Bug 1734387

Summary: sssd_be avc: denied { search }
Product: Red Hat Enterprise Linux 8 Reporter: Steeve Goveas <sgoveas>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.1CC: jhrozek, lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-30 13:02:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steeve Goveas 2019-07-30 12:19:44 UTC
Steps to Reproduce:
http://ci-vm-10-0-148-68.hosted.upshift.rdu2.redhat.com/sssd-nightly-tier2/master/1/krb_minssf/restraint.01/

Actual results:

Expected results:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-12.el8.noarch
----
time->Tue Jul 30 06:20:23 2019
type=PROCTITLE msg=audit(1564482023.517:1770): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E004C4441502D4B524235002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1564482023.517:1770): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55eeb5136b90 a2=0 a3=0 items=0 ppid=28075 pid=28077 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1564482023.517:1770): avc:  denied  { search } for  pid=28077 comm="sssd_be" name="krb5" dev="vda1" ino=9186485 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0


Additional info:

Comment 1 Lukas Vrabec 2019-07-30 13:02:55 UTC

*** This bug has been marked as a duplicate of bug 1734399 ***