Description of problem:
AVC denials seen for sssd reading/writing krb5.conf. Troubleshooting this, I found that the root cause was that ipa-client-install isn't specifically restoring the selinux context if it creates /etc/krb5.conf from scratch.

Version-Release number of selected component (if applicable):
ipa-client-2.1.3-4.el5

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. yum -y install ipa-client
3. rm /etc/krb5.conf
4. ipa-client-install -s --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW -U --server=$MASTER
5. ausearch -m avc
6. ls -lZ /etc/krb5.conf

Actual results:
5. Will see AVC denials for krb5.conf:

time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 a0=12a59bc0 a1=2 a2=2b4e67b81ba0 a3=0 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.804:161): arch=c000003e syscall=21 success=no exit=-13 a0=1c60c3f0 a1=2 a2=0 a3=0 items=0 ppid=26628 pid=26640 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldap_child" exe="/usr/libexec/sssd/ldap_child" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc: denied { write } for pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.841:162): arch=c000003e syscall=21 success=no exit=-13 a0=136753d0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.841:162): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.842:163): arch=c000003e syscall=21 success=no exit=-13 a0=136753b0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.842:163): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

6. Will see etc_t instead of proper krb5_conf_t for krb5.conf:
-rw-r--r-- root root root:object_r:etc_t /etc/krb5.conf

Expected results:
creates /etc/krb5.conf with expected context:
[root@vm6 ipa-nis-integration]# restorecon /etc/krb5.conf
[root@vm6 ipa-nis-integration]# ls -lZ /etc/krb5.conf
-rw-r--r-- root root system_u:object_r:krb5_conf_t /etc/krb5.conf

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3044
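The denials above are a labeling problem, not a policy gap: the target carries etc_t where policy expects krb5_conf_t. The following added example (not part of the bug report or of FreeIPA) parses AVC records of the shape shown above and flags denials whose target file type differs from the type expected for that filename, which is the signal that points at restorecon rather than at a policy change. The expected-type table and the third sample line are constructed assumptions; on a real host derive expected types with matchpathcon or restorecon -n -v.

```python
import re

# Constructed sample: the first two records mirror the AVC lines in the report
# (comm, name and contexts as reported); the third is a made-up, correctly
# labelled target that must NOT be flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345687335.209:160): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687335.804:161): avc: denied { write } for pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687336.100:170): avc: denied { read } for pid=26700 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949300 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
"""

# Hypothetical expected-type table; in practice build it from the policy
# (matchpathcon /etc/krb5.conf) instead of hard-coding it.
EXPECTED_TYPE = {"krb5.conf": "krb5_conf_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*)\}')


def parse_avc(line):
    """Turn one type=AVC audit line into a dict of its key=value fields,
    plus a 'perms' list of the denied permissions. Non-AVC lines -> None."""
    if not line.startswith("type=AVC"):
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERM_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type component."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def find_mislabeled(audit_text):
    """Return (name, actual_type, expected_type, comm) for every file denial
    whose target type is not the one EXPECTED_TYPE says policy expects."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "file":
            continue
        actual = selinux_type(rec.get("tcontext", ""))
        expected = EXPECTED_TYPE.get(rec.get("name"))
        if expected and actual != expected:
            findings.append((rec["name"], actual, expected, rec.get("comm", "?")))
    return findings


if __name__ == "__main__":
    for name, actual, expected, comm in find_mislabeled(SAMPLE_AUDIT):
        print(f"{comm}: {name} labelled {actual}, policy expects {expected}; fix: restorecon /etc/{name}")
```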
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
Closing upstream ticket, this is not a problem in upstream FreeIPA.
I am closing the ticket, it is a known issue of RHEL-5.x and was documented as such.