Bug 624784
| Summary: | SSSD: Krb authentications fail when credential cache directory created on per user basis | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 6.0 | CC: | antillon.maurizio, dwalsh, grajaiya, jgalipea, mmalik, sgallagh, syeghiay |
| Target Milestone: | rc | Keywords: | RHELNAK |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-40.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-11-10 21:36:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 579775 | | |
Description

Jenny Severance, 2010-08-17 19:02:08 UTC

Set SELinux to permissive, and authentication is successful and the cache file is created.

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

Summary:

SELinux is preventing /usr/libexec/sssd/sssd_be "chown" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by sssd_be. It is not expected that this access is required by sssd_be and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:

```
Source Context                unconfined_u:system_r:sssd_t:s0
Target Context                unconfined_u:system_r:sssd_t:s0
Target Objects                None [ capability ]
Source                        sssd_be
Source Path                   /usr/libexec/sssd/sssd_be
Port                          <Unknown>
Host                          sgallagh.bos.redhat.com
Source RPM Packages           sssd-1.3.90-0.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     sgallagh.bos.redhat.com
Platform                      Linux sgallagh.bos.redhat.com 2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23 17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 17 Aug 2010 02:08:04 PM EDT
Last Seen                     Tue 17 Aug 2010 02:08:04 PM EDT
Local ID                      e9a5e9ea-8c77-4be3-9306-3af6f1c1a95b
Line Numbers

Raw Audit Messages

node=sgallagh.bos.redhat.com type=AVC msg=audit(1282068484.991:29227): avc: denied { chown } for pid=2285 comm="sssd_be" capability=0 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability

node=sgallagh.bos.redhat.com type=SYSCALL msg=audit(1282068484.991:29227): arch=c000003e syscall=92 success=yes exit=0 a0=19af1b0 a1=32f1 a2=32f1 a3=69 items=0 ppid=2283 pid=2285 auid=13041 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
```

Miroslav add

```
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
```

Steven do you think you need any other capabilities?

I am adding it.

Confirmed, chown is the only missing capability for this functionality.

Fixed in selinux-policy-3.7.19-40.el6.noarch

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
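As an added, defender-side example (not code from this bug, from SSSD or from selinux-policy): a small Python triage helper that parses the AVC and SYSCALL audit records quoted above, pairs them by event serial, checks that the numeric `capability=` field agrees with the denied permission name, reads the SYSCALL `success=` field to tell whether the access was actually blocked or merely logged in permissive mode, and renders the minimal allow rule in the same form as the one proposed in the thread. The sample records are the two from this report; the capability-number table follows the Linux kernel's numbering and covers only the capabilities named in the proposed rule.

```python
import re

# Constructed sample: the two audit records quoted in this bug, one per line as in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1282068484.991:29227): avc: denied { chown } for pid=2285 comm="sssd_be" capability=0 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability
type=SYSCALL msg=audit(1282068484.991:29227): arch=c000003e syscall=92 success=yes exit=0 a0=19af1b0 a1=32f1 a2=32f1 a3=69 items=0 ppid=2283 pid=2285 auid=13041 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]*)\} for "
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?syscall=(?P<nr>\d+) success=(?P<ok>\w+)")
# Linux capability numbers for the capabilities named in the policy rule proposed in this bug.
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 5: "kill",
                    6: "setgid", 7: "setuid", 23: "sys_nice"}


def sel_type(context):
    return context.split(":")[2]  # user:role:type:range -> type


def parse_denials(log):
    """Pair each AVC record with the SYSCALL record of the same serial and summarise it."""
    avcs, syscalls = {}, {}
    for line in log.splitlines():
        if m := AVC_RE.search(line):
            avcs[m["serial"]] = m
        elif m := SYSCALL_RE.search(line):
            syscalls[m["serial"]] = m
    denials = []
    for serial, m in avcs.items():
        sc = syscalls.get(serial)
        cap = re.search(r"capability=(\d+)", m.string)
        denials.append({
            "source": sel_type(m["scontext"]),
            "target": sel_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": m["perms"].split(),
            # For tclass=capability the numeric capability should name the same permission.
            "capability": CAPABILITY_NAMES.get(int(cap.group(1))) if cap else None,
            # success=yes on the SYSCALL record means the call went through: permissive mode.
            "enforced": sc is not None and sc["ok"] == "no",
        })
    return denials


def allow_rule(d):
    """Render the minimal allow rule for one denial, in the form used in this bug."""
    target = "self" if d["source"] == d["target"] else d["target"]
    return f"allow {d['source']} {target}:{d['tclass']} {{ {' '.join(d['perms'])} }};"
```

For the records above this yields `allow sssd_t self:capability { chown };` with `enforced` false, matching the "[SELinux is in permissive mode. This access was not denied.]" note in the report.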