Bug 1122866 - debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd startup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-24 09:07 UTC by Kaushik Banerjee
Modified: 2014-10-14 08:03 UTC (History)

Fixed In Version: selinux-policy-3.7.19-253.el6
Doc Type: Bug Fix
Doc Text:
Cause: Starting or restarting sssd. Consequence: The sssd daemon cannot write to the krb5 config file. Fix: Add an SELinux rule allowing the sssd daemon to write to the krb5 config file. Result: The sssd daemon can now write to the krb5 config file.
Clone Of:
Environment:
Last Closed: 2014-10-14 08:03:44 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-14 01:27:37 UTC

Description Kaushik Banerjee 2014-07-24 09:07:56 UTC
Description of problem:
debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd restart

Version-Release number of selected component (if applicable):
sssd-1.11.6-4.el6
selinux-policy-3.7.19-245.el6

How reproducible:
Always

Steps to Reproduce:
1. Make sure selinux is in enforcing mode
2. Join client to AD Server using "net join"
3. Configure sssd to use ad provider
4. Start/restart sssd

Actual results:

Domain log shows:

(Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [sssdad2012.com] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_sssdad2012_com]
(Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded.


Expected results:


Additional info:
Setting selinux to permissive doesn't show this message on sssd restart. But I don't see any AVCs being generated.

Comment 2 Nalin Dahyabhai 2014-07-24 12:47:17 UTC
Can you run "semodule -DB" to tweak your system's policy to disable "dontaudit" rules, and see if denials start getting logged?

Comment 3 Kaushik Banerjee 2014-07-24 13:29:41 UTC
Thanks Nalin,

I now see the following avc:
type=AVC msg=audit(1406208380.958:67773): avc:  denied  { write } for  pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

Comment 4 Jakub Hrozek 2014-07-24 13:37:38 UTC
Cool, I didn't know about semodule -DB.

Per comment #3, moving to selinux-policy. We need the sssd_be process to be able to touch the krb5.conf, similar to what we allow on el7.

Comment 5 Miroslav Grepl 2014-07-25 10:02:43 UTC
Yes, we dontaudit this rule:

#============= sssd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow sssd_t krb5_conf_t:file write;
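
As an added illustration (not code from this bug report or from audit2allow), the following Python parser turns the AVC record quoted in comment 3 into the allow rule shown above, which is the same derivation audit2allow performs; the audit line is embedded as a constant taken from the page. Whether sssd_t should actually be granted write on krb5_conf_t is a policy decision, which is what this bug is about.

```python
import re

# The AVC record from comment 3 of this bug, embedded as sample input.
AVC_LINE = (
    'type=AVC msg=audit(1406208380.958:67773): avc:  denied  { write } for  '
    'pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 '
    'scontext=unconfined_u:system_r:sssd_t:s0 '
    'tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file'
)

# Fields of one AVC record: result, permission set, source/target contexts, class.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict of the fields in one AVC audit record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # An SELinux context is user:role:type:level; the type is the third field.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def allow_rule(avc):
    """Render the minimal TE allow rule that would silence this denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {avc["stype"]} {avc["ttype"]}:{avc["tclass"]} {perm_str};'


def denials_for(lines, stype, ttype):
    """Filter audit log lines for denials of one source type on one target type."""
    rules = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["result"] == "denied" and (avc["stype"], avc["ttype"]) == (stype, ttype):
            rules.append(allow_rule(avc))
    return rules
```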

Comment 6 Miroslav Grepl 2014-07-25 10:04:04 UTC
Also we don't allow it in RHEL7/Fedora.


$ sesearch -A -s sssd_t -t krb5_conf_t
Found 2 semantic av rules:
   allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } ; 
   allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;

Comment 7 Jakub Hrozek 2014-07-31 12:55:08 UTC
(In reply to Miroslav Grepl from comment #6)
> Also we don't allow it in RHEl7/Fedora.
> 
> 
> $ sesearch -A -s sssd_t -t krb5_conf_t
> Found 2 semantic av rules:
>    allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open }
> ; 
>    allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;

Yes, we should also allow sssd to "touch" krb5.conf in RHEL-7 and Fedora.

Comment 8 Kaushik Banerjee 2014-08-28 09:39:11 UTC
Any update? Can we get it fixed in RHEL6.6?

Comment 9 Miroslav Grepl 2014-09-01 11:11:01 UTC
commit b71fe9935e0d39152304dbf4104e302ccec46e82
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 28 15:04:22 2014 +0200

    sssd needs to be able to write krb5.conf

Comment 12 errata-xmlrpc 2014-10-14 08:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

