Bug 867765

Summary: SELinux prevents sssd start when joining a domain
Product: [Fedora] Fedora
Component: selinux-policy
Version: 18
Reporter: Karel Srot <ksrot>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, maxim, mgrepl, stefw
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-10-19 07:06:15 UTC
Attachments: AVC denials gathered in permissive (flags: none)

Description Karel Srot 2012-10-18 09:12:07 UTC
Description of problem:

Found when following a test scenario:
https://fedoraproject.org/wiki/QA:Testcase_Active_Directory_realmd_join_sssd

# realm join --user=Leela $TESTDOMAIN

sssd was installed and I joined the domain, but the sssd service was not running (because of SELinux)

# service sssd status
Redirecting to /bin/systemctl status  sssd.service
sssd.service - System Security Services Daemon
	  Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
	  Active: inactive (dead)
	  CGroup: name=systemd:/system/sssd.service

Oct 18 04:18:16 dhcp-25-148 systemd[1]: Stopped System Security Services Daemon.

# getent passwd 'RADI08\Leela'
#

In permissive the sshd started properly:
# getent passwd 'RADI08\Leela'
RADI08\leela:*:535601116:535600513:Turanga Leela:/home/RADI08/leela:/bin/bash


Another bunch of denials I got when leaving the domain:
# realm leave --user=Leela $TESTDOMAIN


Version-Release number of selected component (if applicable):
sssd-1.9.2-1.fc18.i686
selinux-policy-3.11.1-36.fc18.noarch
realmd-0.9-1.fc18.i686


How reproducible:
always

Steps to Reproduce:
follow the test scenario 
https://fedoraproject.org/wiki/QA:Testcase_Active_Directory_realmd_join_sssd
as root
  
Actual result:
sssd didn't start, getent not providing any output

Comment 1 Karel Srot 2012-10-18 09:13:25 UTC
Created attachment 629246
AVC denials gathered in permissive

Comment 2 Stef Walter 2012-10-19 05:29:09 UTC
realmd is starting sssd. More related AVCs here: bug #867767

Comment 3 Miroslav Grepl 2012-10-19 07:06:15 UTC

*** This bug has been marked as a duplicate of bug 867767 ***