Bug 2057261 - Overcloud deploy on RHEL 9 failing due to selinux issues with "Error: /Stage[main]/Pacemaker::Corosync/User[hacluster]/password: change from [redacted] to [redacted] failed: chpasswd said chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied"
Keywords:
Status: CLOSED DUPLICATE of bug 2054657
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 17.0 (Wallaby)
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: Alpha
Target Release: 17.0
Assignee: Cédric Jeanneret
QA Contact: nlevinki
URL:
Whiteboard:
Depends On: 2054657 2057297
Blocks:
Reported: 2022-02-23 05:28 UTC by Sandeep Yadav
Modified: 2022-05-18 09:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-18 09:25:39 UTC
Target Upstream Version:
Embargoed:


Attachments
Enforcing SELinux logs (13.53 KB, text/plain)
2022-02-23 06:10 UTC, Cédric Jeanneret
Permissive SELinux logs (6.17 KB, text/plain)
2022-02-23 06:13 UTC, Cédric Jeanneret


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-12834 0 None None None 2022-02-23 05:30:27 UTC

Description Sandeep Yadav 2022-02-23 05:28:29 UTC
Description of problem:

We are trying OSP17 on RHEL 9. Overcloud deploy is failing with the error below:

~~~
Error: /Stage[main]/Pacemaker::Corosync/User[hacluster]/password: change from [redacted] to [redacted] failed: chpasswd said chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied
~~~

Version-Release number of selected component (if applicable):

RHOSP17 (on RHEL9)


How reproducible:

Every time


Steps to Reproduce:
1. Deploy overcloud


Actual results:

Overcloud deploy fails with the traceback below:

~~~
2022-02-22 12:08:06 | 2022-02-22 12:08:06.123757 | fa163ea1-d0ad-10e9-a9b1-00000000481b |      FATAL | Wait for puppet host configuration to finish | overcloud-controller-1 | error={"ansible_job_id": "545067784986.20915", "attempts": 3, "changed": true, "cmd": "set -o pipefail; puppet apply  --modulepath=/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules --detailed-exitcodes --summarize --color=false   /var/lib/tripleo-config/puppet_step_config.pp 2>&1 | logger -s -t puppet-user", "delta": "0:00:19.764054", "end": "2022-02-22 17:08:04.970211", "failed_when_result": true, "finished": 1, "msg": "non-zero return code", "rc": 6, "start": "2022-02-22 17:07:45.206157", "stderr": "<13>Feb 22 17:07:45 puppet-user: Warning: /etc/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5
<13>Feb 22 17:08:00 puppet-user:    (file: /etc/puppet/hiera.yaml)
<13>Feb 22 17:08:00 puppet-user: Warning: Undefined variable '::deploy_config_name'; 
<13>Feb 22 17:08:00 puppet-user:    (file & line not available)
<13>Feb 22 17:08:00 puppet-user: Warning: The function 'hiera' is deprecated in favor of using 'lookup'. See https://puppet.com/docs/puppet/7.10/deprecated_language.html
<13>Feb 22 17:08:00 puppet-user:    (file & line not available)
<13>Feb 22 17:08:00 puppet-user: Warning: Unknown variable: '::deployment_type'. (file: /etc/puppet/modules/tripleo/manifests/profile/base/database/mysql/client.pp, line: 89, column: 8)
<13>Feb 22 17:08:01 puppet-user: Warning: Unknown variable: '::deployment_type'. (file: /etc/puppet/modules/tripleo/manifests/packages.pp, line: 39, column: 69)
<13>Feb 22 17:08:01 puppet-user: Notice: Compiled catalog for overcloud-controller-1.localdomain in environment production in 0.76 seconds
<13>Feb 22 17:08:01 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Database::Mysql::Client/File[/etc/my.cnf.d/tripleo.cnf]/ensure: created
<13>Feb 22 17:08:01 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Database::Mysql::Client/Augeas[tripleo-mysql-client-conf]/returns: executed successfully
<13>Feb 22 17:08:02 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[corosync]/enable: enable changed 'false' to 'true'
<13>Feb 22 17:08:02 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[pacemaker]/enable: enable changed 'false' to 'true'
<13>Feb 22 17:08:02 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/File_line[pcsd_bind_addr]/ensure: created
<13>Feb 22 17:08:03 puppet-user: Error: chpasswd said chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied
<13>Feb 22 17:08:03 puppet-user: chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied
<13>Feb 22 17:08:03 puppet-user: Error: /Stage[main]/Pacemaker::Corosync/User[hacluster]/password: change from [redacted] to [redacted] failed: chpasswd said chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied
<13>Feb 22 17:08:03 puppet-user: chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied
<13>Feb 22 17:08:03 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/User[hacluster]/groups: groups changed  to ['haclient']
<13>Feb 22 17:08:03 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[pcsd]: Dependency User[hacluster] has failures: true
<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Service/Service[pcsd]: Skipping because of failed dependencies
<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Corosync/Exec[reauthenticate-across-all-nodes]: Skipping because of failed dependencies
<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Corosync/Exec[auth-successful-across-all-nodes]: Skipping because of failed dependencies
<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Corosync/Exec[wait-for-settle]: Skipping because of failed dependencies
<13>Feb 22 17:08:03 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[overcloud-ca]/File[/etc/pki/ca-trust/source/anchors/overcloud-ca.pem]/ensure: defined content as '{sha256}3278056d50de2428c40e092dac71199c3e30125d7461cb2a66dc3f950bec458d'
<13>Feb 22 17:08:04 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[overcloud-ca]/Exec[trust-ca-overcloud-ca]: Triggered 'refresh' from 1 event
<13>Feb 22 17:08:04 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[undercloud-ca]/File[/etc/pki/ca-trust/source/anchors/undercloud-ca.pem]/ensure: defined content as '{sha256}14aa20c40298965f6b285134654770d74787a7fe568787ee693d0b5a6eefd8c2'
<13>Feb 22 17:08:04 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[undercloud-ca]/Exec[trust-ca-undercloud-ca]: Triggered 'refresh' from 1 event
<13>Feb 22 17:08:04 puppet-user: Notice: Applied catalog in 3.18 seconds
<13>Feb 22 17:08:04 puppet-user: Application:
<13>Feb 22 17:08:04 puppet-user:    Initial environment: production
<13>Feb 22 17:08:04 puppet-user:    Converged environment: production
<13>Feb 22 17:08:04 puppet-user:          Run mode: user
<13>Feb 22 17:08:04 puppet-user: Changes:
<13>Feb 22 17:08:04 puppet-user:             Total: 10
<13>Feb 22 17:08:04 puppet-user: Events:
<13>Feb 22 17:08:04 puppet-user:           Failure: 1
<13>Feb 22 17:08:04 puppet-user:           Success: 10
<13>Feb 22 17:08:04 puppet-user:             Total: 11
<13>Feb 22 17:08:04 puppet-user: Resources:
<13>Feb 22 17:08:04 puppet-user:            Failed: 1
<13>Feb 22 17:08:04 puppet-user:           Changed: 10
<13>Feb 22 17:08:04 puppet-user:       Out of sync: 10
<13>Feb 22 17:08:04 puppet-user:         Restarted: 2
<13>Feb 22 17:08:04 puppet-user:           Skipped: 4
<13>Feb 22 17:08:04 puppet-user:             Total: 27
<13>Feb 22 17:08:04 puppet-user: Time:
<13>Feb 22 17:08:04 puppet-user:        Filebucket: 0.00
<13>Feb 22 17:08:04 puppet-user:          Schedule: 0.00
<13>Feb 22 17:08:04 puppet-user:           Package: 0.00
<13>Feb 22 17:08:04 puppet-user:         File line: 0.00
<13>Feb 22 17:08:04 puppet-user:              File: 0.03
<13>Feb 22 17:08:04 puppet-user:            Augeas: 0.05
<13>Feb 22 17:08:04 puppet-user:              User: 0.15
<13>Feb 22 17:08:04 puppet-user:              Exec: 0.75
<13>Feb 22 17:08:04 puppet-user:    Config retrieval: 0.89
<13>Feb 22 17:08:04 puppet-user:           Service: 1.10
<13>Feb 22 17:08:04 puppet-user:          Last run: 1645549684
<13>Feb 22 17:08:04 puppet-user:    Transaction evaluation: 3.17
<13>Feb 22 17:08:04 puppet-user:    Catalog application: 3.18
<13>Feb 22 17:08:04 puppet-user:             Total: 3.18
<13>Feb 22 17:08:04 puppet-user: Version:
<13>Feb 22 17:08:04 puppet-user:            Config: 1645549680
<13>Feb 22 17:08:04 puppet-user:            Puppet: 7.10.0", "stderr_lines": ["<13>Feb 22 17:07:45 puppet-user: Warning: /etc/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5", "<13>Feb 22 17:08:00 puppet-user:    (file: /etc/puppet/hiera.yaml)", "<13>Feb 22 17:08:00 puppet-user: Warning: Undefined variable '::deploy_config_name'; ", "<13>Feb 22 17:08:00 puppet-user:    (file & line not available)", "<13>Feb 22 17:08:00 puppet-user: Warning: The function 'hiera' is deprecated in favor of using 'lookup'. See https://puppet.com/docs/puppet/7.10/deprecated_language.html", "<13>Feb 22 17:08:00 puppet-user:    (file & line not available)", "<13>Feb 22 17:08:00 puppet-user: Warning: Unknown variable: '::deployment_type'. (file: /etc/puppet/modules/tripleo/manifests/profile/base/database/mysql/client.pp, line: 89, column: 8)", "<13>Feb 22 17:08:01 puppet-user: Warning: Unknown variable: '::deployment_type'. (file: /etc/puppet/modules/tripleo/manifests/packages.pp, line: 39, column: 69)", "<13>Feb 22 17:08:01 puppet-user: Notice: Compiled catalog for overcloud-controller-1.localdomain in environment production in 0.76 seconds", "<13>Feb 22 17:08:01 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Database::Mysql::Client/File[/etc/my.cnf.d/tripleo.cnf]/ensure: created", "<13>Feb 22 17:08:01 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Database::Mysql::Client/Augeas[tripleo-mysql-client-conf]/returns: executed successfully", "<13>Feb 22 17:08:02 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[corosync]/enable: enable changed 'false' to 'true'", "<13>Feb 22 17:08:02 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[pacemaker]/enable: enable changed 'false' to 'true'", "<13>Feb 22 17:08:02 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/File_line[pcsd_bind_addr]/ensure: created", "<13>Feb 22 17:08:03 puppet-user: Error: chpasswd said chpasswd: cannot execute 
/usr/sbin/sss_cache: Permission denied", "<13>Feb 22 17:08:03 puppet-user: chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied", "<13>Feb 22 17:08:03 puppet-user: Error: /Stage[main]/Pacemaker::Corosync/User[hacluster]/password: change from [redacted] to [redacted] failed: chpasswd said chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied", "<13>Feb 22 17:08:03 puppet-user: chpasswd: cannot execute /usr/sbin/sss_cache: Permission denied", "<13>Feb 22 17:08:03 puppet-user: Notice: /Stage[main]/Pacemaker::Corosync/User[hacluster]/groups: groups changed  to ['haclient']", "<13>Feb 22 17:08:03 puppet-user: Notice: /Stage[main]/Pacemaker::Service/Service[pcsd]: Dependency User[hacluster] has failures: true", "<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Service/Service[pcsd]: Skipping because of failed dependencies", "<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Corosync/Exec[reauthenticate-across-all-nodes]: Skipping because of failed dependencies", "<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Corosync/Exec[auth-successful-across-all-nodes]: Skipping because of failed dependencies", "<13>Feb 22 17:08:03 puppet-user: Warning: /Stage[main]/Pacemaker::Corosync/Exec[wait-for-settle]: Skipping because of failed dependencies", "<13>Feb 22 17:08:03 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[overcloud-ca]/File[/etc/pki/ca-trust/source/anchors/overcloud-ca.pem]/ensure: defined content as '{sha256}3278056d50de2428c40e092dac71199c3e30125d7461cb2a66dc3f950bec458d'", "<13>Feb 22 17:08:04 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[overcloud-ca]/Exec[trust-ca-overcloud-ca]: Triggered 'refresh' from 1 event", "<13>Feb 22 17:08:04 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[undercloud-ca]/File[/etc/pki/ca-trust/source/anchors/undercloud-ca.pem]/ensure: defined content as 
'{sha256}14aa20c40298965f6b285134654770d74787a7fe568787ee693d0b5a6eefd8c2'", "<13>Feb 22 17:08:04 puppet-user: Notice: /Stage[main]/Tripleo::Trusted_cas/Tripleo::Trusted_ca[undercloud-ca]/Exec[trust-ca-undercloud-ca]: Triggered 'refresh' from 1 event", "<13>Feb 22 17:08:04 puppet-user: Notice: Applied catalog in 3.18 seconds", "<13>Feb 22 17:08:04 puppet-user: Application:", "<13>Feb 22 17:08:04 puppet-user:    Initial environment: production", "<13>Feb 22 17:08:04 puppet-user:    Converged environment: production", "<13>Feb 22 17:08:04 puppet-user:          Run mode: user", "<13>Feb 22 17:08:04 puppet-user: Changes:", "<13>Feb 22 17:08:04 puppet-user:             Total: 10", "<13>Feb 22 17:08:04 puppet-user: Events:", "<13>Feb 22 17:08:04 puppet-user:           Failure: 1", "<13>Feb 22 17:08:04 puppet-user:           Success: 10", "<13>Feb 22 17:08:04 puppet-user:             Total: 11", "<13>Feb 22 17:08:04 puppet-user: Resources:", "<13>Feb 22 17:08:04 puppet-user:            Failed: 1", "<13>Feb 22 17:08:04 puppet-user:           Changed: 10", "<13>Feb 22 17:08:04 puppet-user:       Out of sync: 10", "<13>Feb 22 17:08:04 puppet-user:         Restarted: 2", "<13>Feb 22 17:08:04 puppet-user:           Skipped: 4", "<13>Feb 22 17:08:04 puppet-user:             Total: 27", "<13>Feb 22 17:08:04 puppet-user: Time:", "<13>Feb 22 17:08:04 puppet-user:        Filebucket: 0.00", "<13>Feb 22 17:08:04 puppet-user:          Schedule: 0.00", "<13>Feb 22 17:08:04 puppet-user:           Package: 0.00", "<13>Feb 22 17:08:04 puppet-user:         File line: 0.00", "<13>Feb 22 17:08:04 puppet-user:              File: 0.03", "<13>Feb 22 17:08:04 puppet-user:            Augeas: 0.05", "<13>Feb 22 17:08:04 puppet-user:              User: 0.15", "<13>Feb 22 17:08:04 puppet-user:              Exec: 0.75", "<13>Feb 22 17:08:04 puppet-user:    Config retrieval: 0.89", "<13>Feb 22 17:08:04 puppet-user:           Service: 1.10", "<13>Feb 22 17:08:04 puppet-user:          Last run: 
1645549684", "<13>Feb 22 17:08:04 puppet-user:    Transaction evaluation: 3.17", "<13>Feb 22 17:08:04 puppet-user:    Catalog application: 3.18", "<13>Feb 22 17:08:04 puppet-user:             Total: 3.18", "<13>Feb 22 17:08:04 puppet-user: Version:", "<13>Feb 22 17:08:04 puppet-user:            Config: 1645549680", "<13>Feb 22 17:08:04 puppet-user:            Puppet: 7.10.0"], "stdout": "", "stdout_lines": []}
~~~


Expected results:

Deployment should pass


Additional info:

Comment 2 Cédric Jeanneret 2022-02-23 06:10:52 UTC
Created attachment 1862796 [details]
Enforcing SELinux logs

Attached: the SELinux logs that seem to be related to the issue. Those are enforcing - I'll upload the permissive ones right after, since we can't add multiple files at the same time :(

Comment 3 Cédric Jeanneret 2022-02-23 06:13:02 UTC
Created attachment 1862797 [details]
Permissive SELinux logs

And here are the permissive logs. Same deploy, setting permissive in the t-h-t parameters. This means we see a couple of lines with "permissive=0" - those denials happen before the actual deploy kicks in.

The actual lines of interest are:

type=AVC msg=audit(1645545100.900:7516): avc:  denied  { execute } for  pid=20572 comm="chpasswd" name="sss_cache" dev="dm-0" ino=469841 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645545100.900:7516): avc:  denied  { read open } for  pid=20572 comm="chpasswd" path="/usr/sbin/sss_cache" dev="dm-0" ino=469841 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645545100.900:7516): avc:  denied  { execute_no_trans } for  pid=20572 comm="chpasswd" path="/usr/sbin/sss_cache" dev="dm-0" ino=469841 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1

The others are more noise than anything for this issue.

Comment 4 Cédric Jeanneret 2022-02-23 06:18:17 UTC
Adding Julie, since it's related to SELinux (probably more SELinux than puppet-pacemaker, hence changing the component to openstack-selinux for a better assignation).

I'll also check if there are known issues related to those context/exec - some of the "other noises" are actually known already.

Comment 8 Ade Lee 2022-05-03 22:07:15 UTC
FYI, I ran into further issues when trying to test with FIPS enabled.  The deployment succeeds with selinux set to permissive.

In this case, I had:
selinux-policy-34.1.28-1.el9_0.noarch

#============= sssd_t ==============
allow sssd_t unlabeled_t:file { getattr read setattr write };


type=AVC msg=audit(1651257421.428:139): avc:  denied  { unlink } for  pid=1090 comm="ldconfig" name="aux-cache" dev="dm-2" ino=1061755 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651257423.533:171): avc:  denied  { search } for  pid=1318 comm="modprobe" name="events" dev="tracefs" ino=57 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651257423.533:171): avc:  denied  { search } for  pid=1318 comm="modprobe" name="events" dev="tracefs" ino=57 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651258249.544:7140): avc:  denied  { setattr } for  pid=19678 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.545:7141): avc:  denied  { getattr } for  pid=19678 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.545:7142): avc:  denied  { read write } for  pid=19678 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.617:7143): avc:  denied  { setattr } for  pid=19680 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.617:7144): avc:  denied  { getattr } for  pid=19680 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.617:7145): avc:  denied  { read write } for  pid=19680 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.081:7252): avc:  denied  { setattr } for  pid=34256 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.081:7253): avc:  denied  { getattr } for  pid=34256 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.081:7254): avc:  denied  { read write } for  pid=34256 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.159:7255): avc:  denied  { setattr } for  pid=34258 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.159:7256): avc:  denied  { getattr } for  pid=34258 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.159:7257): avc:  denied  { read write } for  pid=34258 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.261:7259): avc:  denied  { setattr } for  pid=34263 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.261:7260): avc:  denied  { getattr } for  pid=34263 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.261:7261): avc:  denied  { read write } for  pid=34263 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.344:7262): avc:  denied  { setattr } for  pid=34266 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.345:7263): avc:  denied  { getattr } for  pid=34266 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258369.345:7264): avc:  denied  { read write } for  pid=34266 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
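
Added example (not part of the original bug comments, and not code from openstack-selinux): a Python triage script that parses the AVC denials quoted in comments 3 and 8, groups them by source type, target type and class, and prints each group in the `allow` form seen in comment 8, marking whether any denial in the group was actually enforced (permissive=0). The function names are this example's own; the sample input is copied from this page with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample input: denials copied from comments 3 and 8 of this bug (wrapped lines rejoined).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1645545100.900:7516): avc:  denied  { execute } for  pid=20572 comm="chpasswd" name="sss_cache" dev="dm-0" ino=469841 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645545100.900:7516): avc:  denied  { read open } for  pid=20572 comm="chpasswd" path="/usr/sbin/sss_cache" dev="dm-0" ino=469841 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1645545100.900:7516): avc:  denied  { execute_no_trans } for  pid=20572 comm="chpasswd" path="/usr/sbin/sss_cache" dev="dm-0" ino=469841 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651257421.428:139): avc:  denied  { unlink } for  pid=1090 comm="ldconfig" name="aux-cache" dev="dm-2" ino=1061755 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651257423.533:171): avc:  denied  { search } for  pid=1318 comm="modprobe" name="events" dev="tracefs" ino=57 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1651258249.544:7140): avc:  denied  { setattr } for  pid=19678 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.545:7141): avc:  denied  { getattr } for  pid=19678 comm="sss_cache" path="/var/lib/sss/db/config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651258249.545:7142): avc:  denied  { read write } for  pid=19678 comm="sss_cache" name="config.ldb" dev="dm-2" ino=672 scontext=unconfined_u:unconfined_r:sssd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field (third component) of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a complete AVC denial."""
    m = AVC_RE.search(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    source = context_type(fields.get("scontext", ""))
    target = context_type(fields.get("tcontext", ""))
    if not (source and target and "tclass" in fields):
        return None  # truncated record: do not guess the missing part
    return {"perms": m.group("perms").split(), "comm": fields.get("comm"),
            "source": source, "target": target, "tclass": fields["tclass"],
            "enforced": fields.get("permissive") == "0"}


def summarize(log_text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is None:
            continue
        group = groups[(denial["source"], denial["target"], denial["tclass"])]
        group["perms"].update(denial["perms"])
        group["comms"].add(denial["comm"])
        group["enforced"] |= denial["enforced"]
    return dict(groups)


def as_rule(key, perms):
    """Render one group in the allow-rule form used in comment 8."""
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def report(log_text):
    """One line per group: the rule, the commands involved and the enforcement state."""
    lines = []
    for key, group in sorted(summarize(log_text).items()):
        state = "enforced" if group["enforced"] else "permissive only"
        note = f"  # comm={','.join(sorted(group['comms']))}; {state}"
        if key[1] == "unlabeled_t":
            # unlabeled_t means the file carries no valid label: check labeling first.
            note += "; target is unlabeled"
        lines.append(as_rule(key, group["perms"]) + note)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```

The output is a triage summary rather than a policy module to load: it shows which domain was denied what, and whether the denial blocked anything or was only logged under permissive mode.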

Comment 9 Yaniv Kaul 2022-05-11 12:49:53 UTC
Does it work on RHEL 8? I assume it does, but want to ensure it's RHEL 9 specific issue.

Comment 13 Sandeep Yadav 2022-05-18 09:25:39 UTC
Closing as a duplicate of [1]; issue solved after the latest selinux package.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=2054657

*** This bug has been marked as a duplicate of bug 2054657 ***

