure a NIS client with yp* tools to fetch data from IPA Server. 

4. Add a user on the IPA master and try to execute su with that user on the NIS client. No AVC is seen. The user is then deleted.

5. Enroll NIS client machine of step 3 to IPA server as ipa client.

6. The same user from step 4 is added again on the IPA master.

7. Try to execute su with the user from step 6.

Actual results:
Following AVC seen (Please find the attached 

type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Expected results:
NO AVC should be there.

Additional info:

(1) Please find the attached beaker avc log file for reference.

Comment 2 Lukas Vrabec 2016-04-27 08:38:41 UTC
Hi, 

Could you set the SELinux boolean "nis_enabled" on the affected machine?

# semanage boolean -m --on nis_enabled
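Added example, not part of the bug report or the selinux-policy project: a small Python triage helper that parses AVC records of the shape quoted in the description, reduces the source and target contexts to their types, and looks up whether a known boolean covers the denial. The BOOLEAN_RULES table is constructed for this example from the two denials in this report and the nis_enabled suggestion in the comment above; it is not a mapping derived from the policy itself.

```python
import re
from typing import List, Optional
# The two AVC records quoted in the bug report, embedded here as sample input.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir',
    'type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket',
]

# Fixed shape of an AVC record: "avc:  denied  { perm1 perm2 } for  key=value ...".
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed lookup: (source type, target type, class, permission) -> boolean; both entries are the denials comment 2 resolves with nis_enabled.
BOOLEAN_RULES = {
    ("systemd_logind_t", "var_yp_t", "dir", "search"): "nis_enabled",
    ("systemd_logind_t", "portmap_port_t", "tcp_socket", "name_connect"): "nis_enabled",
}

def context_type(ctx: str) -> str:
    # Type field of a user:role:type:level label, e.g. var_yp_t from system_u:object_r:var_yp_t:s0
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx

def parse_avc(line: str) -> Optional[dict]:
    # Returns None for non-AVC audit records (SYSCALL, CWD, PATH, ...).
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec

def suggest_boolean(rec: dict) -> Optional[str]:
    # Name the boolean from BOOLEAN_RULES that covers this denial, if any.
    key = lambda perm: (rec["stype"], rec["ttype"], rec.get("tclass"), perm)
    return next((BOOLEAN_RULES[key(p)] for p in rec["perms"] if key(p) in BOOLEAN_RULES), None)

def triage(lines: List[str]) -> List[tuple]:
    # One (process, source type, permission, class, target type, fix) tuple per denial.
    out = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] != "denied":
            continue
        fix = suggest_boolean(rec) or "no boolean known; inspect with audit2why"
        out.append((rec.get("comm"), rec["stype"], "/".join(rec["perms"]), rec.get("tclass"), rec["ttype"], fix))
    return out
```

On the affected host, `audit2why -a` reads the audit log and names the boolean that would allow such denials, which is the quicker check before changing anything.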

Comment 4 Lukas Vrabec 2016-05-31 10:06:51 UTC
Thank you.

Closing as NOTABUG.