Description of problem:
SSO on RHEL6.5 not working because of SELinux

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1383745541.043:442): avc: denied { create } for pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1383745544.164:446): avc: denied { read } for pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1383745544.164:446): avc: denied { open } for pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

# sealert -a /var/log/audit/audit.log
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/gdm-session-worker from create access on the key .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that gdm-session-worker should be allowed create access on the key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python from read access on the file online.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that python should be allowed read access on the online file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ovirt-guest-age /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

...snip...
Dummy-2::INFO::2013-11-06 14:45:39,075::OVirtAgentLogic::169::root::Received an external command: login...
Dummy-2::DEBUG::2013-11-06 14:45:39,075::OVirtAgentLogic::201::root::User log-in (credentials = '\x00\x00\x00,vdcadmin.lab.eng.brq.redhat.com***** ***\x00')
Dummy-2::INFO::2013-11-06 14:45:39,076::CredServer::207::root::The following users are allowed to connect: [0]
Dummy-2::DEBUG::2013-11-06 14:45:39,076::CredServer::272::root::Token: 776124
Dummy-2::INFO::2013-11-06 14:45:39,076::CredServer::273::root::Opening credentials channel...
Dummy-2::INFO::2013-11-06 14:45:39,078::CredServer::132::root::Emitting user authenticated signal (776124).
CredChannel::DEBUG::2013-11-06 14:45:39,198::CredServer::166::root::Receiving user's credential ret = 2 errno = 0
CredChannel::DEBUG::2013-11-06 14:45:39,198::CredServer::177::root::cmsgp: len=28 level=1 type=2
CredChannel::INFO::2013-11-06 14:45:39,198::CredServer::225::root::Incomming connection from user: 0 process: 13105
CredChannel::INFO::2013-11-06 14:45:39,198::CredServer::232::root::Sending user's credential (token: 776124)
Dummy-2::INFO::2013-11-06 14:45:39,199::CredServer::277::root::Credentials channel was closed.
Dummy-2::DEBUG::2013-11-06 14:45:39,199::OVirtAgentLogic::158::root::AgentLogicBase::doListen() - in loop before vio.read
Dummy-1::DEBUG::2013-11-06 14:45:44,165::OVirtAgentLogic::225::root::AgentLogicBase::sendUserInfo - cur_user = 'root'
Dummy-1::DEBUG::2013-11-06 14:45:44,213::GuestAgentLinux2::81::root::PkgMgr: list_pkgs returns [['kernel-2.6.32-430.el6', 'kernel-2.6.32-428.el6', 'rhevm-guest-agent-common-1.0.8-4.el6ev', 'xorg-x11-drv-qxl-0.1.0-7.el6']]
Dummy-2::INFO::2013-11-06 14:45:47,556::OVirtAgentLogic::169::root::Received an external command: lock-screen...
Dummy-2::DEBUG::2013-11-06 14:45:47,557::GuestAgentLinux2::157::root::Executing lock session command: '['/usr/share/ovirt-guest-agent/ovirt-locksession']'
Dummy-2::DEBUG::2013-11-06 14:45:47,605::OVirtAgentLogic::158::root::AgentLogicBase::doListen() - in loop before vio.read
Dummy-2::INFO::2013-11-06 14:45:47,606::OVirtAgentLogic::169::root::Received an external command: lock-screen...

...snip...

Version-Release number of selected component (if applicable):
is21
redhat-guest-agent-common
selinux-policy-targeted

package redhat-guest-agent-common is not installed
selinux-policy-targeted-3.7.19-231.el6.noarch
redhat-release-server-6Server-6.5.0.1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. add guest OS into IPA (ipa-client-install --mkhomedir)
2. add your from IPA on the VM in RHEVM UI
3. try SSO from User Portal

Actual results:
selinux preventing SSO

Expected results:
should work

Additional info:
* with Permissive mode it works
* try with brq-ipa.rhev.lab.eng.brq.redhat.com (ask for info if needed)
Same issue on RHEL6.4, thus removing 6.5 from title and putting IPA there :)
No issue when having RHEL (6.4, 6.5) connected to AD via winbind.
type=AVC msg=audit(1383745541.043:442): avc: denied { create } for pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key

What does # id -Z show if you use permissive mode? Also, is there anything in /var/log/secure?
Which user? root, ovirt-agent, destination user?
I guess a destination user which is supposed to have guest_u:guest_r:guest_t:s0
Changing product as this is not ovirt-guest-agent specific but GDM specific.

type=AVC msg=audit(1384356420.670:31136): avc: denied { create } for pid=3126 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356420.671:31137): avc: denied { entrypoint } for pid=3136 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1384356553.526:31146): avc: denied { create } for pid=3140 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356553.526:31147): avc: denied { entrypoint } for pid=3148 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Created attachment 823511: audit.log

Last try in the log is with permissive mode.
And how about # id -Z and /var/log/secure?
The problem is we have guest_u:guest_r:oddjob_mkhomedir_t instead of guest_u:guest_r:guest_t.

How is mkhomedir configured?
IPA is configured like this:
-%-
ipa-client-install -d -p admin -w $PASSWORD --domain brq-ipa.rhev.lab.eng.brq.redhat.com --server brq-ipa.rhev.lab.eng.brq.redhat.com --realm BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM -N --mkhomedir -U --force
-%-

ipa-client-install configures various settings on the client (kerberos, sssd, ldap, ...) but also runs this command:
-%-
/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
-%-

I don't know what else I could add. Details behind the scenes are out of my knowledge. I can provide access to the machine.

While in enforcing mode:
-%-
# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1384941310.466:27629): avc: denied { create } for pid=2260 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384941310.468:27630): avc: denied { entrypoint } for pid=32513 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=400601 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
-%-

-%-
su - vdcadmin
-sh-4.1$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-%-
guest_u:guest_r:oddjob_mkhomedir_t is happening because you are trying to log in via an X login, probably gdm, as a guest_u user, which is not allowed. The initial version of IPA accidentally set up all users to log in as guest_u, which is not allowed on graphical logins. The fallback is oddjob_mkhomedir_t in older versions of SELinux. Changing the default login of IPA to unconfined_u will solve this problem.
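A small audit.log checker for the pattern described in the comment above, added here as an example for this thread (it is not code from the bug, from ovirt-guest-agent or from the SELinux policy). It parses AVC denial lines like the ones pasted in this bug, splits the SELinux contexts into user/role/type/level, and flags records where a guest_u identity has landed in oddjob_mkhomedir_t, so the IPA default-SELinux-user misconfiguration can be recognised in the log instead of being papered over with audit2allow. The sample lines are the ones from this report; the remediation hint in the finding text is the thread's own conclusion (switch the IPA default SELinux user to unconfined_u), not something the code verifies.

```python
import re

# Sample audit records, copied from the AVC lines quoted in this bug; the third
# (rhev_agentd_t reading sysfs) is unrelated and must not be flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1383745541.043:442): avc: denied { create } for pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356420.671:31137): avc: denied { entrypoint } for pid=3136 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1383745544.164:446): avc: denied { read } for pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

# Real audit.log uses double spaces around "denied"; \s+ accepts both spellings.
AVC_RE = re.compile(r'msg=audit\((?P<msg>[^)]*)\):\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC line into a dict of fields; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['msg'] = m.group('msg')
    fields['perms'] = m.group('perms').split()
    return fields


def split_context(ctx):
    """Split user:role:type:level; the MLS level itself may contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(':', 3)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'level': parts[3] if len(parts) > 3 else '',
    }


def diagnose(fields):
    """Return a finding string if either context shows a guest_u user stuck in
    oddjob_mkhomedir_t (the graphical-login fallback from this bug), else None."""
    if not fields or 'scontext' not in fields or 'tcontext' not in fields:
        return None
    for ctx in (fields['scontext'], fields['tcontext']):
        c = split_context(ctx)
        if c['user'] == 'guest_u' and c['type'] == 'oddjob_mkhomedir_t':
            return ('guest_u user in oddjob_mkhomedir_t during %s by %s: graphical login '
                    'fell back from guest_t; check the IPA default SELinux user mapping '
                    '(this thread resolved it by using unconfined_u)'
                    % (' '.join(fields['perms']), fields.get('comm', '?')))
    return None


def scan(text):
    """Run diagnose() over every line; return [(msg id, comm, finding), ...] for hits."""
    hits = []
    for line in text.splitlines():
        fields = parse_avc(line)
        finding = diagnose(fields)
        if finding:
            hits.append((fields['msg'], fields.get('comm', '?'), finding))
    return hits


if __name__ == '__main__':
    for msg, comm, finding in scan(SAMPLE_AUDIT):
        print('%s %s: %s' % (msg, comm, finding))
```

Run it against a real file with `scan(open('/var/log/audit/audit.log').read())`; a hit means the session was not reaching guest_t (or unconfined_t), and the fix belongs in the identity mapping, not in a local policy module.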
@Daniel: thanks for your comment. We will try to "repair" our IPA and if it will work then we'll close the BZ.
After updating IPA 'Default SELinux user' was changed to 'unconfined_u:s0-s0:c0.c1023' and it made it work.
Thanks for the investigation. Just to close the loop, linking to the right bug where this issue was documented.

*** This bug has been marked as a duplicate of bug 887193 ***