Description of problem:
krb5_child fails to retrieve a ticket from the KDC via HTTPS (TCP [KDC proxy]), causing SSSD to not complete authentication.

Version-Release number of selected component (if applicable):
[root@lbclient03 ~]# rpm -qa | grep ipa-client
ipa-client-4.2.0-15.el7_2.19.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure krb5.conf to use a KDC proxy (https)
2. Ensure SELinux is enabled
3. Attempt to authenticate

Actual results:
krb5_child is denied TCP access by SELinux and isn't able to contact the KDC, which prevents SSSD from completing the authentication.

Expected results:
krb5_child should be allowed TCP access to reach the KDC and get a ticket, allowing SSSD to complete authentication.

Additional info:
type=AVC msg=audit(1480082500.050:730): avc: denied { name_connect } for pid=3880 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0

--- log snippets ---
[root@lbclient03 ~]# grep AVC /var/log/audit/audit.log | egrep "sssd|krb5" | less
type=AVC msg=audit(1480081889.294:504): avc: denied { name_connect } for pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1480081889.295:505): avc: denied { name_connect } for pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1480081889.310:506): avc: denied { name_connect } for pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1480082399.544:688): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480082490.434:710): avc: denied { name_connect } for pid=3850 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1480082498.108:720): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480082500.050:730): avc: denied { name_connect } for pid=3880 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
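The report boils down to two practical questions: which exact access was denied (so a stopgap local module can be written for a release that lacks the policy fix), and whether the installed policy already carries an unconditional allow rule or only one gated behind a boolean (the "in-memory boolean settings" case audit2why warns about). The following is an added example, not code from the bug report or from Red Hat; it parses AVC denials into a minimal Type Enforcement (.te) module and classifies setools-3 style `sesearch` output. The audit and sesearch lines inside it are constructed, modelled on the ones quoted above; the module name `sssd_kdcproxy` is an arbitrary choice.

```python
"""Added example (not from the bug report): turn AVC denials into a minimal
SELinux .te module, and classify `sesearch` output as unconditional,
boolean-gated, or missing for a given permission."""
import re

# Constructed sample modelled on the report: two denials for krb5_child plus a
# USER_AVC notice that is not a denial and must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480081889.294:504): avc:  denied  { name_connect } for  pid=3583 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1480082399.544:688): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1480082490.434:710): avc:  denied  { name_connect } for  pid=3850 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

# Constructed sample in the setools-3 output format quoted later in the report.
SAMPLE_SESEARCH = """\
Found 2 semantic av rules:
   allow sssd_t http_port_t : tcp_socket name_connect ; 
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ nis_enabled ]
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    # A security context is user:role:type[:level]; TE rules are written on the type.
    return {
        "comm": fields.get("comm"),
        "dest": fields.get("dest"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
    }


def denials_to_te(audit_text, module_name):
    """Build a .te module allowing exactly what the AVC lines were denied.
    Rules are keyed on (source, target, class) so repeated denials of the
    same access collapse into a single allow line."""
    rules = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ["module %s 1.0;" % module_name, "", "require {"]
    out += ["    type %s;" % t for t in types]
    out += ["    class %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


# Matches "allow S T : C perm ;" with an optional rule-type prefix (e.g. "DT")
# and an optional trailing "[ boolean_expr ]" for conditional rules.
SESEARCH_RE = re.compile(
    r"^\s*(?:[A-Z]+\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;\s*(?:\[\s*(?P<cond>[^\]]*?)\s*\])?"
)


def parse_sesearch(output):
    """Return (source, target, class, perms, boolean_expr_or_None) per allow rule."""
    rules = []
    for line in output.splitlines():
        m = SESEARCH_RE.match(line)
        if m:
            perms = set(m.group("perms").strip("{} ").split())
            rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms, m.group("cond")))
    return rules


def fix_status(sesearch_output, perm):
    """'allowed' if an unconditional rule grants perm, 'conditional' if only a
    boolean-gated rule does, 'missing' if no rule grants it at all."""
    rules = parse_sesearch(sesearch_output)
    if any(perm in perms and cond is None for _, _, _, perms, cond in rules):
        return "allowed"
    if any(perm in perms for _, _, _, perms, cond in rules):
        return "conditional"
    return "missing"


if __name__ == "__main__":
    print(denials_to_te(SAMPLE_AUDIT, "sssd_kdcproxy"))
    print("status:", fix_status(SAMPLE_SESEARCH, "name_connect"))
```

On a host that still lacks the policy fix, the generated .te can be compiled and loaded with the standard toolchain (`checkmodule -M -m -o sssd_kdcproxy.mod sssd_kdcproxy.te`, `semodule_package -o sssd_kdcproxy.pp -m sssd_kdcproxy.mod`, `semodule -i sssd_kdcproxy.pp`); it grants only the single access that was denied, which is the same rule the RHEL 7.3 policy ships, and should be removed once selinux-policy is updated. `fix_status` returning "conditional" means the access depends on a boolean such as `nis_enabled`, so a `setsebool` change that was not made persistent (`-P`) can explain the mismatch audit2why reports.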
I tested on RHEL 7.3 and it should work there.

sh# audit2why < pok.avc
type=AVC msg=audit(1480081889.310:506): avc: denied { name_connect } for pid=3585 comm="krb5_child" dest=443 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

sh# rpm -q selinux-policy
selinux-policy-3.13.1-102.el7_3.4.noarch
Yes, the fix is present in RHEL-7.3:

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-devel-3.13.1-102.el7_3.4.noarch

# sesearch -s sssd_t -t http_port_t -c tcp_socket -p name_connect -A -C
Found 2 semantic av rules:
   allow sssd_t http_port_t : tcp_socket name_connect ;
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ nis_enabled ]
#
Aly, could you please open a customer case to facilitate a back port to RHEL 7.2?
Alexander,

No problem. I will open a ticket.

Thank you very much,
Aly
This should be backported from Fedora.
Alexander,

I have opened a ticket for this issue on behalf of the client to have this back-ported to 7.2. I will email you the case number directly.

Aly