Bug 1027302 - [gdm] login of IPA user via GDM does not work because of SELinux denial
Summary: [gdm] login of IPA user via GDM does not work because of SELinux denial
Keywords:
Status: CLOSED DUPLICATE of bug 887193
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard: virt
Depends On:
Blocks:
Reported: 2013-11-06 14:01 UTC by Jiri Belka
Modified: 2013-11-20 15:09 UTC
CC List: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-20 14:57:45 UTC
Target Upstream Version:
Embargoed:


Attachments
audit.log (21.65 KB, application/x-gzip), 2013-11-13 15:59 UTC, Jiri Belka

Description Jiri Belka 2013-11-06 14:01:37 UTC
Description of problem:
SSO on RHEL6.5 not working because of SELinux

# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1383745541.043:442): avc:  denied  { create } for  pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1383745544.164:446): avc:  denied  { read } for  pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1383745544.164:446): avc:  denied  { open } for  pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

# sealert -a /var/log/audit/audit.log 
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/gdm-session-worker from create access on the key .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that gdm-session-worker should be allowed create access on the  key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python from read access on the file online.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed read access on the online file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ovirt-guest-age /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

...snip...
Dummy-2::INFO::2013-11-06 14:45:39,075::OVirtAgentLogic::169::root::Received an external command: login...
Dummy-2::DEBUG::2013-11-06 14:45:39,075::OVirtAgentLogic::201::root::User log-in (credentials = '\x00\x00\x00,vdcadmin.lab.eng.brq.redhat.com********\x00')
Dummy-2::INFO::2013-11-06 14:45:39,076::CredServer::207::root::The following users are allowed to connect: [0]
Dummy-2::DEBUG::2013-11-06 14:45:39,076::CredServer::272::root::Token: 776124
Dummy-2::INFO::2013-11-06 14:45:39,076::CredServer::273::root::Opening credentials channel...
Dummy-2::INFO::2013-11-06 14:45:39,078::CredServer::132::root::Emitting user authenticated signal (776124).
CredChannel::DEBUG::2013-11-06 14:45:39,198::CredServer::166::root::Receiving user's credential ret = 2 errno = 0
CredChannel::DEBUG::2013-11-06 14:45:39,198::CredServer::177::root::cmsgp: len=28 level=1 type=2
CredChannel::INFO::2013-11-06 14:45:39,198::CredServer::225::root::Incomming connection from user: 0 process: 13105
CredChannel::INFO::2013-11-06 14:45:39,198::CredServer::232::root::Sending user's credential (token: 776124)
Dummy-2::INFO::2013-11-06 14:45:39,199::CredServer::277::root::Credentials channel was closed.
Dummy-2::DEBUG::2013-11-06 14:45:39,199::OVirtAgentLogic::158::root::AgentLogicBase::doListen() - in loop before vio.read
Dummy-1::DEBUG::2013-11-06 14:45:44,165::OVirtAgentLogic::225::root::AgentLogicBase::sendUserInfo - cur_user = 'root'
Dummy-1::DEBUG::2013-11-06 14:45:44,213::GuestAgentLinux2::81::root::PkgMgr: list_pkgs returns [['kernel-2.6.32-430.el6', 'kernel-2.6.32-428.el6', 'rhevm-guest-agent-common-1.0.8-4.el6ev', 'xorg-x11-drv-qxl-0.1.0-7.el6']]
Dummy-2::INFO::2013-11-06 14:45:47,556::OVirtAgentLogic::169::root::Received an external command: lock-screen...
Dummy-2::DEBUG::2013-11-06 14:45:47,557::GuestAgentLinux2::157::root::Executing lock session command: '['/usr/share/ovirt-guest-agent/ovirt-locksession']'
Dummy-2::DEBUG::2013-11-06 14:45:47,605::OVirtAgentLogic::158::root::AgentLogicBase::doListen() - in loop before vio.read
Dummy-2::INFO::2013-11-06 14:45:47,606::OVirtAgentLogic::169::root::Received an external command: lock-screen...
...snip...


Version-Release number of selected component (if applicable):
is21
redhat-guest-agent-common selinux-policy-targeted
package redhat-guest-agent-common is not installed
selinux-policy-targeted-3.7.19-231.el6.noarch
redhat-release-server-6Server-6.5.0.1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. add guest OS into IPA (ipa-client-install --mkhomedir)
2. add your user from IPA on the VM in RHEVM UI
3. try SSO from User Portal

Actual results:
selinux preventing SSO

Expected results:
should work

Additional info:
* with Permissive mode it works
* try with brq-ipa.rhev.lab.eng.brq.redhat.com (ask for info if needed)

Comment 1 Jiri Belka 2013-11-06 15:40:31 UTC
Same issue on RHEL6.4, thus removing 6.5 from title and putting IPA there :)

Comment 2 Jiri Belka 2013-11-06 16:07:50 UTC
No issue when having RHEL (6.4, 6.5) connected to AD via winbind.

Comment 4 Miroslav Grepl 2013-11-13 12:39:23 UTC
type=AVC msg=audit(1383745541.043:442): avc:  denied  { create } for  pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key

What does

# id -Z

show if you use permissive mode? Also is there anything in /var/log/secure?

Comment 5 Jiri Belka 2013-11-13 12:40:11 UTC
Which user? root, ovirt-agent, destination user?

Comment 6 Miroslav Grepl 2013-11-13 12:42:43 UTC
I guess a destination user which is supposed to have guest_u:guest_r:guest_t:s0

Comment 7 Jiri Belka 2013-11-13 15:31:06 UTC
Changing product as this is not ovirt-guest-agent specific but GDM specific.

type=AVC msg=audit(1384356420.670:31136): avc:  denied  { create } for  pid=3126 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356420.671:31137): avc:  denied  { entrypoint } for  pid=3136 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1384356553.526:31146): avc:  denied  { create } for  pid=3140 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356553.526:31147): avc:  denied  { entrypoint } for  pid=3148 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 8 Jiri Belka 2013-11-13 15:59:23 UTC
Created attachment 823511 [details]
audit.log

last try in the log is with permissive mode

Comment 9 Miroslav Grepl 2013-11-13 16:43:26 UTC
And how about

# id -Z

and /var/log/secure?

Comment 10 Miroslav Grepl 2013-11-13 16:45:40 UTC
The problem is we have

guest_u:guest_r:oddjob_mkhomedir_t

instead of

guest_u:guest_r:guest_t

How is mkhomedir configured?

Comment 11 Jiri Belka 2013-11-20 10:20:20 UTC
IPA is configured like this:

-%-
ipa-client-install -d -p admin -w $PASSWORD --domain brq-ipa.rhev.lab.eng.brq.redhat.com --server brq-ipa.rhev.lab.eng.brq.redhat.com --realm BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM -N --mkhomedir -U --force
-%-

ipa-client-install configures various settings on the client (kerberos, sssd, ldap, ...) but also runs this command:

-%-
/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
-%-

I don't know what else I could add. Details behind the scene are out of my knowledge.

I can provide access to the machine.

While enforcing mode:

-%-
# grep denied /var/log/audit/audit.log                                                                                                       
type=AVC msg=audit(1384941310.466:27629): avc:  denied  { create } for  pid=2260 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384941310.468:27630): avc:  denied  { entrypoint } for  pid=32513 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=400601 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
-%-

-%-
su - vdcadmin
-sh-4.1$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-%-

Comment 12 Daniel Walsh 2013-11-20 13:30:47 UTC
guest_u:guest_r:oddjob_mkhomedir_t is happening because you are trying to login via an X Login, probably gdm, to a guest_u user, which is not allowed.  The initial version of IPA accidentally set up all users to login as guest_u, which is not allowed on graphical logins.  The fall back is oddjob_mkhomedir_t in older versions of SELinux.  Changing the default login of ipa to unconfined_u will solve this problem.

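Detection logic for the pattern Comment 12 describes, written as an added example (not part of the bug report or of any Red Hat tool): it scans AVC records for gdm-session-worker denials in which either context carries the guest_u SELinux user, the signature of a guest_u-mapped account being pushed through a graphical login. The sample records are constructed from the denials quoted in this bug.

```bash
#!/bin/bash
# Added example, not part of the bug report: flag AVC denials where
# gdm-session-worker is involved and the source or target context has the
# guest_u SELinux user (a confined user that policy does not allow to log
# in graphically; the fall-back domain seen here is oddjob_mkhomedir_t).

# Print one summary line per matching record. Reads audit records on stdin,
# e.g.:  grep denied /var/log/audit/audit.log | flag_guest_u_gdm_denials
flag_guest_u_gdm_denials() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; pid = ""; sc = ""; tc = ""; perm = ""; ts = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)          comm = substr($i, 6)
            else if ($i ~ /^pid=/)      pid  = substr($i, 5)
            else if ($i ~ /^scontext=/) sc   = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc   = substr($i, 10)
        }
        gsub(/"/, "", comm)
        # epoch seconds from msg=audit(1384941310.466:27629):
        if (match($2, /[0-9]+\.[0-9]+/)) ts = substr($2, RSTART, RLENGTH)
        # permission set from the braces: { create }
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        split(sc, s, ":"); split(tc, t, ":")   # user:role:type[:range]
        if (comm != "gdm-session-wor") next
        if (s[1] == "guest_u")      { user = s[1]; domain = s[3] }
        else if (t[1] == "guest_u") { user = t[1]; domain = t[3] }
        else next
        printf "%s pid=%s perm=%s selinux_user=%s domain=%s\n", ts, pid, perm, user, domain
    }'
}

# Constructed sample input, modelled on the records quoted in this bug.
# Lines 1-2 are the two denials from Comment 11; line 3 is the unrelated
# ovirt-guest-agent denial from the description and must not be flagged.
SAMPLE_AUDIT='type=AVC msg=audit(1384941310.466:27629): avc:  denied  { create } for  pid=2260 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384941310.468:27630): avc:  denied  { entrypoint } for  pid=32513 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=400601 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1383745544.164:446): avc:  denied  { read } for  pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | flag_guest_u_gdm_denials
```

On a live host the records this flags point at the IPA "Default SELinux user" mapping that Comment 14 changed (ipaselinuxusermapdefault, visible in `ipa config-show`), not at the local policy; the audit2allow module the sealert output offers would widen policy for xdm_t instead of correcting the user mapping.
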
Comment 13 Jiri Belka 2013-11-20 14:26:13 UTC
@Daniel: thanks for your comment.

We will try to "repair" our IPA and if it will work then we'll close the BZ.

Comment 14 Jiri Belka 2013-11-20 14:57:45 UTC
After updating IPA 'Default SELinux user' was changed to 'unconfined_u:s0-s0:c0.c1023' and it made it work.

Comment 15 Martin Kosek 2013-11-20 15:09:25 UTC
Thanks for investigation. Just to close the loop, linking to the right bug where this issue was documented.

*** This bug has been marked as a duplicate of bug 887193 ***

