> type=AVC msg=audit(1594283288.118:2290): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1594283288.118:2291): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
sssd does not execute /usr/bin/net directly.
It might be good to have a type transition for adcli the same way as for sssd selinux manager.
sh# sesearch -T -s sssd_t -c process
type_transition sssd_t abrt_helper_exec_t:process abrt_helper_t;
type_transition sssd_t chkpwd_exec_t:process chkpwd_t;
type_transition sssd_t sssd_selinux_manager_exec_t:process sssd_selinux_manager_t;
type_transition sssd_t updpwd_exec_t:process updpwd_t;
But that would probably require different fcontext for /usr/bin/adcli
sh# matchpathcon /usr/bin/adcli
/usr/bin/adcli system_u:object_r:bin_t:s0
sh# matchpathcon /usr/bin/net
/usr/bin/net system_u:object_r:samba_net_exec_t:s0
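The AVC records and the sesearch output quoted above can be triaged mechanically. The following Python script is an added example, not code from this bug report or from the sssd or selinux-policy projects: it parses AVC records of the form shown, parses type_transition rules from "sesearch -T -s sssd_t -c process" output, groups denials the way audit2allow does, and reports for each execute denial whether a domain transition exists for that (source domain, exec type) pair and whether the target label is a dedicated *_exec_t type at all (a generic label such as bin_t cannot key a transition without a new fcontext, which is the point made about /usr/bin/adcli). The two AVC lines and the four type_transition lines are the ones quoted in this bug; the third AVC record (pid, inode, permissive=1) is invented for contrast, and all function names are the example's own.

```python
"""Triage SELinux AVC 'execute' denials against known domain transitions (added example)."""
import re
from collections import Counter

# Constructed sample input: the two AVC records quoted in this bug, plus one
# invented record (pid/inode made up, permissive=1) to show the contrasting case.
AVC_LINES = [
    'type=AVC msg=audit(1594283288.118:2290): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1594283288.118:2291): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1594283300.000:2300): avc: denied { execute } for pid=31337 comm="sssd_be" name="adcli" dev="vda3" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
]

# Constructed sample input: the type_transition rules quoted from sesearch in this bug.
SESEARCH_LINES = [
    "type_transition sssd_t abrt_helper_exec_t:process abrt_helper_t;",
    "type_transition sssd_t chkpwd_exec_t:process chkpwd_t;",
    "type_transition sssd_t sssd_selinux_manager_exec_t:process sssd_selinux_manager_t;",
    "type_transition sssd_t updpwd_exec_t:process updpwd_t;",
]

# "avc: denied { perm ... } for key=value ..." (auditd may use single or double spaces)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TT_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+);$")


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }


def parse_type_transitions(lines):
    """Map (source_domain, exec_type) -> resulting domain from `sesearch -T ... -c process` output."""
    out = {}
    for line in lines:
        m = TT_RE.match(line.strip())
        if m:
            out[(m.group(1), m.group(2))] = m.group(3)
    return out


def summarize(avcs):
    """Count denials per (source type, target type, class, perms), like audit2allow's grouping."""
    return Counter((a["stype"], a["ttype"], a["tclass"], a["perms"]) for a in avcs)


def triage_execute_denials(avcs, transitions):
    """For each execute denial on a file, report whether a domain transition is defined for
    the (source, exec type) pair, whether the exec type is a dedicated *_exec_t label, and
    whether the denial was actually enforced (permissive=0) in any of the records seen."""
    seen = {}
    for a in avcs:
        if a["tclass"] != "file" or "execute" not in a["perms"]:
            continue
        key = (a["stype"], a["ttype"])
        entry = seen.setdefault(key, {
            "exec_name": a["name"],
            "transition_to": transitions.get(key),
            "dedicated_exec_type": a["ttype"].endswith("_exec_t"),
            "enforced": False,
        })
        entry["enforced"] = entry["enforced"] or a["enforced"]
    return seen


if __name__ == "__main__":
    avcs = [a for a in map(parse_avc, AVC_LINES) if a]
    transitions = parse_type_transitions(SESEARCH_LINES)
    for key, count in summarize(avcs).items():
        print(f"{count}x {key}")
    for (stype, ttype), info in triage_execute_denials(avcs, transitions).items():
        print(f"{stype} -> {ttype} ({info['exec_name']}): transition_to={info['transition_to']} "
              f"dedicated_exec_type={info['dedicated_exec_type']} enforced={info['enforced']}")
```

Run as-is, the script reports sssd_t -> samba_net_exec_t with no transition and enforced=True (the case in this bug), and sssd_t -> bin_t flagged as not a dedicated exec type, which is why a transition for adcli would first need its own file context.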
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4420
Comment 21 Red Hat Bugzilla 2023-09-15 00:34:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Description of problem:
selinux prevents adcli from executing /usr/bin/net command through sssd process.
adcli when called through sssd fails to execute /usr/bin/net command.

<snip>
type=AVC msg=audit(1594283288.118:2290): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
</snip>

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-48.el8.noarch
libselinux-2.9-3.el8.x86_64
selinux-policy-3.14.3-48.el8.noarch
libselinux-utils-2.9-3.el8.x86_64
sssd-2.3.0-4.el8.x86_64

How reproducible:
1. Join to AD using adcli and membership software samba
   $ realm join T2ADPY12R83G.COM --client-software=sssd --server-software=active-directory --membership-software=samba -v
2. Modify sssd.conf to specify ad_update_samba_machine_account_password = True
3. Reset machine password (setpwdLastSet=0)
4. Restart sssd

Actual results:
sssd calls adcli which adds some data by calling /usr/bin/net command, and this fails.

From the sssd domain logs:
 * Trying to set Samba secret.
 ! Cannot run [/usr/bin/net]: [13][Permission denied].
 ! Failed to set Samba computer account password.
 * Trying to set domain SID S-1-5-21-3755728407-3718717906-4106828179 for Samba.
 ! Cannot run [/usr/bin/net]: [13][Permission denied].
 ! Failed to set Samba domain SID.
 * Failed to add Samba specific data, smbd or winbindd might not work as expected.

Expected results:
adcli when called through sssd process should be able to execute /usr/bin/net command.

Additional info:
AVC denial message in audit logs:
type=AVC msg=audit(1594283288.118:2290): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594283288.118:2291): avc: denied { execute } for pid=25919 comm="adcli" name="net" dev="vda3" ino=8524199 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:samba_net_exec_t:s0 tclass=file permissive=0

[root@vm-10-0-110-34 sssd]# ls -lZ /usr/sbin/adcli
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 162504 Jun 15 10:33 /usr/sbin/adcli
[root@vm-10-0-110-34 sssd]# ps -efZ | grep sssd
system_u:system_r:sssd_t:s0 root 25901 1 0 04:27 ? 00:00:00 /usr/sbin/sssd -i --logger=files
system_u:system_r:sssd_t:s0 root 25902 25901 0 04:27 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0 root 25903 25901 0 04:27 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain t2adpy12r83g.com --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0 root 25904 25901 0 04:27 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
system_u:system_r:sssd_t:s0 root 25905 25901 0 04:27 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 26746 26044 0 05:09 pts/0 00:00:00 grep --color=auto sssd
[root@vm-10-0-110-34 sssd]# which net
/usr/bin/net
[root@vm-10-0-110-34 sssd]# ls -lZ /usr/bin/net
-rwxr-xr-x. 1 root root system_u:object_r:samba_net_exec_t:s0 948448 Jul 1 05:24 /usr/bin/net

<sssd.conf>
[sssd]
domains = t2adpy12r83g.com
config_file_version = 2
services = nss, pam

[domain/t2adpy12r83g.com]
ad_domain = t2adpy12r83g.com
krb5_realm = T2ADPY12R83G.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
ad_update_samba_machine_account_password = True
debug_level = 9
</sssd.conf>