Bug 1649305

Summary: chpasswd gets SELinux denial: Unable to open config database [/var/lib/sss/db/config.ldb]
Product: [Fedora] Fedora
Reporter: Katerina Koukiou <kkoukiou>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: dwalsh, lslebodn, lvrabec, mgrepl, mpitt, plautrba
Hardware: Unspecified   
OS: Unspecified   
Clone Of:
: 1654592 (view as bug list) Environment:
Last Closed: 2018-12-07 13:22:19 UTC
Type: Bug
Bug Blocks: 1654592    

Description Katerina Koukiou 2018-11-13 11:10:03 UTC
Description of problem: A recent Fedora 29 with testing repos enabled causes this new SELinux violation:

# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
shadow-utils-4.6-4.fc29.x86_64 (provides chpasswd)
sssd-2.0.0-4.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch
kernel-4.18.17-300.fc29.x86_64


How reproducible: Always


Steps to Reproduce:
1. Create current Fedora 29 with testing repositories enabled and SELinux installed
2. Create a test user
3. Try to change password of test user with chpasswd

Actual results:

[root@localhost ~]# journalctl -b | grep type=14

[root@localhost ~]# chpasswd
test:foobar  
(Tue Nov 13 05:52:34:643059 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.
(Tue Nov 13 05:52:34:675252 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.

[root@localhost ~]# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc:  denied  { write } for  pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0

Comment 1 Lukas Slebodnik 2018-12-07 13:22:19 UTC

*** This bug has been marked as a duplicate of bug 1640255 ***