Bug 889251

Summary: SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket
Product: Red Hat Enterprise Linux 6 Reporter: Kaushik Banerjee <kbanerje>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: dwalsh, jhrozek, mmalik, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-190.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 959217 (view as bug list) Environment:
Last Closed: 2013-02-21 08:33:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 959217    

Description Kaushik Banerjee 2012-12-20 15:45:21 UTC 
Description of problem:
SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-185.el6

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd for krb5_kpasswd failover. Snippet of domain section as follows:
[domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kdc1.example.com
krb5_kpasswd = invalidkdc.example.com,kdc1.example.com

2. Try to auth as a user and change password
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Thu Dec 20 21:06:26 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
-sh-4.1$ 

  
Actual results:
Password change works. However, an avc appears:
type=AVC msg=audit(1355985410.909:543): avc:  denied  { name_connect } for  pid=15551 comm="krb5_child" dest=464 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket

Expected results:
avc shouldn't appear.

Additional info:
Comment 1 Miroslav Grepl 2012-12-20 21:37:47 UTC 
Backporting from Fedora.
Comment 4 errata-xmlrpc 2013-02-21 08:33:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html