Hide Forgot
Description of problem: debug log has "Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied" on sssd restart Version-Release number of selected component (if applicable): sssd-1.11.6-4.el6 selinux-policy-3.7.19-245.el6 How reproducible: Always Steps to Reproduce: 1. Make sure selinux is in enforcing mode 2. Join client to AD Server using "net join" 3. Configure sssd to use ad provider 4. Start/restart sssd Actual results: Domain log shows: (Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [sssdad2012.com] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_sssdad2012_com] (Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied (Thu Jul 24 04:41:36 2014) [sssd[be[sssdad2012.com]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded. Expected results: Additional info: Setting selinux to permissive doesn't show this message on sssd restart. But I don't any AVCs being generated.
Can you run "semodule -DB" to tweak your system's policy to disable "dontaudit" rules, and see if denials start getting logged?
Thanks Nalin, I now see the following avc: type=AVC msg=audit(1406208380.958:67773): avc: denied { write } for pid=14763 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=6329 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
Cool, I didn't know about semodul -DB. Per comment #3, moving to selinux-policy. We need the sssd_be process to be able to touch the krb5.conf, similar to what we allow on el7.
Yes we dontaudit this rule #============= sssd_t ============== #!!!! This avc has a dontaudit rule in the current policy allow sssd_t krb5_conf_t:file write;
Also we don't allow it in RHEl7/Fedora. $ sesearch -A -s sssd_t -t krb5_conf_t Found 2 semantic av rules: allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } ; allow nsswitch_domain krb5_conf_t : dir { getattr search open } ;
(In reply to Miroslav Grepl from comment #6) > Also we don't allow it in RHEl7/Fedora. > > > $ sesearch -A -s sssd_t -t krb5_conf_t > Found 2 semantic av rules: > allow nsswitch_domain krb5_conf_t : file { ioctl read getattr lock open } > ; > allow nsswitch_domain krb5_conf_t : dir { getattr search open } ; Yes, we should also allow sssd to "touch" krb5.conf in RHEL-7 and Fedora.
Any update? Can we get it fixed in RHEL6.6?
commit b71fe9935e0d39152304dbf4104e302ccec46e82 Author: Miroslav Grepl <mgrepl@redhat.com> Date: Thu Aug 28 15:04:22 2014 +0200 sssd needs to be able write krb5.conf
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html