RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1654592 - chpasswd gets SELinux denial: Unable to open config database [/var/lib/sss/db/config.ldb]
Summary: chpasswd gets SELinux denial: Unable to open config database [/var/lib/sss/db...
Keywords:
Status: CLOSED DUPLICATE of bug 1651531
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.0
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1640255 1649305
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-29 07:57 UTC by Martin Pitt
Modified: 2018-12-07 18:20 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1649305
Environment:
Last Closed: 2018-12-05 10:43:36 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Martin Pitt 2018-11-29 07:57:59 UTC 
+++ This bug was initially created as a clone of Bug #1649305 +++

Description of problem: A recent Fedora 29 with testing repos enabled causes this new SELinux violation:

# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
shadow-utils-4.6-4.fc29.x86_64 (provides chpasswd)
sssd-2.0.0-4.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch
kernel-4.18.17-300.fc29.x86_64


How reproducible: Always


Steps to Reproduce:
1. Create current Fedora 29 with testing repositories enabled and SELinux installed
2. Create a test user
3. Try to change password of test user with chpasswd

Actual results:

[root@localhost ~]# journalctl -b | grep type=14

[root@localhost ~]# chpasswd
test:foobar  
(Tue Nov 13 05:52:34:643059 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.
(Tue Nov 13 05:52:34:675252 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.

[root@localhost ~]# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc:  denied  { write } for  pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Comment 1 Martin Pitt 2018-11-29 07:59:06 UTC 
Cloning bug, as this now slipped into the most recent RHEL 8 nightlies.

selinux-policy-3.14.1-47.el8.noarch
Comment 2 Milos Malik 2018-11-29 21:25:58 UTC 
I believe this bug is a duplicate of BZ#1651531.
Comment 3 Lukas Vrabec 2018-12-05 10:43:36 UTC 

*** This bug has been marked as a duplicate of bug 1651531 ***
Note You need to log in before you can comment on or make changes to this bug.