Bug 1303874
Summary: | AVC seen with su login for IPA user
---|---
Product: | Red Hat Enterprise Linux 7
Component: | selinux-policy
Version: | 7.2
Status: | CLOSED NOTABUG
Severity: | medium
Priority: | high
Reporter: | Kaleem <ksiddiqu>
Assignee: | Lukas Vrabec <lvrabec>
QA Contact: | Patrik Kis <pkis>
CC: | ksiddiqu, lvrabec, mgrepl, mmalik, nsoman, pkis, plautrba, pvoborni, pvrabec, ssekidde
Target Milestone: | rc
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
: | 1333270
Last Closed: | 2016-05-31 10:06:51 UTC
Type: | Bug
Bug Blocks: | 1333270
Hi,

Could you set SELinux boolean "nis_enabled" on affected machine?

# semanage boolean -m --on nis_enabled

Thank you.

Closing as NOTABUG.
Created attachment 1120367
beaker avc log file

Description of problem:
Following AVC seen when an IPA user tries su ( su - testuser1 -c 'touch /tmp/mytestfile.user1' ).

snip from log:
==============
type=AVC msg=audit(1454404629.071:363): avc: denied { search } for pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir

type=AVC msg=audit(1454404629.072:364): avc: denied { name_connect } for pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
[root@dell-per300-01 ~]# rpm -q ipa-client sssd selinux-policy
ipa-client-4.2.0-15.el7_2.5.x86_64
sssd-1.13.0-40.el7_2.1.x86_64
selinux-policy-3.13.1-60.el7_2.2.noarch
[root@dell-per300-01 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA server and a NIS Server
2. Migrate all data from NIS server to IPA server.
3. Configure a NIS client with yp* tools to fetch data from IPA Server.
4. Add a user on IPA master and try to execute su with that user on NIS client. No AVC is seen. User Deleted.
5. Enroll NIS client machine of step 3 to IPA server as ipa client.
6. Same user of step 4 added again on IPA master.
7. Try to execute the su with step 6 user

Actual results:
Following AVC seen (Please find the attached

type=AVC msg=audit(1454404629.071:363): avc: denied { search } for pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir

type=AVC msg=audit(1454404629.072:364): avc: denied { name_connect } for pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Expected results:
NO AVC should be there.

Additional info: (1) Please find the attached beaker avc log file for reference.
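
The two denials quoted in this report can be grouped by source type, target type and object class before deciding whether a single boolean covers them. The Python below is an added example, not part of the bug report or of selinux-policy; the hint table that maps var_yp_t and portmap_port_t to nis_enabled is an assumption taken only from this bug's resolution, and the sample input is the two log lines quoted above.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in this bug report.
SAMPLE = '''type=AVC msg=audit(1454404629.071:363): avc: denied { search } for pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc: denied { name_connect } for pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
'''

# Assumption: hint table derived only from this bug's resolution (nis_enabled).
NIS_TARGET_TYPES = {"var_yp_t", "portmap_port_t"}

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None if not parseable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type:level; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec[key].split(":")
        if len(parts) < 3:
            return None
        rec[key + "_type"] = parts[2]
    return rec

def triage(log_text):
    """Group denials by (source type, target type, class) and attach a hint."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
            groups[key].update(rec["perms"])
    return [{"source": s, "target": t, "class": c, "perms": sorted(p),
             "boolean_hint": "nis_enabled" if t in NIS_TARGET_TYPES else None}
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On a live host, `audit2why` reports the boolean from the loaded policy itself; the hint table here only reflects what this bug concluded.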