Bug 1301686 - SELinux Preventing SSSD Active Directory authentication with krb5_child [NEEDINFO]
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.2
Unspecified Linux
unspecified Severity unspecified
Assigned To: SSSD Maintainers
Steeve Goveas
Depends On:
Blocks:
Reported: 2016-01-25 12:11 EST by Tim Roberts
Modified: 2016-02-16 10:06 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-16 10:06:13 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
lslebodn: needinfo? (timothy_roberts)


Description Tim Roberts 2016-01-25 12:11:47 EST
Description of problem: When using SSSD for Active Directory authentication and SELinux in enforcing mode, SELinux prevents /usr/libexec/sssd/krb5_child from write/read access and disallows Active Directory authentication/logins.

Generating a local policy does work but I feel this shouldn't be necessary when using SSSD & Kerberos.


Version-Release number of selected component (if applicable): sssd-1.13.0-40.el7_2.1.x86_64


How reproducible: Use sssd & realmd to successfully join to an AD domain. Then reboot system and find the above errors taking place.


Additional info:

SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that krb5_child should be allowed write access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          <our internal hostname>
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <our internal hostname>
Platform                      Linux <our internal hostname>
                              3.10.0-327.4.4.el7.x86_64 #1 SMP Thu Dec 17
                              15:51:24 EST 2015 x86_64 x86_64
Alert Count                   9
First Seen                    2016-01-21 16:57:23 EST
Last Seen                     2016-01-21 17:00:09 EST
Local ID                      2b7ad414-3e01-4953-9294-3b87c8a9c60c

Raw Audit Messages
type=AVC msg=audit(1453413609.693:568): avc:  denied  { write } for  pid=3469 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key


type=SYSCALL msg=audit(1453413609.693:568): arch=x86_64 syscall=add_key success=no exit=EACCES a0=7fd43f7d4fdc a1=7ffd3d9dc610 a2=0 a3=0 items=0 ppid=745 pid=3469 auid=4294967295 uid=1548281918 gid=1548200513 euid=1548281918 suid=1548281918 fsuid=1548281918 egid=1548200513 sgid=1548200513 fsgid=1548200513 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,kernel_t,key,write
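The setroubleshoot alert above ends with a "Hash:" line (comm, source type, target type, object class, permission) that it derives from the raw AVC record, and its "Alert Count" is the number of denials sharing that signature. The following Python is an added triage example, not code from the bug report, SSSD or setroubleshoot: it pairs each AVC record with the SYSCALL record carrying the same audit serial, rebuilds the same five-field signature, and groups denials by it so a defender can see which syscall (here add_key against the kernel keyring) is behind each group. The sample input embeds the AVC/SYSCALL pair quoted in the report plus two constructed extra pairs; everything else (function names, the regexes) is this example's own.

```python
"""Triage helper: join SELinux AVC denials with their SYSCALL records and
group them by the same signature setroubleshoot prints as 'Hash:'."""
import re
from collections import defaultdict

# Constructed sample input. The first AVC/SYSCALL pair is the one quoted in
# the bug report; the remaining pairs are invented here (placeholder register
# values) so that grouping has more than one event to work on.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453413609.693:568): avc:  denied  { write } for  pid=3469 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=SYSCALL msg=audit(1453413609.693:568): arch=x86_64 syscall=add_key success=no exit=EACCES a0=7fd43f7d4fdc a1=7ffd3d9dc610 a2=0 a3=0 items=0 ppid=745 pid=3469 auid=4294967295 uid=1548281918 gid=1548200513 euid=1548281918 suid=1548281918 fsuid=1548281918 egid=1548200513 sgid=1548200513 fsgid=1548200513 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1453413700.000:600): avc:  denied  { write } for  pid=3500 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=SYSCALL msg=audit(1453413700.000:600): arch=x86_64 syscall=add_key success=no exit=EACCES a0=0 a1=0 a2=0 a3=0 items=0 ppid=745 pid=3500 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1453413701.000:601): avc:  denied  { read } for  pid=3500 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=SYSCALL msg=audit(1453413701.000:601): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=0 a2=0 a3=0 items=0 ppid=745 pid=3500 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
"""

# AVC record: permissions in braces, the acting comm, and the three context fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# SYSCALL record: shares the serial number with its AVC; tells us which syscall failed.
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'syscall=(?P<syscall>\S+)\s+success=(?P<success>\S+)\s+exit=(?P<exit>\S+)'
)


def selinux_type(context):
    """Return the type (third field) of an SELinux context,
    e.g. 'sssd_t' for 'system_u:system_r:sssd_t:s0'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_audit(text):
    """Pair each AVC record with the SYSCALL record of the same serial.
    Returns one dict per denied permission."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            avcs.append(m.groupdict())
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = m.groupdict()

    events = []
    for avc in avcs:
        sc = syscalls.get(avc["serial"], {})
        # One AVC line may list several permissions ("{ read write }");
        # emit one event per permission so each signature stays single-valued.
        for perm in avc["perms"].split():
            events.append({
                "serial": avc["serial"],
                "comm": avc["comm"],
                "stype": selinux_type(avc["scontext"]),
                "ttype": selinux_type(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perm": perm,
                "syscall": sc.get("syscall", "?"),
                "exit": sc.get("exit", "?"),
            })
    return events


def alert_hash(event):
    """The five-field signature setroubleshoot prints on its 'Hash:' line."""
    return ",".join([event["comm"], event["stype"], event["ttype"],
                     event["tclass"], event["perm"]])


def summarize(text):
    """Group denials by alert hash: count, syscalls seen, audit serials."""
    groups = defaultdict(lambda: {"count": 0, "syscalls": set(), "serials": []})
    for ev in parse_audit(text):
        g = groups[alert_hash(ev)]
        g["count"] += 1
        g["syscalls"].add(ev["syscall"])
        g["serials"].append(ev["serial"])
    return dict(groups)


if __name__ == "__main__":
    for sig, g in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{sig}: {g['count']} denial(s) via {sorted(g['syscalls'])}")
```

Run against a real /var/log/audit/audit.log the same grouping shows at a glance whether every denial in a group comes from one syscall, which is the question to settle before deciding whether a local policy module is the right fix or the denial points at a bug in the confined program.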
Comment 2 Lukas Slebodnik 2016-01-25 13:07:46 EST
(In reply to Tim Roberts from comment #0)
> type=SYSCALL msg=audit(1453413609.693:568): arch=x86_64 syscall=add_key
> success=no exit=EACCES a0=7fd43f7d4fdc a1=7ffd3d9dc610 a2=0 a3=0 items=0
> ppid=745 pid=3469 auid=4294967295 uid=1548281918 gid=1548200513
> euid=1548281918 suid=1548281918 fsuid=1548281918 egid=1548200513
> sgid=1548200513 fsgid=1548200513 tty=(none) ses=4294967295 comm=krb5_child
> exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> 
It seems to be related to kernel keyring (syscall=add_key)

I would like to see a log file from sssd.
Could you:
* put "debug_level = 9" into domain section of sssd.conf
* restart sssd
* reproduce issue
* attach file https://fedorahosted.org/sssd/wiki/Troubleshooting
Comment 3 Jakub Hrozek 2016-02-03 12:32:42 EST
ping; any luck getting those logs?
Comment 4 Jakub Hrozek 2016-02-16 10:06:13 EST
This bug was needinfo'd for a month. I'm going to close it with insufficient data, please reopen if the problem still persists and you can provide the information requested in comment #2.
