Bug 1045399 - avc denial for sssd_be
Summary: avc denial for sssd_be
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
 
Reported: 2013-12-20 10:51 UTC by Kaleem
Modified: 2014-01-13 06:22 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-01-13 06:22:19 UTC


Attachments
configuration files (10.00 KB, application/x-tar)
2013-12-20 10:51 UTC, Kaleem

Description Kaleem 2013-12-20 10:51:30 UTC
Created attachment 839519
configuration files

Description of problem:
The following AVC denial message is seen.

Version-Release number of selected component (if applicable):
[root@rhel510-client ~]# rpm -q sssd
sssd-1.5.1-70.el5
[root@rhel510-client ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install an IPA Master (RHEL-6.5)
2. Install an IPA Replica (RHEL-6.5) from the Master created in step 1
3. Run ipa-client-install on the RHEL-5.10 client machine, pointing to the IPA Master.
4. Now modify /etc/sssd/sssd.conf and /etc/krb.conf to point to the IPA Replica.
5. Clear the sssd cache and restart sssd on the RHEL-5.10 client
     rm -rf /var/lib/sss/db/*; service sssd restart

Actual results:
The following AVC denial is seen.

type=AVC msg=audit(1387535715.734:360): avc:  denied  { write } for  pid=14074 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=389968 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1387535715.734:360): arch=c000003e syscall=21 success=no exit=-13 a0=12fc4ad0 a1=2 a2=3f92007ba0 a3=65726373662f7274 items=0 ppid=14073 pid=14074 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1387535716.004:361): avc:  denied  { write } for  pid=14099 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=389968 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1387535716.004:361): arch=c000003e syscall=21 success=no exit=-13 a0=72d8ca0 a1=2 a2=3f92007ba0 a3=65726373662f7274 items=0 ppid=14098 pid=14099 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)

Expected results:
No avc denial should be there.

Additional info:
1. sssd.conf and krb5.conf have been attached for reference.

Comment 1 Jakub Hrozek 2014-01-08 13:21:05 UTC
The context of krb5.conf seems incorrect; on my RHEL5 machine it's "system_u:object_r:krb5_conf_t".

Can you check if the default system context is the same on your system? Run:
# matchpathcon /etc/krb5.conf

Then, can you try resetting the context with:
restorecon -vv /etc/krb5.conf

Comment 2 Kaleem 2014-01-13 06:22:19 UTC
Yes, it seems that the context of /etc/krb5.conf was changed, and now when I restored it back, I do not see the AVC.

So closing this as not a bug.
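
A small triage script for denials like the ones in this report, added here as an illustration (it is not part of the bug report or of sssd): it parses AVC records and flags a target whose SELinux type differs from the expected one, which is the diagnosis reached in Comment 1. The `EXPECTED_TYPE` table, the function names and the `SAMPLE` list are assumptions made for the example.

```python
import re

# Constructed expectation table: file name -> SELinux type the policy should assign.
# krb5_conf_t is the type Comment 1 reports for krb5.conf on RHEL 5; on a live
# system the authoritative answer comes from `matchpathcon <path>`.
EXPECTED_TYPE = {"krb5.conf": "krb5_conf_t"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def triage(lines):
    """Group denials and flag the ones whose target carries an unexpected label."""
    findings = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["comm"], rec["name"], rec["target_type"], tuple(rec["perms"]))
        f = findings.setdefault(key, {"count": 0, "verdict": "review policy"})
        f["count"] += 1
        expected = EXPECTED_TYPE.get(rec["name"])
        if expected and expected != rec["target_type"]:
            f["verdict"] = "mislabeled: expected %s, run restorecon" % expected
    return findings


# Sample input: the two AVC records quoted in this report, SYSCALL lines omitted.
SAMPLE = [
    'type=AVC msg=audit(1387535715.734:360): avc:  denied  { write } for  pid=14074 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=389968 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1387535716.004:361): avc:  denied  { write } for  pid=14099 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=389968 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file',
]
```

The `name=` field of an AVC record holds only the last path component, so the lookup table is keyed by file name; a denial with no entry in the table is left as "review policy" rather than being treated as a labeling problem.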

