Bug 769301

Summary: SELinux is preventing /usr/sbin/sssd from using the sys_admin capability.
Product: Red Hat Enterprise Linux 6 Reporter: Stephen Gallagher <sgallagh>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: urgent    
Version: 6.3CC: dominick.grift, dwalsh, grajaiya, jgalipea, jhrozek, ksrot, mgrepl, mmalik, sbose, sgallagh, ssorce
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-134.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 769175 Environment:
Last Closed: 2012-06-20 12:30:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 769175    
Bug Blocks:    

Description Stephen Gallagher 2011-12-20 13:29:21 UTC 
This is not an issue with the currently-released SSSD packages in RHEL 6.2. It is pre-emptively opened for a new requirement that we will have in RHEL 6.3.


+++ This bug was initially created as a clone of Bug #769175 +++

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.7.0-0.20111219T1638Zgitbdd2050.fc15.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Update Fedora 15 with the latest SSSD bits from http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
2. ipa-client-install 
3. Observe /var/log/messages
  
Actual results:
Dec 20 20:13:50 dhcp201-106 setroubleshoot: SELinux is preventing /usr/sbin/sssd from using the sys_admin capability. For complete SELinux messages. run sealert -l 650ca357-5e3a-455b-b028-4d0afaa8e5d0


Expected results:
No SELinux denials and SSSD should be started successfully.


Additional info:

SELinux is preventing /usr/sbin/sssd from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sssd should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sssd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

--- Additional comment from sgallagh on 2011-12-20 08:27:31 EST ---

SSSD grew a dependency on the sys_admin capability because it is now using keyctl_join_session_keyring() and keyctl_setperm() to connect to the kernel keyring and store passwords securely while the SSSD is running (such as for deferred kinit operation).

We need this new requirement added to SSSD in the selinux policy.
Comment 4 Daniel Walsh 2012-01-11 21:12:15 UTC 
It has been fixed for a while.  Definitely
Fixed in selinux-policy-3.7.19-134.el6
Comment 7 errata-xmlrpc 2012-06-20 12:30:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html