Bug 1303874 - AVC seen with su login for IPA user
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks: 1333270
Reported: 2016-02-02 10:02 UTC by Kaleem
Modified: 2016-05-31 10:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1333270
Environment:
Last Closed: 2016-05-31 10:06:51 UTC
Target Upstream Version:


Attachments
beaker avc log file (5.49 KB, text/plain)
2016-02-02 10:02 UTC, Kaleem

Description Kaleem 2016-02-02 10:02:56 UTC
Created attachment 1120367 [details]
beaker avc log file

Description of problem:
The following AVCs are seen when an IPA user tries su ( su - testuser1 -c 'touch /tmp/mytestfile.user1' ).

snip from log:
==============
type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
[root@dell-per300-01 ~]# rpm -q ipa-client sssd selinux-policy
ipa-client-4.2.0-15.el7_2.5.x86_64
sssd-1.13.0-40.el7_2.1.x86_64
selinux-policy-3.13.1-60.el7_2.2.noarch
[root@dell-per300-01 ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA server and a NIS server.

2. Migrate all data from NIS server to IPA server.

3. Configure a NIS client with yp* tools to fetch data from IPA Server. 

4. Add a user on the IPA master and try to execute su with that user on the NIS client. No AVC is seen. User deleted.

5. Enroll the NIS client machine of step 3 to the IPA server as an IPA client.

6. The same user of step 4 is added again on the IPA master.

7. Try to execute su with the user of step 6.

Actual results:
The following AVCs are seen (please find the attached

type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Expected results:
NO AVC should be there.

Additional info:

(1) Please find the attached beaker avc log file for reference.

Comment 2 Lukas Vrabec 2016-04-27 08:38:41 UTC
Hi, 

Could you set the SELinux boolean "nis_enabled" on the affected machine?

# semanage boolean -m --on nis_enabled
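
An added example, not part of the bug report or of the selinux-policy package: a small Python parser for the type=AVC records quoted in the description, plus a check that flags the denials comment 2 addresses. The mapping from (target type, object class) to the nis_enabled boolean is an assumption made for this example; it only covers the two targets seen in this report (var_yp_t directories and the portmap TCP port). The sample log is constructed: the two AVC lines from the report, a constructed SYSCALL line, and a constructed unrelated httpd denial that must not be flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log: the two AVC records quoted in the report, plus
# a constructed SYSCALL record and a constructed unrelated AVC (httpd reading a
# file in a home directory) to show that only the NIS-related denials are flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1454404629.071:363): avc:  denied  { search } for  pid=686 comm="systemd-logind" name="yp" dev="dm-0" ino=134323567 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1454404629.072:364): avc:  denied  { name_connect } for  pid=686 comm="systemd-logind" dest=111 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1454404629.072:364): arch=c000003e syscall=42 success=no exit=-13 comm="systemd-logind"
type=AVC msg=audit(1454404700.000:400): avc:  denied  { read } for  pid=1200 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Header of a type=AVC record; everything after "for" is a run of key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str   # "denied" or "granted"
    perms: list   # e.g. ["search"]
    fields: dict  # pid, comm, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc_records(text: str) -> list:
    """Return one Avc per type=AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(Avc(float(m.group("ts")), int(m.group("serial")),
                           m.group("result"), m.group("perms").split(), fields))
    return records


# Assumption (not stated in the report): these (target type, class) pairs are the
# NIS-related accesses that the nis_enabled boolean from comment 2 governs.
NIS_ACCESS = {
    ("var_yp_t", "dir"): "nis_enabled",
    ("portmap_port_t", "tcp_socket"): "nis_enabled",
}


def suggest_booleans(records: list) -> dict:
    """Map each suggested boolean to the serials of the denials it would cover."""
    hints = {}
    for rec in records:
        if rec.result != "denied":
            continue
        boolean = NIS_ACCESS.get((rec.target_type, rec.tclass))
        if boolean:
            hints.setdefault(boolean, []).append(rec.serial)
    return hints


def remediation_commands(hints: dict) -> list:
    """The semanage invocation from comment 2, one per suggested boolean."""
    return [f"semanage boolean -m --on {b}" for b in sorted(hints)]


def describe(rec: Avc) -> str:
    """One-line summary: serial, source domain (comm) -> target type [class] perms."""
    return (f"{rec.serial}: {rec.source_type} ({rec.fields.get('comm', '?')}) "
            f"-> {rec.target_type} [{rec.tclass}] {' '.join(rec.perms)}")


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    for r in recs:
        print(describe(r))
    hints = suggest_booleans(recs)
    for cmd in remediation_commands(hints):
        print("suggested:", cmd, "# covers serials", hints[cmd.split()[-1]])
```

Run against the sample, the script lists all three denials but suggests nis_enabled only for serials 363 and 364; the httpd denial stays unflagged, which is the behaviour you want from any boolean-suggestion tooling: a boolean should be proposed only for the specific target types it actually gates, not for every denial from the same process.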

Comment 4 Lukas Vrabec 2016-05-31 10:06:51 UTC
Thank you.

Closing as NOTABUG.

