Bug 1731066 - SELinux is preventing sssd_be and cockpit_ssh from search access to krb5
Status: CLOSED DUPLICATE of bug 1730144
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
Reported: 2019-07-18 09:20 UTC by Matej Marušák
Modified: 2019-07-18 11:30 UTC (History)

Last Closed: 2019-07-18 11:30:10 UTC
Type: Bug

Description Matej Marušák 2019-07-18 09:20:19 UTC
Description of problem:
In the newest rhel-8.1 update of the cockpit testing VM (https://github.com/cockpit-project/cockpit/pull/12348), tests see these unexpected AVCs in logs:

audit: type=1400 audit(1563371925.700:5): avc:  denied  { search } for  pid=1904 comm="sssd_be" name="krb5" dev="dm-0" ino=25486347 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

audit: type=1400 audit(1563372302.428:5): avc:  denied  { search } for  pid=2019 comm="cockpit-ssh" name="krb5" dev="dm-0" ino=25486347 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0


Version-Release number of selected component (if applicable):
$ rpm -q selinux-policy
selinux-policy-3.14.3-11.el8.noarch

Comment 1 Lukas Vrabec 2019-07-18 11:30:10 UTC

*** This bug has been marked as a duplicate of bug 1730144 ***
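
Added example (not part of the original report and not code from selinux-policy or cockpit): a small parser for the two AVC records quoted in the description, grouping denials by target type, class, permission and inode. It shows that both source domains are blocked on the same krb5_keytab_t directory, which is the kind of check used when triaging a report as a duplicate. The function names parse_avc and group_by_target are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two denials quoted in the bug description, copied verbatim.
AVC_LINES = [
    'audit: type=1400 audit(1563371925.700:5): avc:  denied  { search } for  pid=1904 comm="sssd_be" name="krb5" dev="dm-0" ino=25486347 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0',
    'audit: type=1400 audit(1563372302.428:5): avc:  denied  { search } for  pid=2019 comm="cockpit-ssh" name="krb5" dev="dm-0" ino=25486347 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0',
]

# "avc: denied { perm ... } for key=value ..." (values may be quoted)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; type enforcement decides on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    # permissive=0 means the access was actually blocked, not only logged.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def group_by_target(lines):
    """Map (target_type, tclass, perms, dev, ino) to the sorted source domains."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['target_type'], rec.get('tclass'), tuple(rec['perms']),
               rec.get('dev'), rec.get('ino'))
        groups[key].add(rec['source_type'])
    return {key: sorted(domains) for key, domains in groups.items()}


if __name__ == '__main__':
    for key, domains in group_by_target(AVC_LINES).items():
        print(key, '<-', domains)
```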

