Bug 1027302 - [gdm] login of IPA user via GDM does not work because of SELinux denial
Status: CLOSED DUPLICATE of bug 887193
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Priority: high, Severity: urgent
Assigned To: Martin Kosek
QA Contact: Namita Soman

Reported: 2013-11-06 09:01 EST by Jiri Belka
Modified: 2013-11-20 10:09 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-11-20 09:57:45 EST
Type: Bug

Attachments:
audit.log (21.65 KB, application/x-gzip), 2013-11-13 10:59 EST, Jiri Belka

Description Jiri Belka 2013-11-06 09:01:37 EST
Description of problem:
SSO on RHEL6.5 not working because of SELinux

# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1383745541.043:442): avc:  denied  { create } for  pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1383745544.164:446): avc:  denied  { read } for  pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1383745544.164:446): avc:  denied  { open } for  pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

# sealert -a /var/log/audit/audit.log 
100% donefound 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/gdm-session-worker from create access on the key .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that gdm-session-worker should be allowed create access on the  key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python from read access on the file online.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed read access on the online file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ovirt-guest-age /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

...snip...
Dummy-2::INFO::2013-11-06 14:45:39,075::OVirtAgentLogic::169::root::Received an external command: login...
Dummy-2::DEBUG::2013-11-06 14:45:39,075::OVirtAgentLogic::201::root::User log-in (credentials = '\x00\x00\x00,vdcadmin@brq-ipa.rhev.lab.eng.brq.redhat.com********\x00')
Dummy-2::INFO::2013-11-06 14:45:39,076::CredServer::207::root::The following users are allowed to connect: [0]
Dummy-2::DEBUG::2013-11-06 14:45:39,076::CredServer::272::root::Token: 776124
Dummy-2::INFO::2013-11-06 14:45:39,076::CredServer::273::root::Opening credentials channel...
Dummy-2::INFO::2013-11-06 14:45:39,078::CredServer::132::root::Emitting user authenticated signal (776124).
CredChannel::DEBUG::2013-11-06 14:45:39,198::CredServer::166::root::Receiving user's credential ret = 2 errno = 0
CredChannel::DEBUG::2013-11-06 14:45:39,198::CredServer::177::root::cmsgp: len=28 level=1 type=2
CredChannel::INFO::2013-11-06 14:45:39,198::CredServer::225::root::Incomming connection from user: 0 process: 13105
CredChannel::INFO::2013-11-06 14:45:39,198::CredServer::232::root::Sending user's credential (token: 776124)
Dummy-2::INFO::2013-11-06 14:45:39,199::CredServer::277::root::Credentials channel was closed.
Dummy-2::DEBUG::2013-11-06 14:45:39,199::OVirtAgentLogic::158::root::AgentLogicBase::doListen() - in loop before vio.read
Dummy-1::DEBUG::2013-11-06 14:45:44,165::OVirtAgentLogic::225::root::AgentLogicBase::sendUserInfo - cur_user = 'root'
Dummy-1::DEBUG::2013-11-06 14:45:44,213::GuestAgentLinux2::81::root::PkgMgr: list_pkgs returns [['kernel-2.6.32-430.el6', 'kernel-2.6.32-428.el6', 'rhevm-guest-agent-common-1.0.8-4.el6ev', 'xorg-x11-drv-qxl-0.1.0-7.el6']]
Dummy-2::INFO::2013-11-06 14:45:47,556::OVirtAgentLogic::169::root::Received an external command: lock-screen...
Dummy-2::DEBUG::2013-11-06 14:45:47,557::GuestAgentLinux2::157::root::Executing lock session command: '['/usr/share/ovirt-guest-agent/ovirt-locksession']'
Dummy-2::DEBUG::2013-11-06 14:45:47,605::OVirtAgentLogic::158::root::AgentLogicBase::doListen() - in loop before vio.read
Dummy-2::INFO::2013-11-06 14:45:47,606::OVirtAgentLogic::169::root::Received an external command: lock-screen...
...snip...


Version-Release number of selected component (if applicable):
is21
redhat-guest-agent-common selinux-policy-targeted
package redhat-guest-agent-common is not installed
selinux-policy-targeted-3.7.19-231.el6.noarch
redhat-release-server-6Server-6.5.0.1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. add guest OS into IPA (ipa-client-install --mkhomedir)
2. add your from IPA on the VM in RHEVM UI
3. try SSO from User Portal

Actual results:
SELinux preventing SSO

Expected results:
should work

Additional info:
* with Permissive mode it works
* try with brq-ipa.rhev.lab.eng.brq.redhat.com (ask for info if needed)
Comment 1 Jiri Belka 2013-11-06 10:40:31 EST
Same issue on RHEL6.4, thus removing 6.5 from title and putting IPA there :)
Comment 2 Jiri Belka 2013-11-06 11:07:50 EST
No issue when having RHEL (6.4, 6.5) connected to AD via winbind.
Comment 4 Miroslav Grepl 2013-11-13 07:39:23 EST
type=AVC msg=audit(1383745541.043:442): avc:  denied  { create } for  pid=13105 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key

What does

# id -Z

show if you use permissive mode? Also, is there anything in /var/log/secure?
Comment 5 Jiri Belka 2013-11-13 07:40:11 EST
Which user? root, ovirt-agent, destination user?
Comment 6 Miroslav Grepl 2013-11-13 07:42:43 EST
I guess a destination user which is supposed to have guest_u:guest_r:guest_t:s0
Comment 7 Jiri Belka 2013-11-13 10:31:06 EST
Changing product as this is not ovirt-guest-agent specific but GDM specific.

type=AVC msg=audit(1384356420.670:31136): avc:  denied  { create } for  pid=3126 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356420.671:31137): avc:  denied  { entrypoint } for  pid=3136 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1384356553.526:31146): avc:  denied  { create } for  pid=3140 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356553.526:31147): avc:  denied  { entrypoint } for  pid=3148 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Comment 8 Jiri Belka 2013-11-13 10:59:23 EST
Created attachment 823511 [details]
audit.log

last try in the log is with permissive mode
Comment 9 Miroslav Grepl 2013-11-13 11:43:26 EST
And how about

# id -Z

and /var/log/secure?
Comment 10 Miroslav Grepl 2013-11-13 11:45:40 EST
The problem is we have

guest_u:guest_r:oddjob_mkhomedir_t

instead of

guest_u:guest_r:guest_t

How is mkhomedir configured?
Comment 11 Jiri Belka 2013-11-20 05:20:20 EST
IPA is configured like this:

-%-
ipa-client-install -d -p admin -w $PASSWORD --domain brq-ipa.rhev.lab.eng.brq.redhat.com --server brq-ipa.rhev.lab.eng.brq.redhat.com --realm BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM -N --mkhomedir -U --force
-%-

ipa-client-install configures various settings on the client (kerberos, sssd, ldap,...) but also runs this command:

-%-
/usr/sbin/authconfig --enablesssdauth --enablemkhomedir --update --enablesssd
-%-

I don't know what else I could add. Details behind the scene are out of my knowledge.

I can provide access to the machine.

While enforcing mode:

-%-
# grep denied /var/log/audit/audit.log                                                                                                       
type=AVC msg=audit(1384941310.466:27629): avc:  denied  { create } for  pid=2260 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384941310.468:27630): avc:  denied  { entrypoint } for  pid=32513 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=400601 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
-%-

-%-
su - vdcadmin
-sh-4.1$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-%-
Comment 12 Daniel Walsh 2013-11-20 08:30:47 EST
guest_u:guest_r:oddjob_mkhomedir_t is happening because you are trying to log in via an X login, probably gdm, to a guest_u user, which is not allowed. The initial version of IPA accidentally set up all users to log in as guest_u, which is not allowed on graphical logins. The fallback is oddjob_mkhomedir_t in older versions of SELinux. Changing the default login of IPA to unconfined_u will solve this problem.
Comment 13 Jiri Belka 2013-11-20 09:26:13 EST
@Daniel: thanks for your comment.

We will try to "repair" our IPA and if it works, we'll close the BZ.
Comment 14 Jiri Belka 2013-11-20 09:57:45 EST
After updating IPA 'Default SELinux user' was changed to 'unconfined_u:s0-s0:c0.c1023' and it made it work.
Comment 15 Martin Kosek 2013-11-20 10:09:25 EST
Thanks for the investigation. Just to close the loop, linking to the right bug where this issue was documented.

*** This bug has been marked as a duplicate of bug 887193 ***
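
Added example, not part of the original report or of any Red Hat tooling: a small triage script that separates denials caused by a wrong login-user mapping (the case identified in comments 10 and 12) from ordinary policy denials, so the first kind is not papered over with audit2allow. The three sample records are copied from the report; the `SESSION_DOMAIN` table and the verdict names are assumptions made for this illustration.

```python
import re
from collections import Counter

# Three AVC records copied from the report above (comment 7 and the description).
SAMPLE = """\
type=AVC msg=audit(1384356420.670:31136): avc:  denied  { create } for  pid=3126 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tclass=key
type=AVC msg=audit(1384356420.671:31137): avc:  denied  { entrypoint } for  pid=3136 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=283077 scontext=guest_u:guest_r:oddjob_mkhomedir_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1383745544.164:446): avc:  denied  { read } for  pid=1890 comm="ovirt-guest-age" name="online" dev=sysfs ino=23 scontext=system_u:system_r:rhev_agentd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption: the session domain each login SELinux user is expected to run in.
SESSION_DOMAIN = {"guest_u": "guest_t", "xguest_u": "xguest_t", "user_u": "user_t",
                  "staff_u": "staff_t", "unconfined_u": "unconfined_t"}

def parse_avc(line):
    """Return a dict of the fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec

def mismatched_context(ctx):
    """Return (user, type, expected_type) when a login user's process context
    carries a type other than its session domain, else None."""
    user, role, setype = ctx.split(":")[:3]
    if role == "object_r":          # file/object labels are not session contexts
        return None
    expected = SESSION_DOMAIN.get(user)
    if expected and setype != expected:
        return (user, setype, expected)
    return None

def triage(text):
    """Count denials keyed by (verdict, comm, tclass, perms)."""
    findings = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bad = mismatched_context(rec["scontext"]) or mismatched_context(rec["tcontext"])
        verdict = "login-mapping" if bad else "policy"
        findings[(verdict, rec["comm"], rec["tclass"], " ".join(rec["perms"]))] += 1
    return findings
```

For records flagged `login-mapping`, check the SELinux user assigned to the account (`semanage login -l` on the client, and the 'Default SELinux user' setting in IPA mentioned in comment 14) before generating any local policy module.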
