Description of problem:
SELinux prevents the rhevm-guest-agent-gdm-plugin from connecting to the SO_PASSCRED unix domain socket ('\x00/tmp/ovirt-cred-channel'). The unix domain socket is created by the service ovirt-guest-agent from the package rhevm-guest-agent.

Audit log entry:
type=AVC msg=audit(1355047156.839:26940): avc: denied { connectto } for pid=11187 comm="gdm-session-wor" path=002F746D702F6F766972742D637265642D6368616E6E656C scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Version-Release number of selected component (if applicable):
rhevm-guest-agent-1.0.5-7

How reproducible:
Always reproducible with selinux-policy-3.7.19-155

Steps to Reproduce:
1. Set up a RHEV-M environment
2. Create a RHEL6.3 Desktop VM with rhevm-guest-agent-gdm-plugin installed
3. Join the computer to the domain
4. Single sign-on from the user portal will not complete.

Actual results:
Single sign-on is not working because the access to the credential socket is blocked.

Expected results:
Access to the socket is not blocked.

Additional info:
Temporary workaround for affected users:
# grep 002F746D702F6F766972742D637265642D6368616E6E656C /var/log/audit/audit.log | audit2allow -M ovirt-guest-agent
# semodule -i ovirt-guest-agent.pp
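The audit record in the description hex-encodes the socket path because the name lives in the abstract namespace and starts with a NUL byte, which is why the workaround greps for the hex string rather than the readable path. The following added example (not part of the bug report) parses an AVC line, decodes that field, and flags this specific denial signature so it can be spotted in audit.log before anyone reaches for audit2allow; the sample record is the one quoted above, embedded inline.

```python
import re

# Constructed sample: the AVC record quoted in comment #0 of this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1355047156.839:26940): avc: denied { connectto } '
    'for pid=11187 comm="gdm-session-wor" '
    'path=002F746D702F6F766972742D637265642D6368616E6E656C '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket'
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERM_RE = re.compile(r'denied\s+\{\s*([^}]*)\}')


def decode_audit_path(value):
    """auditd double-quotes a printable path and hex-encodes one that
    contains non-printable bytes. An abstract unix socket name begins with
    NUL, so it always arrives as hex. Returns (is_abstract, readable_path)."""
    if value.startswith('"'):
        return False, value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:            # unquoted but not hex: leave untouched
        return False, value
    if raw.startswith(b'\x00'):
        return True, raw[1:].decode('utf-8', 'replace')
    return False, raw.decode('utf-8', 'replace')


def parse_avc(line):
    """Pull the fields a triager needs out of one AVC line."""
    perms = _PERM_RE.search(line)
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    rec = {
        'permissions': perms.group(1).split() if perms else [],
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'source_type': fields['scontext'].split(':')[2],   # e.g. xdm_t
        'target_type': fields['tcontext'].split(':')[2],   # e.g. initrc_t
        'tclass': fields.get('tclass'),
    }
    rec['abstract'], rec['path'] = decode_audit_path(fields.get('path', ''))
    return rec


def is_ovirt_cred_denial(rec):
    """True when the record matches the SSO credential-socket denial above:
    a connectto on the agent's abstract socket owned by an unconfined-ish
    initrc_t process, i.e. the agent is running without its own domain."""
    return (rec['tclass'] == 'unix_stream_socket'
            and 'connectto' in rec['permissions']
            and rec['abstract'] and rec['path'] == '/tmp/ovirt-cred-channel'
            and rec['target_type'] == 'initrc_t')
```

Matching records point at the missing domain for the agent (the root cause fixed in the later policy build), not at a rule that xdm_t needs in general, so the audit2allow module from comment #0 should be treated as a stopgap until the policy update is applied.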
Please note that the package rhevm-guest-agent was previously known as rhev-agent. The package rhevm-guest-agent-gdm-plugin was previously known as rhev-agent-gdm-plugin-rhevcred. Correction: The problem occurs within the SSO PAM module - rhevm-guest-agent-pam-module (Previously known as rhev-agent-pam-rhev-cred)
Additional note: The rhevm-guest-agent-kdm-plugin package is also affected by this. The workaround mentioned in comment #0 works for it as well.
The problem is that the ovirt-guest-agent service has no policy. What does
# ps -efZ | grep initrc
system_u:system_r:initrc_t:s0   175  1747    1  0 09:08 ?    00:00:00 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py -p /var/run/ovirt-guest-agent.pid -d
system_u:system_r:initrc_t:s0   root 1790    1  0 09:08 ?    00:00:00 rhnsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1998 1934  0 09:10 tty1 00:00:00 grep initrc
OK, we need to backport changes from Fedora.
You can test it for now using
# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
Also please update to the latest policy build. The rhnsd daemon should be confined.
Fixed in selinux-policy-3.7.19-186.el6
Little issue with guest agent pid file (selinux type), will check when BZ882239 is solved.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html