Description of problem:
SELinux is preventing krb5_child (sssd_t) "write" to ./coolkey (auth_cache_t)

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-326.el5

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd to perform auth against AD with the following config:

    [domain/AD]
    cache_credentials = True
    ldap_schema = rfc2307bis
    ldap_group_object_class = group
    ldap_id_use_start_tls = True
    debug_level = 9
    ldap_force_upper_case_realm = True
    ldap_user_principal = userPrincipalName
    ldap_user_object_class = person
    ldap_tls_cacert = /etc/openldap/cacerts/AD_cert.pem
    ldap_search_base = dc=sssdad,dc=com
    id_provider = ldap
    ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
    ldap_uri = _srv_
    ldap_user_home_directory = unixHomeDirectory
    ldap_default_authtok = XXXXXX
    dns_discovery_domain = sssdad.com
    auth_provider = krb5
    krb5_realm = SSSDAD.COM
    krb5_server = _srv_
    ldap_group_nesting_level = 10

Actual results:
Auth works fine, but the following AVC appears.

Detailed Description:
SELinux denied access requested by krb5_child. It is not expected that this access is required by krb5_child and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./coolkey:

    restorecon -v './coolkey'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                root:system_r:sssd_t
Target Context                system_u:object_r:auth_cache_t
Target Objects                ./coolkey [ dir ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          dhcp201-204.englab.pnq.redhat.com
Source RPM Packages           sssd-1.5.1-49.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-326.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcp201-204.englab.pnq.redhat.com
Platform                      Linux dhcp201-204.englab.pnq.redhat.com 2.6.18-305.el5 #1 SMP Mon Jan 16 17:42:10 EST 2012 x86_64 x86_64
Alert Count                   16
First Seen                    Mon Jan  9 14:14:24 2012
Last Seen                     Wed Jan 25 15:24:39 2012
Local ID                      19103597-87d5-40c4-bd61-7725d3345e8f
Line Numbers

Raw Audit Messages

host=dhcp201-204.englab.pnq.redhat.com type=AVC msg=audit(1327485279.113:727): avc: denied { write } for pid=15909 comm="krb5_child" name="coolkey" dev=dm-0 ino=964329 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir

host=dhcp201-204.englab.pnq.redhat.com type=SYSCALL msg=audit(1327485279.113:727): arch=c000003e syscall=2 success=no exit=-13 a0=4051a60 a1=4c2 a2=180 a3=0 items=0 ppid=15853 pid=15909 auid=0 uid=11001 gid=11001 euid=11001 suid=11001 fsuid=11001 egid=11001 sgid=11001 fsgid=11001 tty=(none) ses=77 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)

Expected results:

Additional info:
Comment from Nalin in the email thread regarding this issue: The Kerberos library can load the pkinit module, which on RHEL 5 uses NSS, which can be configured to use the coolkey module. Expect this to happen if a KDC which the client (on RHEL 5 or 6) contacts advertises that it supports PKINIT. This should probably be allowed, which suggests to me that there's a bug in the SELinux policy for not allowing it.
# tail -f /var/log/audit/audit.log | grep -i avc
type=USER_AVC msg=audit(1327677521.478:74): user pid=3871 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1327677538.277:79): avc: denied { write } for pid=11135 comm="krb5_child" name="coolkey" dev=dm-0 ino=3011777 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc: denied { add_name } for pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc: denied { create } for pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
type=AVC msg=audit(1327677538.278:80): avc: denied { read write } for pid=11135 comm="krb5_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B313173452D47617465203020302D3131303031 dev=dm-0 ino=3012029 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
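Added example, not part of the bug report, sssd or selinux-policy: a small Python script that parses the AVC records quoted in the comment above, decodes the hex-encoded name= and path= fields, and aggregates the denied permissions into allow rules of the kind audit2allow prints. The kernel's audit code hex-encodes an "untrusted" string field (name, path, comm, exe, cwd) when the value contains a space, a double quote or a non-printable byte, which is why the coolkey token file shows up as 636F6F... rather than as text; decoding it shows that krb5_child was creating /var/cache/coolkey/coolkeypk11sE-Gate 0 0-11001. The sample log is constructed from the four records above, and the script is independent of audit2allow and ausearch.

```python
"""Parse SELinux AVC records, decode hex-encoded fields, summarise denials.

Added example for this bug report (not from sssd, selinux-policy or the
Red Hat audit tooling). The sample records are the ones quoted in the
comment above; everything else is standard audit.log syntax.
"""
import re
from collections import defaultdict

# Constructed sample: the records from the comment above, one per line as
# they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1327677521.478:74): user pid=3871 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1327677538.277:79): avc: denied { write } for pid=11135 comm="krb5_child" name="coolkey" dev=dm-0 ino=3011777 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc: denied { add_name } for pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc: denied { create } for pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
type=AVC msg=audit(1327677538.278:80): avc: denied { read write } for pid=11135 comm="krb5_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B313173452D47617465203020302D3131303031 dev=dm-0 ino=3012029 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
"""

# Only type=AVC records carry a denial; USER_AVC notices are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
# key=value pairs: quoted values may contain spaces, bare ones end at whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the kernel logs as "untrusted strings": printed quoted when clean,
# hex-encoded (no quotes) when they contain a space, '"' or a control byte.
HEX_ENCODED_FIELDS = {'name', 'path', 'comm', 'exe', 'cwd'}


def decode_audit_value(raw):
    """Return the printable form of an untrusted-string audit field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_avc_record(line):
    """Parse one type=AVC line into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    record = {'perms': sorted(m.group('perms').split())}
    for key, raw in FIELD_RE.findall(m.group('fields')):
        if key in HEX_ENCODED_FIELDS:
            record[key] = decode_audit_value(raw)
        else:
            record[key] = raw.strip('"')
    return record


def context_type(context):
    """Type component of a context: root:system_r:sssd_t:s0 -> sssd_t."""
    return context.split(':')[2]


def summarise_denials(log_text):
    """Collect denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc_record(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return rules


def allow_rules(log_text):
    """Render the summary as policy allow rules, as audit2allow would."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(summarise_denials(log_text).items())
    ]


if __name__ == '__main__':
    for rec in filter(None, map(parse_avc_record, SAMPLE_AUDIT_LOG.splitlines())):
        print(rec['comm'], rec['perms'], rec.get('name') or rec.get('path'))
    print('\n'.join(allow_rules(SAMPLE_AUDIT_LOG)))
```

The two rules this prints (sssd_t writing and adding names in an auth_cache_t directory, and creating, reading and writing auth_cache_t files) are the access the Nalin comment says the policy should allow; whether to ship them as a local module or wait for the selinux-policy erratum is the decision the rest of this bug is about.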
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html