Hide Forgot
Description of problem: SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket Version-Release number of selected component (if applicable): selinux-policy-3.7.19-185.el6 How reproducible: Always Steps to Reproduce: 1. Setup sssd for krb5_kpasswd failover. Snippet of domain section as follows: [domain/LDAP-KRB5] debug_level = 0xFFF0 id_provider = ldap ldap_uri = ldap://ldapserver.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_server = kdc1.example.com krb5_kpasswd = invalidkdc.example.com,kdc1.example.com 2. Try to auth as a user and change password # ssh -l puser1 localhost puser1@localhost's password: Last login: Thu Dec 20 21:06:26 2012 from localhost -sh-4.1$ passwd Changing password for user puser1. Current Password: New password: Retype new password: passwd: all authentication tokens updated successfully. -sh-4.1$ Actual results: Password change works. However, an avc appears: type=AVC msg=audit(1355985410.909:543): avc: denied { name_connect } for pid=15551 comm="krb5_child" dest=464 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket Expected results: avc shouldn't appear. Additional info:
Backporting from Fedora.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html