Bug 1654592 - chpasswd gets SELinux denial: Unable to open config database [/var/lib/sss/db/config.ldb]
Keywords:
Status: CLOSED DUPLICATE of bug 1651531
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1640255 1649305
Blocks:
Reported: 2018-11-29 07:57 UTC by Martin Pitt
Modified: 2018-12-07 18:20 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1649305
Environment:
Last Closed: 2018-12-05 10:43:36 UTC
Type: Bug
Target Upstream Version:



Description Martin Pitt 2018-11-29 07:57:59 UTC
+++ This bug was initially created as a clone of Bug #1649305 +++

Description of problem: A recent Fedora 29 with testing repos enabled causes this new SELinux violation:

# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
shadow-utils-4.6-4.fc29.x86_64 (provides chpasswd)
sssd-2.0.0-4.fc29.x86_64
selinux-policy-3.14.2-42.fc29.noarch
kernel-4.18.17-300.fc29.x86_64


How reproducible: Always


Steps to Reproduce:
1. Create current Fedora 29 with testing repositories enabled and SELinux installed
2. Create a test user
3. Try to change password of test user with chpasswd

Actual results:

[root@localhost ~]# journalctl -b | grep type=14

[root@localhost ~]# chpasswd
test:foobar  
(Tue Nov 13 05:52:34:643059 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.
(Tue Nov 13 05:52:34:675252 2018) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chpasswd: sss_cache exited with status 5
chpasswd: Failed to flush the sssd cache.

[root@localhost ~]# journalctl -b | grep type=14
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc:  denied  { write } for  pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
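
An added example, not part of the original report or of any SELinux or Red Hat tooling: a small Python parser that reduces the AVC lines quoted in the description above to the (source type, target type, class, permission) tuple used when triaging a denial. The function names are hypothetical; the sample input is the two audit lines from the report.

```python
import re
from collections import Counter

# The two kernel audit lines quoted in the bug description.
SAMPLE = '''\
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.631:368): avc:  denied  { write } for  pid=1925 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
Nov 13 05:52:34 localhost.localdomain kernel: audit: type=1400 audit(1542106354.674:369): avc:  denied  { write } for  pid=1927 comm="sss_cache" name="config.ldb" dev="dm-0" ino=8744743 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]. The MLS level may contain ':' itself
    (s0-s0:c0.c1023), so split at most three times; level is None if absent."""
    parts = ctx.split(":", 3)
    parts += [None] * (4 - len(parts))
    return dict(zip(("user", "role", "type", "level"), parts))

def parse_avc(line):
    """Return a dict for an AVC audit line, or None for any other line."""
    m = AVC_RE.search(line)
    fields = dict(KV_RE.findall(m.group("rest"))) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "name": fields.get("name", "").strip('"'),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforcing": fields.get("permissive") == "0",
    }

def summarize(text):
    """Count denials per (source type, target type, class, perms) tuple."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["source"]["type"], rec["target"]["type"], rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Both lines collapse to one tuple: the `passwd_t` domain (where `sss_cache` runs when spawned by `chpasswd`) is denied `write` on a `file` labelled `sssd_var_lib_t`, in enforcing mode.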

Comment 1 Martin Pitt 2018-11-29 07:59:06 UTC
Cloning bug, as this now slipped into the most recent RHEL 8 nightlies.

selinux-policy-3.14.1-47.el8.noarch

Comment 2 Milos Malik 2018-11-29 21:25:58 UTC
I believe this bug is a duplicate of BZ#1651531.

Comment 3 Lukas Vrabec 2018-12-05 10:43:36 UTC

*** This bug has been marked as a duplicate of bug 1651531 ***

