Bug 1362688
| Summary: | p11_child denied access to ipc_lock | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | aakkiang, jhrozek, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-93.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 02:35:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1267656 | ||
Seeing the following when using a card that has certs issued by RHCS CA. Please let me know if I have to open a new bug for this
type=USER_AUTH msg=audit(1470237856.031:203): pid=2926 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="ipasmartcarduser1" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=? res=failed'
type=USER_LOGIN msg=audit(1470237856.032:204): pid=2926 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=1023600005 exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1470237857.799:205): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1470237858.143:206): avc: denied { name_connect } for pid=2962 comm="p11_child" dest=8080 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1470237858.143:206): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7ffe2c9ca110 a2=10 a3=7ffe2c9c9c80 items=0 ppid=853 pid=2962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="p11_child" exe="/usr/libexec/sssd/p11_child" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1470237858.163:207): avc: denied { name_connect } for pid=2962 comm="p11_child" dest=8080 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1470237858.163:207): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7ffe2c9ca110 a2=10 a3=b items=0 ppid=853 pid=2962 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="p11_child" exe="/usr/libexec/sssd/p11_child" subj=system_u:system_r:sssd_t:s0 key=(null)
This bug is a blocker for testing IPA/SSSD smart card feature. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: p11_child denied access to ipc_lock Version-Release number of selected component (if applicable): selinux-policy-3.13.1-92.el7 sssd-1.14.0-14.el7 How reproducible: always Steps to Reproduce: 1. Smartcard with certificates issued by IPA CA fails to login 2. 3. Actual results: Smartcard login fails Expected results: Smartcard login should be successful Additional info: SELinux is preventing /usr/libexec/sssd/p11_child from using the ipc_lock capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that p11_child should have the ipc_lock capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'p11_child' --raw | audit2allow -M my-p11child # semodule -i my-p11child.pp Additional Information: Source Context system_u:system_r:sssd_t:s0 Target Context system_u:system_r:sssd_t:s0 Target Objects Unknown [ capability ] Source p11_child Source Path /usr/libexec/sssd/p11_child Port <Unknown> Host dhcp129-123.testrelm.test Source RPM Packages sssd-common-1.14.0-14.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-92.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name dhcp129-123.testrelm.test Platform Linux dhcp129-123.testrelm.test 3.10.0-481.el7.x86_64 #1 SMP Wed Jul 27 18:24:27 EDT 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-08-02 16:45:55 EDT Last Seen 2016-08-02 16:45:55 EDT Local ID e7a3a2d1-e4c0-4094-b423-4ffcc979625b Raw Audit Messages type=AVC msg=audit(1470170755.572:240): avc: denied { ipc_lock } for pid=4462 comm="p11_child" capability=14 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability type=SYSCALL msg=audit(1470170755.572:240): arch=x86_64 syscall=mlock success=yes exit=0 a0=7f0aa9fb5a80 a1=6 a2=28 a3=7ffebc8e3b20 items=0 ppid=4269 pid=4462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=p11_child exe=/usr/libexec/sssd/p11_child subj=system_u:system_r:sssd_t:s0 key=(null) Hash: p11_child,sssd_t,sssd_t,capability,ipc_lock