Description of problem:

Version-Release number of selected component (if applicable):
sssd-1.7.0-0.20111219T1638Zgitbdd2050.fc15.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Update Fedora 15 with the latest SSSD bits from http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
2. ipa-client-install
3. Observe /var/log/messages

Actual results:
Dec 20 20:13:50 dhcp201-106 setroubleshoot: SELinux is preventing /usr/sbin/sssd from using the sys_admin capability. For complete SELinux messages. run sealert -l 650ca357-5e3a-455b-b028-4d0afaa8e5d0

Expected results:
No SELinux denials and SSSD should be started successfully.

Additional info:
SELinux is preventing /usr/sbin/sssd from using the sys_admin capability.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that sssd should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sssd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
SSSD grew a dependency on the sys_admin capability because it is now using keyctl_join_session_keyring() and keyctl_setperm() to connect to the kernel keyring and store passwords securely while the SSSD is running (such as for deferred kinit operation). We need this new requirement added to SSSD in the selinux policy.
So this is valid for F15+.
(In reply to comment #2)
> So this is valid for F15+.

Yes, please.
Is this the same error? Reads like it, but I didn't get a setroubleshoot entry in /var/log/messages.

# /usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/22/2011 19:00
...snip....
type=AVC msg=audit(1324604821.705:299): avc: denied { sys_admin } for pid=11976 comm="sssd" capability=21 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability
...snip...

Versions in question on my test system were:
sssd-1.8.0-0.20111222T1839Zgitb355dcb.fc16.x86_64
selinux-policy-3.10.0-67.fc16.noarch

And, sssd does appear to be running:

systemctl status sssd.service
sssd.service - LSB: System Security Services Daemon
	  Loaded: loaded (/etc/rc.d/init.d/sssd)
	  Active: active (running) since Thu, 22 Dec 2011 20:47:02 -0500; 27min ago
	  CGroup: name=systemd:/system/sssd.service
		  ├ 11977 /usr/sbin/sssd -f -D
		  ├ 11989 /usr/libexec/sssd/sssd_be --domain testrelm --debu...
		  ├ 11990 /usr/libexec/sssd/sssd_nss --debug-to-files
		  └ 11991 /usr/libexec/sssd/sssd_pam --debug-to-files

Just checking that I am actually seeing the same issue before opening another BZ.

Thanks,
Scott
Please, try it with the latest policy from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=279701
I do believe that fixed what I was seeing at least:

# /usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/03/2012 15:00:00|grep sss
...no output...

However, I should note (just in case) that I had to set NSS_SSL_CBC_RANDOM_IV=0 in /etc/profile first to work this issue: https://bugzilla.redhat.com/show_bug.cgi?id=771357

Thanks,
Scott
# sesearch -A -s sssd_t -t sssd_t -c capability -p sys_admin
Found 1 semantic av rules:
   allow sssd_t sssd_t : capability { chown dac_override dac_read_search kill setgid setuid net_admin sys_admin sys_nice audit_write } ;

which tells us that the capability has been added.
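As an added example (not code from this bug or from the SSSD or selinux-policy projects), here is a small Python checker that parses the AVC record from the ausearch output earlier in the thread and the allow rule from the sesearch output above, then reports which denied permissions the loaded policy still lacks; the regular expressions and function names are my own, and the two sample strings are copied from this thread.

```python
"""Parse SELinux AVC denials from audit.log and check them against sesearch -A output."""
import re
from datetime import datetime, timezone

# Constructed samples: the AVC record and the sesearch rule as pasted in this thread.
AVC_LINE = ('type=AVC msg=audit(1324604821.705:299): avc: denied { sys_admin } for pid=11976 '
            'comm="sssd" capability=21 scontext=system_u:system_r:sssd_t:s0 '
            'tcontext=system_u:system_r:sssd_t:s0 tclass=capability')
SESEARCH_OUTPUT = ('Found 1 semantic av rules:\n'
                   'allow sssd_t sssd_t : capability { chown dac_override dac_read_search kill '
                   'setgid setuid net_admin sys_admin sys_nice audit_write } ;\n')

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*?)\s*\}\s*;', re.M)


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = set(rec['perms'].split())
    # The type is the third field of a user:role:type:level security context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # audit(<epoch seconds>:<serial>) -> human-readable UTC time
    rec['time'] = datetime.fromtimestamp(float(rec['ts']), tz=timezone.utc)
    return rec


def parse_allow_rules(text):
    """Return {(source_type, target_type, class): set(permissions)} from sesearch -A output."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def missing_perms(avc, rules):
    """Permissions from the denial that the loaded policy still does not allow (empty = fixed)."""
    allowed = rules.get((avc['stype'], avc['ttype'], avc['tclass']), set())
    return avc['perms'] - allowed


if __name__ == '__main__':
    denial = parse_avc(AVC_LINE)
    print(denial['time'], denial['stype'], denial['tclass'], sorted(denial['perms']))
    print('still missing:', missing_perms(denial, parse_allow_rules(SESEARCH_OUTPUT)))
```

Feeding it the live output of `ausearch -m AVC` and `sesearch -A` lets you confirm a policy update actually covers each recorded denial instead of eyeballing the two listings.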