Bug 1649305
| Summary: | chpasswd gets SELinux denial: Unable to open config database [/var/lib/sss/db/config.ldb] |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | selinux-policy |
| Version: | 29 |
| Status: | CLOSED DUPLICATE |
| Severity: | unspecified |
| Priority: | unspecified |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Katerina Koukiou <kkoukiou> |
| Assignee: | Lukas Vrabec <lvrabec> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | dwalsh, lslebodn, lvrabec, mgrepl, mpitt, plautrba |
| Last Closed: | 2018-12-07 13:22:19 UTC |
| Type: | Bug |
| Bug Blocks: | 1654592 |
| : | 1654592 |

*** This bug has been marked as a duplicate of bug 1640255 ***

Description of problem:

A recent Fedora 29 with testing repos enabled causes this new SELinux violation:

```
# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc: denied { write } for pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
```

Version-Release number of selected component (if applicable):

```
shadow-utils-4.6-4.fc29.x86_64 (provides chpasswd)
sssd-2.0.0-4.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch
kernel-4.18.17-300.fc29.x86_64
```

How reproducible:

Always

Steps to Reproduce:

1. Create current Fedora 29 with testing repositories enabled and SELinux installed
2. Create a test user
3. Try to change password of test user with chpasswd

Actual results:

```
[root@localhost ~]# journalctl -b | grep type=14
[root@localhost ~]# chpasswd test:foobar
(Tue Nov 13 05:52:34:643059 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.
(Tue Nov 13 05:52:34:675252 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.
[root@localhost ~]# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc: denied { write } for pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc: denied { write } for pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
```