Bug 1303874 - AVC seen with su login for IPA user
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Priority: high
Severity: medium
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Patrik Kis
Blocks: 1333270
Clones: 1333270
Reported: 2016-02-02 05:02 EST by Kaleem
Modified: 2016-05-31 06:06 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-31 06:06:51 EDT
Type: Bug


Attachments
beaker avc log file (5.49 KB, text/plain), 2016-02-02 05:02 EST, Kaleem
Description Kaleem 2016-02-02 05:02:56 EST
Created attachment 1120367 [details]
beaker avc log file

Description of problem:
The following AVC is seen when an IPA user tries su ( su - testuser1 -c 'touch /tmp/mytestfile.user1' ).

snip from log:
==============
type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
[root@dell-per300-01 ~]# rpm -q ipa-client sssd selinux-policy
ipa-client-4.2.0-15.el7_2.5.x86_64
sssd-1.13.0-40.el7_2.1.x86_64
selinux-policy-3.13.1-60.el7_2.2.noarch
[root@dell-per300-01 ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA server and a NIS server.

2. Migrate all data from NIS server to IPA server.

3. Configure a NIS client with yp* tools to fetch data from IPA Server. 

4. Add a user on the IPA master and try to execute su with that user on the NIS client. No AVC is seen. The user is deleted.

5. Enroll the NIS client machine of step 3 to the IPA server as an IPA client.

6. The same user from step 4 is added again on the IPA master.

7. Try to execute su with the user from step 6.

Actual results:
The following AVC is seen (please find the attached

type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Expected results:
NO AVC should be there.

Additional info:

(1) Please find the attached beaker avc log file for reference.
Comment 2 Lukas Vrabec 2016-04-27 04:38:41 EDT
Hi, 

Could you set the SELinux boolean "nis_enabled" on the affected machine?

# semanage boolean -m --on nis_enabled
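As an added triage example (not part of this bug report or of selinux-policy itself), the following Python parses the AVC records quoted in the description and flags which denials correspond to the nis_enabled boolean suggested above; the rule table and the third sample record are assumptions constructed for the example, not taken from the policy.

```python
import re

# Sample input: the two AVC records quoted in this bug, plus one constructed
# record (not from the bug) so that both verdicts below are exercised.
AVC_LINES = [
    'type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir',
    'type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket',
    # Constructed record, assumed for illustration only.
    'type=AVC msg=audit(1454404700.500:371): avc:  denied  { getattr } for  pid=686 comm="systemd-logind" path="/etc/hosts.allow" dev="dm-0" ino=100 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# Denials this bug attributes to the nis_enabled boolean, keyed as
# (source type, target type, object class, permission). This mapping is an
# assumption built from the report, not a dump of the actual policy rules.
NIS_ENABLED_RULES = {
    ("systemd_logind_t", "var_yp_t", "dir", "search"),
    ("systemd_logind_t", "portmap_port_t", "tcp_socket", "name_connect"),
}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return result, permission list and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Values are either quoted strings (comm="...") or bare tokens (scontext=...).
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(fields)
    # A context is user:role:type:level; only the type matters for the rule lookup.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(lines):
    """Classify each denied AVC as covered by nis_enabled or needing investigation."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:  # one AVC can list several permissions
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            verdict = "nis_enabled" if key in NIS_ENABLED_RULES else "investigate"
            out.append((rec["comm"], key, verdict))
    return out
```

Running triage(AVC_LINES) reports the two denials from the bug as covered by nis_enabled and the constructed etc_t record as one to investigate.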
Comment 4 Lukas Vrabec 2016-05-31 06:06:51 EDT
Thank you.

Closing as NOTABUG.
