Bug 820759
| Field | Value |
|---|---|
| Summary | AVC denial seen on sssd upgrade during ipa-client upgrade |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Scott Poore <spoore> |
| Component | sssd |
| Assignee | Stephen Gallagher <sgallagh> |
| Status | CLOSED ERRATA |
| QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Severity | unspecified |
| Priority | high |
| Version | 6.3 |
| CC | grajaiya, jgalipea, jhrozek, kbanerje, prc, syeghiay |
| Target Milestone | rc |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.8.0-27.el6 |
| Doc Type | Bug Fix |
| Doc Text | No documentation required |
| Story Points | --- |
| Last Closed | 2012-06-20 11:57:03 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Conflicts with the old version is what's usually done in such situations. There's a known issue here that we're unable to solve. See https://bugzilla.redhat.com/show_bug.cgi?id=760793

*** This bug has been marked as a duplicate of bug 760793 ***

Sorry, this is not actually a dupe. I thought the AVC was occurring during the upgrade process itself, which would be BZ #760793, but in reality we're not requiring the right SELinux version. We probably SHOULD have a `Conflicts: selinux-policy < <version>` here, although it is non-fatal. We still may see this error during the actual upgrade process because of BZ #760793, but subsequent SSSD restarts will not experience it.

Basically, this AVC was SSSD asking for slightly higher permissions so it could set the kernel keyring into a more high-security mode. If we hit this AVC, we just acknowledge it and continue in the lower-security mode that we had in RHEL 6.2.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
For optimum behavior, the 'selinux-policy' package should also be updated alongside the 'sssd' package. Without it, the user will experience a non-fatal AVC when starting up SSSD with the 'krb5_store_password_if_offline=True' option enabled. This is because SSSD is attempting to request permissions allowing it to make the temporary password storage slightly more secure. If we get the AVC, we will just continue to operate in the same way that we did in RHEL 6.2.
Deleted Technical Notes Contents.

Old Contents:
For optimum behavior, the 'selinux-policy' package should also be updated alongside the 'sssd' package. Without it, the user will experience a non-fatal AVC when starting up SSSD with the 'krb5_store_password_if_offline=True' option enabled. This is because SSSD is attempting to request permissions allowing it to make the temporary password storage slightly more secure. If we get the AVC, we will just continue to operate in the same way that we did in RHEL 6.2.

Verified.

Version :: sssd-1.8.0-28.el6.x86_64

Manual Test Results ::

```
[root@spoore-dvm3 tmp.vnbhYB8j9y]# date; yum -y update sssd
Wed May 23 09:41:06 CDT 2012
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package sssd.x86_64 0:1.5.1-66.el6 will be updated
---> Package sssd.x86_64 0:1.8.0-28.el6 will be an update
--> Processing Dependency: sssd-client(x86-64) = 1.8.0-28.el6 for package: sssd-1.8.0-28.el6.x86_64
--> Processing Dependency: libipa_hbac(x86-64) = 1.8.0-28.el6 for package: sssd-1.8.0-28.el6.x86_64
--> Running transaction check
---> Package libipa_hbac.x86_64 0:1.5.1-66.el6 will be updated
--> Processing Dependency: libipa_hbac = 1.5.1-66.el6 for package: libipa_hbac-python-1.5.1-66.el6.x86_64
---> Package libipa_hbac.x86_64 0:1.8.0-28.el6 will be an update
---> Package sssd-client.x86_64 0:1.5.1-66.el6 will be updated
---> Package sssd-client.x86_64 0:1.8.0-28.el6 will be an update
--> Running transaction check
---> Package libipa_hbac-python.x86_64 0:1.5.1-66.el6 will be updated
---> Package libipa_hbac-python.x86_64 0:1.8.0-28.el6 will be an update
--> Processing Conflict: sssd-1.8.0-28.el6.x86_64 conflicts selinux-policy < 3.7.19-150
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-126.el6 will be updated
--> Processing Dependency: selinux-policy = 3.7.19-126.el6 for package: selinux-policy-targeted-3.7.19-126.el6.noarch
--> Processing Dependency: selinux-policy = 3.7.19-126.el6 for package: selinux-policy-targeted-3.7.19-126.el6.noarch
---> Package selinux-policy.noarch 0:3.7.19-153.el6 will be an update
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.7.19-126.el6 will be updated
---> Package selinux-policy-targeted.noarch 0:3.7.19-153.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch     Version           Repository       Size
================================================================================
Updating:
 selinux-policy           noarch   3.7.19-153.el6    rhel63-server   1.3 M
 sssd                     x86_64   1.8.0-28.el6      rhel63-server   2.2 M
Updating for dependencies:
 libipa_hbac              x86_64   1.8.0-28.el6      rhel63-server    62 k
 libipa_hbac-python       x86_64   1.8.0-28.el6      rhel63-server    57 k
 selinux-policy-targeted  noarch   3.7.19-153.el6    rhel63-server   2.6 M
 sssd-client              x86_64   1.8.0-28.el6      rhel63-server    90 k

Transaction Summary
================================================================================
Upgrade       6 Package(s)

Total download size: 6.2 M
Downloading Packages:
(1/6): libipa_hbac-1.8.0-28.el6.x86_64.rpm                |  62 kB     00:00
(2/6): libipa_hbac-python-1.8.0-28.el6.x86_64.rpm         |  57 kB     00:00
(3/6): selinux-policy-3.7.19-153.el6.noarch.rpm           | 1.3 MB     00:00
(4/6): selinux-policy-targeted-3.7.19-153.el6.noarch.rpm  | 2.6 MB     00:01
(5/6): sssd-1.8.0-28.el6.x86_64.rpm                       | 2.2 MB     00:01
(6/6): sssd-client-1.8.0-28.el6.x86_64.rpm                |  90 kB     00:00
--------------------------------------------------------------------------------
Total                                            1.3 MB/s | 6.2 MB     00:04
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : libipa_hbac-1.8.0-28.el6.x86_64                            1/12
  Updating   : sssd-client-1.8.0-28.el6.x86_64                            2/12
  Updating   : selinux-policy-3.7.19-153.el6.noarch                       3/12
  Updating   : selinux-policy-targeted-3.7.19-153.el6.noarch              4/12
  Updating   : sssd-1.8.0-28.el6.x86_64                                   5/12
  Updating   : libipa_hbac-python-1.8.0-28.el6.x86_64                     6/12
  Cleanup    : selinux-policy-targeted-3.7.19-126.el6.noarch              7/12
  Cleanup    : sssd-1.5.1-66.el6.x86_64                                   8/12
  Cleanup    : libipa_hbac-python-1.5.1-66.el6.x86_64                     9/12
  Cleanup    : selinux-policy-3.7.19-126.el6.noarch                      10/12
  Cleanup    : libipa_hbac-1.5.1-66.el6.x86_64                           11/12
  Cleanup    : sssd-client-1.5.1-66.el6.x86_64                           12/12
rhel63-server/productid                                   | 1.7 kB     00:00
Installed products updated.

Updated:
  selinux-policy.noarch 0:3.7.19-153.el6    sssd.x86_64 0:1.8.0-28.el6

Dependency Updated:
  libipa_hbac.x86_64 0:1.8.0-28.el6
  libipa_hbac-python.x86_64 0:1.8.0-28.el6
  selinux-policy-targeted.noarch 0:3.7.19-153.el6
  sssd-client.x86_64 0:1.8.0-28.el6

Complete!
[root@spoore-dvm3 tmp.vnbhYB8j9y]# ausearch -m avc -ts 09:41:06
<no matches>
[root@spoore-dvm3 tmp.vnbhYB8j9y]# ausearch -m avc
<no matches>
[root@spoore-dvm3 tmp.vnbhYB8j9y]# service sssd condrestart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@spoore-dvm3 tmp.vnbhYB8j9y]# ps -ef|grep sssd
root      5604     1  0 09:44 ?        00:00:00 /usr/sbin/sssd -f -D
root      5606  5604 15 09:44 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.com --debug-to-files
root      5607  5604  0 09:44 ?        00:00:00 /usr/libexec/sssd/sssd_nss --debug-to-files
root      5608  5604  0 09:44 ?        00:00:00 /usr/libexec/sssd/sssd_pam --debug-to-files
root      5610  1559  0 09:44 pts/0    00:00:00 grep sssd
[root@spoore-dvm3 tmp.vnbhYB8j9y]# ausearch -m avc
<no matches>
[root@spoore-dvm3 tmp.vnbhYB8j9y]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@spoore-dvm3 tmp.vnbhYB8j9y]# ausearch -m avc
<no matches>
[root@spoore-dvm3 tmp.vnbhYB8j9y]# service sssd stop
Stopping sssd:                                             [  OK  ]
[root@spoore-dvm3 tmp.vnbhYB8j9y]# service sssd start
Starting sssd:                                             [  OK  ]
[root@spoore-dvm3 tmp.vnbhYB8j9y]# ausearch -m avc
<no matches>
```
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation required
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html
Description of problem:

I see AVC denials when upgrading IPA client only and not full OS. A closer inspection seems to show that this is happening when upgrading sssd. After the upgrade, it appears that we see sssd avc errors for the following:

```
service sssd start
service sssd restart
service sssd condrestart
```

Version-Release number of selected component (if applicable):

```
sssd-1.8.0-25.el6.x86_64
selinux-policy-3.7.19-126.el6.noarch
selinux-policy-targeted-3.7.19-126.el6.noarch
```

How reproducible: always

Steps to Reproduce:
1. `<setup IPA client on RHEL 6.2>`
2. `<point server to RHEL 6.3 yum repos>`
3. `yum -y update sssd`
4. `ausearch -m avc`

Actual results:

```
type=SYSCALL msg=audit(1336683916.955:287): arch=c000003e syscall=250 success=yes exit=0 a0=5 a1=fffffffd a2=3f000000 a3=35600e20d9 items=0 ppid=19627 pid=19628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=33 comm="sssd" exe="/usr/sbin/sssd" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1336683916.955:287): avc: denied { sys_admin } for pid=19628 comm="sssd" capability=21 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability
```

Expected results: no AVC denials from normal sssd upgrade and service operations.

Additional info: Upgrading selinux-policy and selinux-policy-targeted seems to fix this so I'm guessing the real issue has been corrected. I'm in the process of actually confirming this now though. Would it make sense for sssd and/or ipa-client to have a Requires or Conflicts on selinux-policy with a version?
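The audit records above are the kind of thing a triage script has to pick apart: the AVC line carries the denied permission and SELinux contexts, while the SYSCALL line with the same serial shows which call was made and whether it still succeeded. The following is an added example (not code from the bug, from SSSD or from Red Hat) that parses such records, joins each denial to its SYSCALL record, and recognises the specific non-fatal sssd_t/sys_admin denial this bug describes; the sample input is constructed from the two lines quoted in the description.

```python
import re

# Constructed sample: the two records quoted in this bug's description.
SAMPLE_AUDIT = (
    'type=SYSCALL msg=audit(1336683916.955:287): arch=c000003e syscall=250 '
    'success=yes exit=0 a0=5 a1=fffffffd a2=3f000000 a3=35600e20d9 items=0 '
    'ppid=19627 pid=19628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts0 ses=33 comm="sssd" exe="/usr/sbin/sssd" '
    'subj=unconfined_u:system_r:sssd_t:s0 key=(null)\n'
    'type=AVC msg=audit(1336683916.955:287): avc: denied { sys_admin } for '
    'pid=19628 comm="sssd" capability=21 scontext=unconfined_u:system_r:sssd_t:s0 '
    'tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability\n'
)

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'^avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}

def parse_audit(text):
    """One dict per audit record; AVC records also get 'result' and 'perms'."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # ausearch separators, '<no matches>', blank lines
        rtype, ts, serial, body = m.groups()
        rec = {'type': rtype, 'ts': ts, 'serial': int(serial)}
        avc = AVC_RE.match(body)
        if avc:
            rec['result'], perms, body = avc.groups()
            rec['perms'] = set(perms.split())
        rec.update(parse_fields(body))
        records.append(rec)
    return records

def denials(records):
    """AVC denials, each joined to its SYSCALL record via the shared serial."""
    syscalls = {r['serial']: r for r in records if r['type'] == 'SYSCALL'}
    return [dict(r, syscall_rec=syscalls.get(r['serial']))
            for r in records if r['type'] == 'AVC' and r['result'] == 'denied']

def is_sssd_keyring_denial(d):
    """The denial this bug describes: sssd_t asking for CAP_SYS_ADMIN
    (capability 21); syscall 250 is keyctl on x86_64, matching the keyring
    explanation, and the sample SYSCALL record still reports success=yes."""
    return (d.get('tclass') == 'capability' and 'sys_admin' in d['perms']
            and d.get('scontext', '').split(':')[2:3] == ['sssd_t'])
```

Feed it `ausearch -m avc` output after the upgrade: an empty `denials()` list reproduces the verification result above, and any denial for which `is_sssd_keyring_denial()` is false is one this bug does not explain.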