Bug 952830

| Field | Value |
|---|---|
| Summary | SELinux prevents realmd from running ipa-client-install correctly |
| Product | Fedora |
| Reporter | Stef Walter <stefw> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 19 |
| CC | dominick.grift, dpal, dwalsh, mgrepl, mkosek, todoleza, yelley |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-06-12 16:05:44 UTC |
| Regression | --- |
| Bug Blocks | 918092 |
Description: Stef Walter, 2013-04-16 19:52:54 UTC
I also get tons of this in /var/log/messages:

Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event
Apr 16 21:58:41 localhost audispd: queue is full - dropping event

Created attachment 736546 [details]: More AVC's after joining/leaving domains multiple times
c081ef1633556c5c5a630df6e30202b345a8be53 fixes this in git, but realmd really needs to be an unconfined domain, and we need to make sure that when it is done setting up the environment all the files it created are labeled correctly.

Patrik got this output after running restorecon -R -v -n /

restorecon: Warning no default label for /mnt/sysimage/home
restorecon: Warning no default label for /var/lib/nfs/rpc_pipefs
restorecon: Warning no default label for /tmp/krb5cc_0
restorecon: Warning no default label for /tmp/.Test-unix
restorecon: Warning no default label for /tmp/.XIM-unix
restorecon: Warning no default label for /run/iprdump.pid
restorecon: Warning no default label for /run/iprinit.pid
restorecon: Warning no default label for /run/iprupdate.pid
restorecon: Warning no default label for /run/lvmetad.pid
restorecon: Warning no default label for /run/lock/subsys
restorecon: Warning no default label for /run/lock/subsys/iprdump
restorecon: Warning no default label for /run/lock/subsys/iprupdate
restorecon: Warning no default label for /run/lock/subsys/iprinit
restorecon: Warning no default label for /run/initramfs
restorecon: Warning no default label for /run/initramfs/.need_shutdown
restorecon: Warning no default label for /sys/fs/cgroup/cpuacct
restorecon: Warning no default label for /sys/fs/cgroup/cpu
restorecon: Warning no default label for /dev/mqueue
restorecon: Warning no default label for /dev/pts/0
restorecon: Warning no default label for /dev/pts/ptmx
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:machineid_t:s0
restorecon reset /etc/vconsole.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:locale_t:s0
restorecon reset /etc/udev/hwdb.bin context unconfined_u:object_r:net_conf_t:s0->unconfined_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/postlogin-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/smartcard-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/fingerprint-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/system-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/mail/access.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/domaintable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/virtusertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/mailertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0

After successfully joining the realm, there are some SELinux errors:

# grep realmd /var/log/audit/audit.log
type=USER_AVC msg=audit(1366371060.807:504): pid=423 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.43 spid=1993 tpid=2015 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SELINUX_ERR msg=audit(1366371065.497:505): security_compute_sid: invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1366371073.524:603): security_compute_sid: invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process

OK, I updated policy to handle the SELINUX_ERR, and most of the mislabeled.

I am interested in how these etc_runtime_t files are being created. These should only be created by an initrc_t script at boot time. I would like to know if they are there before realmd joins the domain or only afterwards.

selinux-policy-3.12.1-39.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-39.fc19

Package selinux-policy-3.12.1-39.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-39.fc19'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-39.fc19
then log in and leave karma (feedback).

Package selinux-policy-3.12.1-40.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-40.fc19'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-40.fc19
then log in and leave karma (feedback).

This is now in Fedora 19.
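The two kinds of output quoted in this thread, the audit.log AVC/SELINUX_ERR records and the `restorecon -R -v -n /` dry run, are what you triage when deciding whether a policy change or a relabel is needed. The following Python is an added example written for this page; it is not code from the bug report, from realmd, or from the selinux-policy package. It parses audit records into (source type, target type, class, permission) tuples, treats the `security_compute_sid: invalid context` record as its own category (the kernel could not build a valid result context for the realmd_t to authconfig_exec_t transition), and extracts from restorecon output which paths currently carry a given type such as etc_runtime_t, so the question of whether those files existed before the domain join can be answered by running it on snapshots taken before and after. The sample inputs are lines copied from the thread above; the function names are mine.

```python
import re
from collections import Counter

# Sample input: the audit.log records quoted in the bug report above.
AUDIT_SAMPLE = """\
type=USER_AVC msg=audit(1366371060.807:504): pid=423 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.43 spid=1993 tpid=2015 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SELINUX_ERR msg=audit(1366371065.497:505): security_compute_sid: invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1366371073.524:603): security_compute_sid: invalid context system_u:system_r:authconfig_t:s0-s0:c0.c1023 for scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:authconfig_exec_t:s0 tclass=process
"""

# Sample input: a subset of the `restorecon -R -v -n /` output quoted above.
RESTORECON_SAMPLE = """\
restorecon: Warning no default label for /tmp/krb5cc_0
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:machineid_t:s0
restorecon reset /etc/vconsole.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:locale_t:s0
restorecon reset /etc/pam.d/system-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/mail/access.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value tokens, value may be quoted
_AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(<epoch>:<serial>)
_DENIED = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # denied { perm perm ... }
_INVALID = re.compile(r'invalid context (\S+) for ')  # security_compute_sid failure
_RESET = re.compile(r'^restorecon reset (\S+) context (\S+)->(\S+)$')
_NOLABEL = re.compile(r'^restorecon: Warning no default label for (\S+)$')


def type_of(context):
    """Type field of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]


def parse_audit(text):
    """Parse AVC, USER_AVC and SELINUX_ERR records into dicts; other record types are skipped."""
    records = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        kind = fields.get('type')
        if kind not in ('AVC', 'USER_AVC', 'SELINUX_ERR'):
            continue
        ident = _AUDIT_ID.search(line)
        rec = {'type': kind, 'serial': int(ident.group(2)) if ident else None,
               'scontext': fields.get('scontext'), 'tcontext': fields.get('tcontext'),
               'tclass': fields.get('tclass'), 'perms': (), 'invalid_context': None}
        if kind == 'SELINUX_ERR':
            # No permission was denied; the kernel rejected the computed result context.
            m = _INVALID.search(line)
            rec['invalid_context'] = m.group(1) if m else None
        else:
            m = _DENIED.search(line)
            rec['perms'] = tuple(m.group(1).split()) if m else ()
        records.append(rec)
    return records


def summarize(records):
    """Count (kind, source type, target type, class, detail) tuples. For denials the detail is
    the permission; for SELINUX_ERR it is the type of the context the kernel rejected."""
    counts = Counter()
    for r in records:
        src, tgt = type_of(r['scontext']), type_of(r['tcontext'])
        if r['type'] == 'SELINUX_ERR':
            bad = type_of(r['invalid_context']) if r['invalid_context'] else '?'
            counts[('SELINUX_ERR', src, tgt, r['tclass'], bad)] += 1
        else:
            for perm in r['perms']:
                counts[('AVC', src, tgt, r['tclass'], perm)] += 1
    return counts


def parse_restorecon(text):
    """Split `restorecon -v -n` output into relabels [(path, old_type, new_type)] and paths
    with no file-context rule at all. Paths containing whitespace are not handled."""
    relabels, unlabeled = [], []
    for line in text.splitlines():
        m = _RESET.match(line)
        if m:
            relabels.append((m.group(1), type_of(m.group(2)), type_of(m.group(3))))
            continue
        m = _NOLABEL.match(line)
        if m:
            unlabeled.append(m.group(1))
    return relabels, unlabeled


def labeled_as(relabels, old_type):
    """Paths currently carrying old_type that restorecon would relabel; diff the result from
    a run before and a run after the domain join to see what the join created or touched."""
    return [path for path, old, _new in relabels if old == old_type]


if __name__ == '__main__':
    for key, n in sorted(summarize(parse_audit(AUDIT_SAMPLE)).items()):
        print(n, *key)
    relabels, unlabeled = parse_restorecon(RESTORECON_SAMPLE)
    print('etc_runtime_t files restorecon would relabel:', labeled_as(relabels, 'etc_runtime_t'))
    print('paths with no file-context rule:', unlabeled)
```

On a live system feed it `ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today` (or the raw audit.log) and `restorecon -R -v -n /etc`; the summary keys are the granularity at which you compare against the installed policy or decide that a file-context rule, not an allow rule, is what is missing.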