Bug 1649305 - chpasswd gets SELinux denial: Unable to open config database [/var/lib/sss/db/config.ldb]
Status: CLOSED DUPLICATE of bug 1640255
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Blocks: 1654592
Reported: 2018-11-13 11:10 UTC by Katerina Koukiou
Modified: 2018-12-07 13:22 UTC (History)

Clone Of:
: 1654592 (view as bug list)
Last Closed: 2018-12-07 13:22:19 UTC
Type: Bug

Description Katerina Koukiou 2018-11-13 11:10:03 UTC
Description of problem: A recent Fedora 29 with testing repos enabled causes this new SELinux violation:

# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
shadow-utils-4.6-4.fc29.x86_64 (provides chpasswd)
sssd-2.0.0-4.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch
kernel-4.18.17-300.fc29.x86_64


How reproducible: Always


Steps to Reproduce:
1. Create current Fedora 29 with testing repositories enabled and SELinux installed
2. Create a test user
3. Try to change the password of the test user with chpasswd

Actual results:

[root@localhost ~]# journalctl -b | grep type=14

[root@localhost ~]# chpasswd
test:foobar  
(Tue Nov 13 05:52:34:643059 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.
(Tue Nov 13 05:52:34:675252 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.

[root@localhost ~]# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc:  denied  { write } for  pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
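
Added example (not part of the original report and not code from selinux-policy, shadow-utils or SSSD): a small Python triage helper that parses kernel AVC records like the two above and groups them by source type, target type and object class, so repeated denials collapse into one entry. The function names and the SAMPLE constant are assumptions made for this illustration; the sample lines are copied from this report.

```python
import re
from collections import defaultdict

# Sample input: the two kernel AVC records quoted in this report.
SAMPLE = """\
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc:  denied  { write } for  pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def selinux_type(context):
    # A context is user:role:type:level. The MLS level may itself contain ':'
    # (here s0-s0:c0.c1023), so split at most three times.
    return context.split(":", 3)[2]


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set(),
                                  "names": set(), "enforced": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comms"].add(rec.get("comm", "?"))
        g["names"].add(rec.get("name", "?"))
        g["enforced"] |= rec.get("permissive") == "0"  # 0 means the access was blocked
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} x{g['count']} "
              f"comm={sorted(g['comms'])} name={sorted(g['names'])} enforced={g['enforced']}")
```

For this report the two records collapse into a single group: passwd_t writing to a file labelled sssd_var_lib_t, blocked in enforcing mode, both times from sss_cache on config.ldb.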

Comment 1 Lukas Slebodnik 2018-12-07 13:22:19 UTC

*** This bug has been marked as a duplicate of bug 1640255 ***

