Bug 1734188

Summary: SELinux is preventing sssd_be from 'search' accesses on the directory /var/kerberos/krb5.
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 31
CC: dwalsh, lslebodn, lvrabec, mgrepl, plautrba, tdudlak, zpytela
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:e8c02170fe102e3da1fcadeac1fea94186d3917220ec0d969f249c440925a1c1;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.4-39.fc31
Last Closed: 2019-10-29 01:27:49 UTC

Description Adam Williamson 2019-07-29 22:08:20 UTC
Description of problem:
Happens on my desktop (a FreeIPA domain member) in current Rawhide. Not sure precisely what triggers it.
SELinux is preventing sssd_be from 'search' accesses on the directory /var/kerberos/krb5.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_be should be allowed search access on the krb5 directory by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe
# semodule -X 300 -i my-sssdbe.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                /var/kerberos/krb5 [ dir ]
Source                        sssd_be
Source Path                   sssd_be
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           krb5-libs-1.17-36.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-25.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.0-0.rc1.git3.1.fc31.x86_64 #1
                              SMP Thu Jul 25 11:51:04 UTC 2019 x86_64 x86_64
Alert Count                   760
First Seen                    2019-07-10 14:04:44 PDT
Last Seen                     2019-07-29 15:02:51 PDT
Local ID                      b843d3b4-4384-4860-9eec-2ebc46ecb65e

Raw Audit Messages
type=AVC msg=audit(1564437771.504:259): avc:  denied  { search } for  pid=1180 comm="sssd_be" name="krb5" dev="dm-2" ino=538145 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0


Hash: sssd_be,sssd_t,krb5_keytab_t,dir,search

Version-Release number of selected component:
selinux-policy-3.14.4-25.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.0-0.rc1.git3.1.fc31.x86_64
type:           libreport

Comment 2 Ben Cotton 2019-08-13 16:56:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 3 Ben Cotton 2019-08-13 18:52:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 4 Lukas Slebodnik 2019-08-15 15:24:40 UTC
The issue was introduced in 3.14.4-22
- Label /var/kerberos/krb5 as krb5_keytab_t
 
And IIRC similar AVCs were for certmonger_t, dirsrv_t, ipa_dnskey_t, named_t

And it is not allowed for ipa_dnskey_t in selinux-policy-3.14.4-29.fc31.noarch

Comment 5 Lukas Slebodnik 2019-08-16 17:45:57 UTC
Providing more info for previous comment

Aug 16 11:39:35 host.testrelm.test systemd[1]: Starting Certificate monitoring and PKI enrollment...
Aug 16 11:39:35 host.testrelm.test certmonger[25433]: 2019-08-16 11:39:35 [25433] Changing to root directory.
Aug 16 11:39:35 host.testrelm.test certmonger[25433]: 2019-08-16 11:39:35 [25433] Obtaining system lock.
Aug 16 11:39:35 host.testrelm.test systemd[1]: Started Certificate monitoring and PKI enrollment.
Aug 16 11:39:35 host.testrelm.test audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=certmonger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 16 11:39:35 host.testrelm.test ipa-submit[25436]: GSSAPI client step 1
Aug 16 11:39:35 host.testrelm.test ipa-submit[25436]: GSSAPI client step 1
Aug 16 11:39:35 host.testrelm.test audit[25436]: AVC avc:  granted  { search } for  pid=25436 comm="ipa-submit" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:39:35 host.testrelm.test audit[25436]: AVC avc:  granted  { search } for  pid=25436 comm="ipa-submit" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:39:35 host.testrelm.test audit[25436]: SYSCALL arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=55b00b8c9de0 a2=0 a3=0 items=1 ppid=25433 pid=25436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
Aug 16 11:39:35 host.testrelm.test audit: CWD cwd="/"
Aug 16 11:39:35 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/0/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:39:35 host.testrelm.test audit: PROCTITLE proctitle="/usr/libexec/certmonger/ipa-submit"
Aug 16 11:39:35 host.testrelm.test ipa-submit[25436]: GSSAPI client step 1
Aug 16 11:39:35 host.testrelm.test ipa-submit[25436]: GSSAPI client step 1
Aug 16 11:39:35 host.testrelm.test ipa-submit[25436]: GSSAPI client step 2

Aug 16 11:41:10 host.testrelm.test ipa-submit[26330]: GSSAPI client step 1
Aug 16 11:41:10 host.testrelm.test ipa-submit[26330]: GSSAPI client step 1
Aug 16 11:41:10 host.testrelm.test audit[26330]: AVC avc:  granted  { search } for  pid=26330 comm="ipa-submit" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:41:10 host.testrelm.test audit[26330]: AVC avc:  granted  { search } for  pid=26330 comm="ipa-submit" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:41:10 host.testrelm.test audit[26330]: SYSCALL arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=55e8600e8de0 a2=0 a3=0 items=1 ppid=25433 pid=26330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
Aug 16 11:41:10 host.testrelm.test audit: CWD cwd="/"
Aug 16 11:41:10 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/0/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:41:10 host.testrelm.test audit: PROCTITLE proctitle="/usr/libexec/certmonger/ipa-submit"
Aug 16 11:41:10 host.testrelm.test ipa-submit[26330]: GSSAPI client step 1
Aug 16 11:41:10 host.testrelm.test ipa-submit[26330]: GSSAPI client step 1
Aug 16 11:41:10 host.testrelm.test ipa-submit[26330]: GSSAPI client step 2

Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: bind-dyndb-ldap version 11.1 compiled at 00:00:00 Jul 24 2019, compiler 9.1.1 20190605 (Red Hat 9.1.1-2)
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 1
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 1
Aug 16 11:43:01 host.testrelm.test audit[27806]: AVC avc:  granted  { search } for  pid=27806 comm="isc-worker0001" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:43:01 host.testrelm.test audit[27806]: AVC avc:  granted  { search } for  pid=27806 comm="isc-worker0001" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:43:01 host.testrelm.test audit[27806]: SYSCALL arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=7f6fc17a6780 a2=0 a3=0 items=1 ppid=27805 pid=27806 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
Aug 16 11:43:01 host.testrelm.test audit: CWD cwd="/var/named"
Aug 16 11:43:01 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/25/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:43:01 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F7362696E2F6E616D65642D706B63733131002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 1
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 2
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 1
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 1
Aug 16 11:43:01 host.testrelm.test audit[27806]: AVC avc:  granted  { search } for  pid=27806 comm="isc-worker0001" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:43:01 host.testrelm.test audit[27806]: AVC avc:  granted  { search } for  pid=27806 comm="isc-worker0001" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:43:01 host.testrelm.test audit[27806]: SYSCALL arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=7f6fc17a9230 a2=0 a3=0 items=1 ppid=27805 pid=27806 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
Aug 16 11:43:01 host.testrelm.test audit: CWD cwd="/var/named"
Aug 16 11:43:01 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/25/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:43:01 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F7362696E2F6E616D65642D706B63733131002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 1
Aug 16 11:43:01 host.testrelm.test named-pkcs11[27806]: GSSAPI client step 2


Aug 16 11:43:04 host.testrelm.test ipa-dnskeysyncd[27794]: ipa-dnskeysyncd: INFO     LDAP bind...
Aug 16 11:43:04 host.testrelm.test python3[27794]: GSSAPI client step 1
Aug 16 11:43:04 host.testrelm.test python3[27794]: GSSAPI client step 1
Aug 16 11:43:04 host.testrelm.test audit[27794]: AVC avc:  denied  { search } for  pid=27794 comm="ipa-dnskeysyncd" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Aug 16 11:43:04 host.testrelm.test audit[27794]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=558ddead8f50 a2=0 a3=0 items=1 ppid=1 pid=27794 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysyncd" exe="/usr/bin/python3.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
Aug 16 11:43:04 host.testrelm.test audit: CWD cwd="/"
Aug 16 11:43:04 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:43:04 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E6364
Aug 16 11:43:04 host.testrelm.test python3[27794]: GSSAPI client step 1
Aug 16 11:43:04 host.testrelm.test python3[27794]: GSSAPI client step 2
Aug 16 11:43:04 host.testrelm.test ipa-dnskeysyncd[27794]: ipa-dnskeysyncd: INFO     Commencing sync process
Aug 16 11:43:04 host.testrelm.test ipa-dnskeysyncd[27794]: ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
Aug 16 11:43:06 host.testrelm.test python3[27900]: Configuration.cpp(95): Missing log.level in configuration. Using default value: INFO
Aug 16 11:43:06 host.testrelm.test python3[27900]: Configuration.cpp(95): Missing token.mechanisms in configuration. Using default value: ALL
Aug 16 11:43:06 host.testrelm.test python3[27900]: Configuration.cpp(123): Missing slots.removable in configuration. Using default value: false
Aug 16 11:43:06 host.testrelm.test python3[27900]: GSSAPI client step 1
Aug 16 11:43:06 host.testrelm.test python3[27900]: GSSAPI client step 1
Aug 16 11:43:06 host.testrelm.test audit[27900]: AVC avc:  denied  { search } for  pid=27900 comm="ipa-dnskeysync-" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Aug 16 11:43:06 host.testrelm.test audit[27900]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a34b5ef590 a2=0 a3=0 items=1 ppid=27794 pid=27900 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysync-" exe="/usr/bin/python3.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
Aug 16 11:43:06 host.testrelm.test audit: CWD cwd="/"
Aug 16 11:43:06 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:43:06 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E632D7265706C696361
Aug 16 11:43:06 host.testrelm.test audit[27900]: AVC avc:  denied  { search } for  pid=27900 comm="ipa-dnskeysync-" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Aug 16 11:43:06 host.testrelm.test audit[27900]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55a34b46b300 a2=0 a3=0 items=1 ppid=27794 pid=27900 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysync-" exe="/usr/bin/python3.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
Aug 16 11:43:06 host.testrelm.test audit: CWD cwd="/"
Aug 16 11:43:06 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:43:06 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F62696E2F707974686F6E33002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E632D7265706C696361
Aug 16 11:43:06 host.testrelm.test python3[27900]: GSSAPI client step 1
Aug 16 11:43:07 host.testrelm.test [27511]: GSSAPI client step 1
Aug 16 11:43:07 host.testrelm.test [27511]: GSSAPI client step 1
Aug 16 11:43:07 host.testrelm.test [27511]: GSSAPI client step 1
Aug 16 11:43:09 host.testrelm.test [27509]: GSSAPI client step 1



Aug 16 11:43:15 host.testrelm.test systemd[1]: Starting System Security Services Daemon...
Aug 16 11:43:15 host.testrelm.test sssd[27947]: Starting up
Aug 16 11:43:15 host.testrelm.test sssd[be[implicit_files]][27948]: Starting up
Aug 16 11:43:15 host.testrelm.test sssd[be[testrelm.test]][27949]: Starting up
Aug 16 11:43:15 host.testrelm.test sssd_be[27949]: GSSAPI client step 1
Aug 16 11:43:15 host.testrelm.test sssd_be[27949]: GSSAPI client step 1
Aug 16 11:43:15 host.testrelm.test audit[27949]: AVC avc:  granted  { search } for  pid=27949 comm="sssd_be" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:43:15 host.testrelm.test audit[27949]: AVC avc:  granted  { search } for  pid=27949 comm="sssd_be" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 11:43:15 host.testrelm.test audit[27949]: SYSCALL arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=55ea36ef4120 a2=0 a3=0 items=1 ppid=27947 pid=27949 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
Aug 16 11:43:15 host.testrelm.test audit: CWD cwd="/"
Aug 16 11:43:15 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/0/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 11:43:15 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E007465737472656C6D2E74657374002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
Aug 16 11:43:15 host.testrelm.test sssd_be[27949]: GSSAPI client step 1
Aug 16 11:43:15 host.testrelm.test sssd_be[27949]: GSSAPI client step 2



Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: [16/Aug/2019:12:03:20.855715211 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: [16/Aug/2019:12:03:20.858393128 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete.  Result 0 (Success)
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: [16/Aug/2019:12:03:20.859291711 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: [16/Aug/2019:12:03:20.860096311 -0400] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete.  Result 0 (Success)
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: GSSAPI client step 1
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: GSSAPI client step 1
Aug 16 12:03:20 host.testrelm.test audit[28270]: AVC avc:  granted  { search } for  pid=28270 comm="ns-slapd" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 12:03:20 host.testrelm.test audit[28270]: AVC avc:  granted  { search } for  pid=28270 comm="ns-slapd" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
Aug 16 12:03:20 host.testrelm.test audit[28270]: SYSCALL arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=7f365fc9de80 a2=0 a3=0 items=1 ppid=1 pid=28270 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
Aug 16 12:03:20 host.testrelm.test audit: CWD cwd="/var/log/dirsrv/slapd-TESTRELM-TEST"
Aug 16 12:03:20 host.testrelm.test audit: PATH item=0 name="/var/kerberos/krb5/user/389/client.keytab" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Aug 16 12:03:20 host.testrelm.test audit: PROCTITLE proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D5445535452454C4D2D54455354002D69002F72756E2F6469727372762F736C6170642D5445535452454C4D2D544553542E706964
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: GSSAPI client step 1
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: GSSAPI client step 1
Aug 16 12:03:20 host.testrelm.test ns-slapd[28270]: GSSAPI client step 2





And as you can see, it happens for each application which uses GSSAPI,
but it does not cause any problem because neither of the applications has a keytab there:
[root@host ~]# ls -l /var/kerberos/krb5/user/
total 0

I would recommend pinging the krb5 maintainer and asking whether it really needs to be allowed for all applications
which use GSSAPI authentication, or whether there is a way to disable it globally.
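
The records in the comment above all follow one pattern: the GSSAPI client probes /var/kerberos/krb5/user/<uid>/client.keytab, the kernel raises `search` AVCs on the `krb5` and `user` directories (granted for certmonger_t, named_t, sssd_t and dirsrv_t, denied for ipa_dnskey_t), and the openat() then fails with exit=-2 (ENOENT, the keytab does not exist) or exit=-13 (EACCES, SELinux stopped the lookup first). Reading an AVC next to its SYSCALL and PATH records is what tells the two apart, and setroubleshoot's "Raw Audit Messages" only shows the AVC. The script below is an added example for this bug, not code from the report, sssd, krb5 or selinux-policy: it groups `ausearch --raw` records by event serial, joins each AVC with the syscall outcome and the probed path, classifies the rows, and prints the allow rules audit2allow would emit for the denied records only. The sample records are constructed from the lines quoted above (serials 301 and 302 are made up, since the journal output drops them; serial 259 is the AVC from the original report).

```python
"""Correlate raw audit records so each AVC is read next to the syscall it came from.
Added example for bug 1734188; not code from the report or any of the projects involved."""
import errno
import re
from dataclasses import dataclass, field
from typing import Optional

REC = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC = re.compile(r'avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}')

# Constructed sample in ausearch --raw format, rebuilt from the journal lines quoted in
# comment 5 (serials 301/302 are invented) plus the lone AVC from the report (serial 259).
SAMPLE = """\
type=AVC msg=audit(1565970184.200:301): avc:  denied  { search } for  pid=27794 comm="ipa-dnskeysyncd" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1565970184.200:301): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c items=1 ppid=1 pid=27794 uid=991 comm="ipa-dnskeysyncd" exe="/usr/bin/python3.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=PATH msg=audit(1565970184.200:301): item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN
type=AVC msg=audit(1565970195.100:302): avc:  granted  { search } for  pid=27949 comm="sssd_be" name="krb5" dev="dm-0" ino=8502749 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
type=AVC msg=audit(1565970195.100:302): avc:  granted  { search } for  pid=27949 comm="sssd_be" name="user" dev="dm-0" ino=17009975 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir
type=SYSCALL msg=audit(1565970195.100:302): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c items=1 ppid=27947 pid=27949 uid=0 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=PATH msg=audit(1565970195.100:302): item=0 name="/var/kerberos/krb5/user/0/client.keytab" nametype=UNKNOWN
type=AVC msg=audit(1564437771.504:259): avc:  denied  { search } for  pid=1180 comm="sssd_be" name="krb5" dev="dm-2" ino=538145 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
"""


@dataclass
class Event:
    serial: int
    avcs: list = field(default_factory=list)     # parsed AVC records of this event
    syscall: dict = field(default_factory=dict)  # fields of the SYSCALL record, if any
    path: Optional[str] = None                   # name= of the PATH record, if any


def _fields(body):
    return {k: v.strip('"') for k, v in KV.findall(body)}


def _type(context):
    # system_u:object_r:krb5_keytab_t:s0 -> krb5_keytab_t
    return context.split(':')[2]


def parse_audit(text):
    """Group records by audit event serial: one Event per syscall."""
    events = {}
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue
        serial = int(m['serial'])
        ev = events.setdefault(serial, Event(serial))
        if m['type'] == 'AVC':
            a = AVC.search(m['body'])
            if a:
                rec = _fields(m['body'])
                rec['verdict'] = a['verdict']
                rec['perms'] = a['perms'].split()
                ev.avcs.append(rec)
        elif m['type'] == 'SYSCALL':
            ev.syscall = _fields(m['body'])
        elif m['type'] == 'PATH':
            ev.path = _fields(m['body']).get('name')
    return events


def _result(ev):
    """Symbolic errno of the syscall (ENOENT, EACCES, ...), 'OK', or None without a SYSCALL record."""
    code = ev.syscall.get('exit')
    if code is None:
        return None
    n = int(code)
    return errno.errorcode.get(-n, str(n)) if n < 0 else 'OK'


def summarize(events):
    """One row per AVC record, joined with the outcome of the syscall that raised it."""
    rows = []
    for ev in sorted(events.values(), key=lambda e: e.serial):
        for avc in ev.avcs:
            rows.append({
                'serial': ev.serial, 'comm': avc.get('comm'), 'verdict': avc['verdict'],
                'source_type': _type(avc['scontext']), 'target_type': _type(avc['tcontext']),
                'tclass': avc['tclass'], 'perms': avc['perms'], 'name': avc.get('name'),
                'path': ev.path, 'result': _result(ev),
            })
    return rows


def classify(row):
    """Triage reading of one row."""
    if row['verdict'] == 'granted' and row['result'] == 'ENOENT':
        return 'probe only: search allowed, keytab absent'
    if row['verdict'] == 'denied' and row['result'] == 'EACCES':
        return 'blocked by SELinux before the keytab lookup'
    if row['result'] is None:
        return 'no SYSCALL record: fetch the full event with ausearch'
    return 'unclassified'


def allow_rules(events):
    """The rules audit2allow would print for the denied records (granted ones need nothing)."""
    rules = set()
    for row in summarize(events):
        if row['verdict'] != 'denied':
            continue
        perms = ' '.join(row['perms'])
        if len(row['perms']) > 1:
            perms = '{ %s }' % perms
        rules.add('allow %s %s:%s %s;' % (row['source_type'], row['target_type'], row['tclass'], perms))
    return sorted(rules)


if __name__ == '__main__':
    evs = parse_audit(SAMPLE)
    for r in summarize(evs):
        print('%(serial)s %(comm)-16s %(verdict)-7s %(source_type)-14s %(name)-5s %(path)s %(result)s' % r,
              '->', classify(r))
    print('\n'.join(allow_rules(evs)))
```

With real data, pipe in the same `ausearch -c sssd_be --raw` that setroubleshoot suggests; ausearch emits whole events, so the SYSCALL and PATH records arrive with the AVC. Two caveats a reviewer would want: the rules this prints are exactly as broad as audit2allow's (search on every krb5_keytab_t directory for that domain, which is what the later policy update grants), and the probe itself comes from libkrb5's default client keytab lookup, which the `default_client_keytab_name` setting in krb5.conf's [libdefaults] or the KRB5_CLIENT_KTNAME environment variable can redirect per process, so "disable it globally" in the comment above is a krb5 configuration question rather than an SELinux one.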

Comment 6 Fedora Update System 2019-10-22 19:32:36 UTC
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 7 Fedora Update System 2019-10-23 15:44:37 UTC
selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 8 Fedora Update System 2019-10-26 16:59:23 UTC
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 9 Fedora Update System 2019-10-27 04:02:49 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 10 Fedora Update System 2019-10-29 01:27:49 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.