889251 – SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket

Bug 889251 - SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket

Summary: SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access o...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	959217
TreeView+	depends on / blocked

Reported:	2012-12-20 15:45 UTC by Kaushik Banerjee
Modified:	2013-05-03 11:17 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.7.19-190.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	959217 (view as bug list)
Environment:
Last Closed:	2013-02-21 08:33:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0314	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-02-20 20:35:01 UTC

Description Kaushik Banerjee 2012-12-20 15:45:21 UTC

Description of problem:
SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-185.el6

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd for krb5_kpasswd failover. Snippet of domain section as follows:
[domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kdc1.example.com
krb5_kpasswd = invalidkdc.example.com,kdc1.example.com

2. Try to auth as a user and change password
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Thu Dec 20 21:06:26 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
-sh-4.1$ 

  
Actual results:
Password change works. However, an avc appears:
type=AVC msg=audit(1355985410.909:543): avc:  denied  { name_connect } for  pid=15551 comm="krb5_child" dest=464 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket

Expected results:
avc shouldn't appear.

Additional info:

Comment 1 Miroslav Grepl 2012-12-20 21:37:47 UTC

Backporting from Fedora.

Comment 4 errata-xmlrpc 2013-02-21 08:33:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.