Bug 1263251 - Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Čech
QA Contact: Kaushik Banerjee
Reported: 2015-09-15 12:23 UTC by Sudhir Menon
Modified: 2020-05-02 18:10 UTC
Doc Type: Bug Fix
Last Closed: 2015-10-29 09:30:49 UTC
Links
System: Github SSSD sssd issues
ID: 3838
Private: 0
Priority: None
Status: closed
Summary: Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]
Last Updated: 2020-10-01 07:52:19 UTC

Description Sudhir Menon 2015-09-15 12:23:14 UTC
Description of problem: Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]


Version-Release number of selected component (if applicable): 7.2


How reproducible: Always


Steps to Reproduce:
1. Ensure IPA server is installed on RHEL7.2
2. Ensure trust is established with Win2K8 R2.
3. systemctl stop sssd.service
4. In the [sssd] section of the /etc/sssd/sssd.conf file, add the following:
[sssd]
user = sssd
5. systemctl start sssd.service
6. Now try logging in as the AD user from the AD Windows box.

Actual results:

1. Since the sssd service is now running as user 'sssd', the ownership of all the log files below has been changed to sssd.sssd, which is correct behaviour.

[root@ipa01 sssd]# ls -l | grep sssd_nss
-rw-------. 1 sssd sssd  9814824 Sep 15 17:21 sssd_nss.log
[root@ipa01 sssd]# ls -l | grep sssd_pam
-rw-------. 1 sssd sssd  4137528 Sep 15 17:21 sssd_pam.log
[root@ipa01 sssd]# ls -l | grep sssd_ssh
-rw-------. 1 sssd sssd  4204027 Sep 15 17:21 sssd_ssh.log
[root@ipa01 sssd]# ls -l | grep sssd_pac
-rw-------. 1 sssd sssd  4090200 Sep 15 17:21 sssd_pac.log
[root@ipa01 sssd]# ls -l | grep sssd_sudo
-rw-------. 1 sssd sssd  4615010 Sep 15 17:21 sssd_sudo.log

2. The ownership of the keytab file in the /var/lib/sss/keytabs directory also changes to sssd.sssd, which is correct behaviour.

drwx------. 2 sssd sssd   50 Sep 15 17:45 keytabs
[root@ipa01 keytabs]# ls -l
total 8
-rw-------. 1 sssd sssd 177 Sep 15 17:45 test.in.keytab


3. The ownership of the below files remains root.root and doesn't change to sssd:sssd

-rw-------. 1 root root    57108 Sep 15 17:20 krb5_child.log
-rw-------. 1 root root    36022 Sep 15 17:16 ldap_child.log
-rw-------. 1 root root        0 Aug 24 14:59 selinux_child.log

4. The AD user gets logged in successfully, but there is a message displayed on the IPA server console.

[smenon@ipa01 log]$  Message from syslogd@ipa01 at Sep 15 17:47:41 ...
 sssd[be[labs01.test]]:Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]

Expected results: The ownership of the log files should be changed to sssd:sssd when sssd service is running as 'sssd' and root:root vice versa.

Additional info:

Comment 2 Petr Vobornik 2015-09-15 14:14:02 UTC
Doesn't look like something IPA controls, changing component.

Comment 3 Jakub Hrozek 2015-09-21 09:17:53 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2797
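
The ownership mismatch shown in the bug description can be checked for directly. The script below is an added example, not part of the bug report or of SSSD: it reads the `user` option from the `[sssd]` section of sssd.conf and lists log files owned by a different account. The function names are hypothetical, GNU `stat` is assumed, and treating an unset `user` as root is an assumption.

```shell
#!/bin/sh
# Added example (not SSSD code): find SSSD log files whose owner differs from
# the account configured with "user = ..." in the [sssd] section of sssd.conf.

# Print the "user" value from the [sssd] section only.
# Assumption: when the option is absent, the service runs as root.
sssd_configured_user() {
    conf=$1
    awk '
        # Any section header switches the [sssd] flag on or off.
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "user ="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            u = $0
        }
        END { print (u == "" ? "root" : u) }
    ' "$conf"
}

# Print "<owner>:<group> <path>" for every *.log file in the log directory
# that is not owned by the configured user. No output means no mismatch.
sssd_mismatched_logs() {
    conf=$1
    logdir=$2
    expected=$(sssd_configured_user "$conf")
    for f in "$logdir"/*.log; do
        [ -e "$f" ] || continue
        owner=$(stat -c '%U' "$f")
        if [ "$owner" != "$expected" ]; then
            printf '%s:%s %s\n' "$owner" "$(stat -c '%G' "$f")" "$f"
        fi
    done
}

# Stand-alone use with the paths from the bug report:
#   sh check_sssd_logs.sh /etc/sssd/sssd.conf /var/log/sssd
if [ "$#" -eq 2 ]; then
    sssd_mismatched_logs "$1" "$2"
fi
```

On the system in the report, this check would list krb5_child.log, ldap_child.log and selinux_child.log as root:root while `user = sssd` is configured.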

