1045399 – avc denial for sssd_be

Bug 1045399 - avc denial for sssd_be

Summary: avc denial for sssd_be

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	5.10
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-20 10:51 UTC by Kaleem
Modified:	2014-01-13 06:22 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-13 06:22:19 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
configuration files (10.00 KB, application/x-tar) 2013-12-20 10:51 UTC, Kaleem	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Kaleem 2013-12-20 10:51:30 UTC

Created attachment 839519 [details]
configuration files

Description of problem:
Following avc denial message seen 

Version-Release number of selected component (if applicable):
[root@rhel510-client ~]# rpm -q sssd
sssd-1.5.1-70.el5
[root@rhel510-client ~]#

How reproducible:
Always

Steps to Reproduce:
1.Install a IPA Master (RHEL-6.5) 
2.Install a IPA Replica (RHEL-6.5) from Master created in step 1
3.Run ipa-client-install on RHEL-5.10 client machine pointing IPA Master.
4.Now modify /etc/sssd/sssd.conf and /etc/krb.conf to point to IPA Replica.
5.Clear sssd cache and restart sssd on RHEL-5.10 client
     rm -rf /var/lib/sss/db/*; service sssd restart

Actual results:
Following avc denial seen.

type=AVC msg=audit(1387535715.734:360): avc:  denied  { write } for  pid=14074 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=389968 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1387535715.734:360): arch=c000003e syscall=21 success=no exit=-13 a0=12fc4ad0 a1=2 a2=3f92007ba0 a3=65726373662f7274 items=0 ppid=14073 pid=14074 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1387535716.004:361): avc:  denied  { write } for  pid=14099 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=389968 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1387535716.004:361): arch=c000003e syscall=21 success=no exit=-13 a0=72d8ca0 a1=2 a2=3f92007ba0 a3=65726373662f7274 items=0 ppid=14098 pid=14099 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)

Expected results:
No avc denial should be there.

Additional info:
1. sssd.conf and krb5.conf has been attached for reference.

Comment 1 Jakub Hrozek 2014-01-08 13:21:05 UTC

The context of krb5.conf seems incorrect, on my RHEL5 machine it's "system_u:object_r:krb5_conf_t".

Can you check if the default system context is the same on your system? Run:
# matchpathcon /etc/krb5.conf

Then, can you try resetting the context with:
restorecon -vv /etc/krb5.conf

Comment 2 Kaleem 2014-01-13 06:22:19 UTC

Yes it seems that context of /etc/krb5.conf was changed and now when i restored it back, i do not see the avc.

So closing this a not a bug.

Note You need to log in before you can comment on or make changes to this bug.