Summary: SELinux is preventing krb5_child (sssd_t) "search" to ./home (home_root_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by krb5_child. It is not expected that this access is required by krb5_child and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./home:

    restorecon -v './home'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                root:system_r:sssd_t
Target Context                system_u:object_r:home_root_t
Target Objects                ./home [ dir ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          jetfire.lab.eng.pnq.redhat.com
Source RPM Packages           sssd-1.5.1-36.el5
Target RPM Packages           filesystem-2.4.0-3.el5
Policy RPM                    selinux-policy-2.4.6-311.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     jetfire.lab.eng.pnq.redhat.com
Platform                      Linux jetfire.lab.eng.pnq.redhat.com 2.6.18-267.el5 #1 SMP Wed Jun 8 15:17:49 EDT 2011 x86_64 x86_64
Alert Count                   143
First Seen                    Wed May 18 16:16:45 2011
Last Seen                     Tue Jun 14 13:45:15 2011
Local ID                      511aee74-a4f7-4c02-ac6b-aaa14df172d0
Line Numbers

Raw Audit Messages

host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308039315.847:43): avc: denied { search } for pid=2626 comm="krb5_child" name="home" dev=dm-0 ino=323841 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308039315.847:43): arch=c000003e syscall=21 success=yes exit=0 a0=1b183f50 a1=0 a2=1b185ff0 a3=0 items=0 ppid=2551 pid=2626 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)

How reproducible:
Always

Steps to Reproduce:

1. domain section of sssd.conf

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = default
    debug_level = 9

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    debug_level = 9

    [pam]
    reconnection_retries = 3
    debug_level = 9

    [domain/default]
    debug_level = 9
    id_provider = ldap
    ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
    ldap_search_base = dc=example,dc=com
    auth_provider = krb5
    access_provider = krb5
    krb5_server = cobra.lab.eng.pnq.redhat.com
    krb5_realm = EXAMPLE.COM

2. add user puser1 (home dir set to /home/puser1) to ldap and kerberos
3. > /home/puser1/.k5login (empty file should deny access for puser1)
4. restorecon /home/puser1/.k5login
5. login as puser1

    # ssh -l puser1 localhost
    puser1@localhost's password:
    Last login: Tue Jun 14 12:02:05 2011 from localhost.localdomain
    -sh-3.2$

Actual results:
Login does not fail. SELinux alert appears as shown above.

Expected results:
SELinux alert should not appear and puser1 should not be able to login.

Additional Info:
puser1 is unable to login after setting selinux to permissive mode.
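The AVC and SYSCALL records in the report carry everything needed to answer the two questions a practitioner asks first: was the denial actually enforced, and what raw rule would audit2allow derive from it. The Python below is an added example, not part of this bug report, of sssd or of the SELinux tooling; it parses the two records exactly as they appear above (copied verbatim, no other input assumed), correlates them by the shared msg=audit(...) event id, reads success=yes on the SYSCALL record as the permissive-mode signature, and emits the type-enforcement rule that the source type (sssd_t), target type (home_root_t), object class (dir) and permission (search) imply.

```python
import re

# Both records are copied verbatim from the "Raw Audit Messages" in this report.
AVC_LINE = (
    'host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308039315.847:43): '
    'avc: denied { search } for pid=2626 comm="krb5_child" name="home" dev=dm-0 '
    'ino=323841 scontext=root:system_r:sssd_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir'
)
SYSCALL_LINE = (
    'host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308039315.847:43): '
    'arch=c000003e syscall=21 success=yes exit=0 a0=1b183f50 a1=0 a2=1b185ff0 a3=0 '
    'items=0 ppid=2551 pid=2626 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 '
    'fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" '
    'exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)'
)

# "avc: denied { perm perm ... } for key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="krb5_child")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv_fields(text):
    """key=value pairs of an audit record, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def split_context(ctx):
    """'user:role:type[:mls]' -> dict. The MLS field is absent on non-MLS policies."""
    user, role, type_, *mls = ctx.split(':')
    return {'user': user, 'role': role, 'type': type_, 'mls': ':'.join(mls) or None}


def parse_avc(line):
    """Structured view of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    f = kv_fields(m.group('fields'))
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'pid': int(f['pid']) if 'pid' in f else None,
        'tclass': f['tclass'],
        'scontext': split_context(f['scontext']),
        'tcontext': split_context(f['tcontext']),
    }


def event_id(line):
    """'timestamp:serial' from msg=audit(...); every record of one event shares it."""
    m = re.search(r'msg=audit\(([^)]+)\)', line)
    return m.group(1) if m else None


def effective_mode(avc_line, syscall_line):
    """'permissive' when a denied AVC's own syscall still reports success=yes."""
    if event_id(avc_line) != event_id(syscall_line):
        raise ValueError('AVC and SYSCALL records belong to different events')
    avc = parse_avc(avc_line)
    sc = kv_fields(syscall_line)
    if avc['verdict'] == 'denied' and sc.get('success') == 'yes':
        return 'permissive'
    return 'enforcing'


def allow_rule(avc):
    """The raw TE rule audit2allow would derive from this AVC."""
    return 'allow %s %s:%s { %s };' % (
        avc['scontext']['type'], avc['tcontext']['type'],
        avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print(rec['comm'], rec['scontext']['type'], '->',
          rec['tcontext']['type'], rec['tclass'], rec['perms'])
    print('mode:', effective_mode(AVC_LINE, SYSCALL_LINE))
    print(allow_rule(rec))
```

Two things the parsed output makes explicit: success=yes on a denied AVC confirms the "permissive mode" note in the alert, which is why the login went through even though the policy had no rule for it, and the derived rule `allow sssd_t home_root_t:dir { search };` is only the search on /home itself; the record says nothing about whether reading the .k5login inside the user's home would also have been denied, so a local module built from this one AVC alone may still leave krb5_child unable to evaluate the file under enforcing mode. The policy errata referenced below fixed this in the shipped policy instead of a local module.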
We have this in RHEL6.
Fixed in selinux-policy-2.4.6-312.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html