Bug 1263339 - SELinux prevents CIM provider from reading /var/lib/sss/mc/initgroups file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
7.2
All Linux
Priority: medium, Severity: medium
: rc
Assigned To: Lukas Vrabec
Milos Malik
Depends On:
Blocks:
Reported: 2015-09-15 11:03 EDT by Patrik Kis
Modified: 2016-11-03 22:22 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.13.1-68.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:22:26 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Patrik Kis 2015-09-15 11:03:27 EDT
Description of problem:
The following AVC denial appeared on test systems:

time->Sat Aug 22 23:09:09 2015
type=SYSCALL msg=audit(1440299349.536:3441): arch=80000015 syscall=5 success=no exit=-13 a0=1001021a470 a1=80000 a2=3fffc7660ecc a3=0 items=0 ppid=9382 pid=9383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1440299349.536:3441): avc:  denied  { read } for  pid=9383 comm="cimprovagt" name="initgroups" dev="dm-0" ino=68663640 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-47.el7
sssd-1.13.0-26.el7
tog-pegasus-2.14.1-2.el7
openlmi-python-base-0.5.0-3.el7

How reproducible:
always

Steps to Reproduce:
1. Join to IPA/AD via realmd and openlmi
Comment 2 Milos Malik 2015-09-16 04:04:17 EDT
Could you collect SELinux denials triggered by these TCs in permissive mode and attach them here?
Comment 3 Patrik Kis 2015-09-16 08:26:09 EDT
(In reply to Milos Malik from comment #2)
> Could you collect SELinux denials triggered by these TCs in permissive mode
> and attach them here?

----
type=SYSCALL msg=audit(09/16/2015 12:24:39.107:399) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f5a00e364a0 a1=O_RDONLY|O_CLOEXEC a2=0x7ffce04e10c4 a3=0x7ffce04e0e00 items=0 ppid=7883 pid=7884 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null) 
type=AVC msg=audit(09/16/2015 12:24:39.107:399) : avc:  denied  { open } for  pid=7884 comm=cimprovagt path=/var/lib/sss/mc/initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(09/16/2015 12:24:39.107:399) : avc:  denied  { read } for  pid=7884 comm=cimprovagt name=initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/16/2015 12:24:39.107:400) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffce04e10d0 a2=0x7ffce04e10d0 a3=0x7ffce04e0e30 items=0 ppid=7883 pid=7884 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cimprovagt exe=/usr/libexec/pegasus/cimprovagt subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null) 
type=AVC msg=audit(09/16/2015 12:24:39.107:400) : avc:  denied  { getattr } for  pid=7884 comm=cimprovagt path=/var/lib/sss/mc/initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
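As an added example (not part of this bug report, and not the selinux-policy fix itself), the script below parses the permissive-mode AVC records from comment 3 and aggregates the denied permissions per source type, target type and object class, which is the raw allow rule audit2allow would derive from them; the sample log is constructed from the lines above, and the regex is this example's own, not a policy-tool API.

```python
import re
from collections import defaultdict

# Constructed sample: the three permissive-mode AVC records from comment 3
# (ausearch -i interpreted format, values copied from the report).
AUDIT_LOG = """\
type=AVC msg=audit(09/16/2015 12:24:39.107:399) : avc:  denied  { open } for  pid=7884 comm=cimprovagt path=/var/lib/sss/mc/initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(09/16/2015 12:24:39.107:399) : avc:  denied  { read } for  pid=7884 comm=cimprovagt name=initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(09/16/2015 12:24:39.107:400) : avc:  denied  { getattr } for  pid=7884 comm=cimprovagt path=/var/lib/sss/mc/initgroups dev="dm-0" ino=67300584 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
"""

# Matches both raw and interpreted (ausearch -i) AVC records; SYSCALL records do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def aggregate_denials(log_text):
    """Group denied permissions by (source type, target type, object class).
    Returns {(stype, ttype, tclass): set(perms)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no AVC fields
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Render each aggregated denial as the TE allow rule audit2allow would
    suggest. This shows what the denials ask for, not the shipped fix: a
    distribution policy normally grants this through an interface macro
    (e.g. one that reads sssd public files) rather than a raw allow rule."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(aggregate_denials(AUDIT_LOG)):
        print(rule)
```

Because comment 3 was collected in permissive mode, all three permissions (open, read, getattr) show up at once; in enforcing mode only the first denial (read) appeared, which is why a permissive capture gives the complete set to check a policy fix against.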
Comment 4 Mike McCune 2016-03-28 18:59:28 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 8 errata-xmlrpc 2016-11-03 22:22:26 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
