This issue happens with https://bodhi.fedoraproject.org/updates/FEDORA-2017-46d55b2108

Dec 04 10:12:36 pessoa audit[3989]: AVC avc: denied { execstack } for pid=3989 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0
Dec 04 10:12:36 pessoa sssd[3982]: /usr/libexec/sssd/sssd_pac: error while loading shared libraries: libaesni-intel-samba4.so: cannot enable executable stack as shared object requires: Permission denied
Dec 04 10:12:39 pessoa dbus-daemon[965]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.31' (uid=0 pid=933 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Dec 04 10:12:40 pessoa dbus-daemon[965]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 04 10:12:43 pessoa setroubleshoot[3991]: SELinux is preventing sssd_pac from using the execstack access on a process. For complete SELinux messages run: sealert -l c7db38d4-80d7-4a9f-890e-3522b2b11231
Dec 04 10:12:43 pessoa python3[3991]: SELinux is preventing sssd_pac from using the execstack access on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sssd_pac should be allowed execstack access on processes labeled sssd_t by default
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sssd_pac' --raw | audit2allow -M my-sssdpac
# semodule -X 300 -i my-sssdpac.pp

Please, let me know if some info is needed.
I would say that it is related to the update 4.7.3-1 "Enable AES acceleration on Intel compatible CPUs by default".

But I do not think we should allow executing something on the stack.

execstack
Make the main process stack executable.

And if we really want that, then there should be a boolean which is disabled by default.

Anyway, moving to samba.
JFYI, sssd_pac just links libndr-krb5pac.so to parse (the already decrypted) NDR encoded PAC. Is libaesni-intel-samba4.so really needed for NDR processing? (The next question would be if the performance improvement really justifies the risks of an executable stack?)
Seems that the issue may actually be on Samba side (https://bugzilla.redhat.com/show_bug.cgi?id=1520163). Andreas is doing a new build and I'll close this bug if his build solves the issue.
Okay, this bug is actually a DUP of 1520163.

*** This bug has been marked as a duplicate of bug 1520163 ***
JFTR: I've tested https://koji.fedoraproject.org/koji/taskinfo?taskID=23542441