| Summary: | SELinux AVC deny when using KDCproxy (krb5_child sssd tcp) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Aly <opennetworksolutions> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.2 | CC: | abokovoy, lslebodn, lvrabec, mgrepl, mkolaja, mmalik, opennetworksolutions, plautrba, pvoborni, pvrabec, rcritten, ssekidde, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1414308 | Environment: | |
| Last Closed: | 2017-01-17 14:57:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1414308 | | |
Description of problem:
krb5_child fails to retrieve a ticket from the KDC via HTTPS (TCP [KDCproxy]), causing SSSD to not complete authentication.

Version-Release number of selected component (if applicable):

```
[root@lbclient03 ~]# rpm -qa | grep ipa-client
ipa-client-4.2.0-15.el7_2.19.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Configure krb5.conf to use a KDCProxy (https)
2. Ensure SELinux is enabled
3. Attempt to authenticate

Actual results:
krb5_child is denied TCP access by SELinux and isn't able to contact the KDC, which prevents SSSD from completing the authentication.

Expected results:
krb5_child should be allowed TCP access to reach the KDC and get a ticket, allowing SSSD to complete authentication.

Additional info:

```
type=AVC msg=audit(1480082500.050:730): avc: denied { name_connect } for pid=3880 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0
```

--- log snippets ---

```
[root@lbclient03 ~]# grep AVC /var/log/audit/audit.log | egrep "sssd|krb5" | less
type=AVC msg=audit(1480081889.294:504): avc: denied { name_connect } for pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1480081889.295:505): avc: denied { name_connect } for pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1480081889.310:506): avc: denied { name_connect } for pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1480082399.544:688): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480082490.434:710): avc: denied { name_connect } for pid=3850 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1480082498.108:720): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480082500.050:730): avc: denied { name_connect } for pid=3880 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
```

---

I tested on rhel7.3 and it should work there:

```
sh# audit2why < pok.avc
type=AVC msg=audit(1480081889.310:506): avc: denied { name_connect } for pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

sh# rpm -q selinux-policy
selinux-policy-3.13.1-102.el7_3.4.noarch
```

---

Yes, the fix is present in RHEL-7.3:

```
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-devel-3.13.1-102.el7_3.4.noarch
# sesearch -s sssd_t -t http_port_t -c tcp_socket -p name_connect -A -C
Found 2 semantic av rules:
   allow sssd_t http_port_t : tcp_socket name_connect ;
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ nis_enabled ]
```

---

Aly, could you please open a customer case to facilitate a back port to RHEL 7.2?

Alexander

---

No problem. I will open a ticket.

Thank you very much,
Aly

---

This should be backported from Fedora.

---

Alexander,

I have opened a ticket for this issue on behalf of the client to have this back-ported to 7.2. I will email you the case number directly.

Aly
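The audit records in this bug are a good illustration of what to look for when triaging an SELinux denial: the `type=AVC` lines carry the source domain, target type, object class and denied permission, and the `type=USER_AVC` lines record the operator switching to permissive mode and reloading policy while debugging. The following added example (not code from this bug report or from selinux-policy) parses such records, aggregates the denials by (comm, source type, target type, class, permission), and flags the mode and policy-load notices separately, because a `setenforce 0` that is never reverted is itself something a defender wants surfaced. The sample log is constructed from the lines quoted above; the rule-rendering helper only prints the `allow` text in the shape `sesearch` uses and does not build a policy module.

```python
import re
from collections import Counter

# Constructed sample: audit.log records copied from this bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1480081889.294:504): avc: denied { name_connect } for pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1480081889.310:506): avc: denied { name_connect } for pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1480082399.544:688): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1480082498.108:720): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480082500.050:730): avc: denied { name_connect } for pid=3880 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: '
    r'(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# key=value pairs; quoted values (comm="krb5_child") keep spaces intact
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SETENFORCE_RE = re.compile(r'received setenforce notice \(enforcing=(\d)\)')
POLICYLOAD_RE = re.compile(r'received policyload notice \(seqno=(\d+)\)')


def selinux_type(context):
    """Return the type field of a context like system_u:system_r:sssd_t:s0,
    or None when the context is missing (e.g. a truncated record)."""
    if not context:
        return None
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'dest': int(fields['dest']) if 'dest' in fields else None,
        'source_type': selinux_type(fields.get('scontext')),
        'target_type': selinux_type(fields.get('tcontext')),
        'tclass': fields.get('tclass'),
    }


def triage(log_text):
    """Return (denials, events): denials counts each distinct
    (comm, source type, target type, class, permission) tuple; events lists
    enforcing-mode changes and policy loads in the order they occurred."""
    denials = Counter()
    events = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            if rec['verdict'] == 'denied':
                for perm in rec['perms']:
                    key = (rec['comm'], rec['source_type'], rec['target_type'],
                           rec['tclass'], perm)
                    denials[key] += 1
            continue
        if line.startswith('type=USER_AVC'):
            m = SETENFORCE_RE.search(line)
            if m:
                mode = 'permissive' if m.group(1) == '0' else 'enforcing'
                events.append(('setenforce', mode))
                continue
            m = POLICYLOAD_RE.search(line)
            if m:
                events.append(('policyload', int(m.group(1))))
    return denials, events


def rule_needed(key):
    """Render a denial key as the allow rule that would cover it, in the
    text form sesearch prints (compare the rule shown in the comments above)."""
    _comm, stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype} : {tclass} {perm} ;"


if __name__ == '__main__':
    denials, events = triage(SAMPLE_LOG)
    for key, count in denials.items():
        print(f"{count}x {key[0]}: {rule_needed(key)}")
    for kind, value in events:
        print(f"notice: {kind} -> {value}")
```

Run against the constructed sample, the script collapses the three krb5_child denials into a single rule candidate, `allow sssd_t http_port_t : tcp_socket name_connect ;`, which is exactly the rule `sesearch` reports in the fixed selinux-policy build, and it lists the `setenforce` (permissive) and `policyload` notices so that the temporary mode change is not lost in the noise.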