Bug 889251 - SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket
Summary: SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access o...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 959217
TreeView+ depends on / blocked
 
Reported: 2012-12-20 15:45 UTC by Kaushik Banerjee
Modified: 2013-05-03 11:17 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-190.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 959217 (view as bug list)
Environment:
Last Closed: 2013-02-21 08:33:34 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0314 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-02-20 20:35:01 UTC

Description Kaushik Banerjee 2012-12-20 15:45:21 UTC
Description of problem:
SELinux is preventing /usr/libexec/sssd/krb5_child from name_connect access on the tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-185.el6

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd for krb5_kpasswd failover. Snippet of domain section as follows:
[domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kdc1.example.com
krb5_kpasswd = invalidkdc.example.com,kdc1.example.com

2. Try to auth as a user and change password
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Thu Dec 20 21:06:26 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
-sh-4.1$ 

  
Actual results:
Password change works. However, an avc appears:
type=AVC msg=audit(1355985410.909:543): avc:  denied  { name_connect } for  pid=15551 comm="krb5_child" dest=464 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket

Expected results:
avc shouldn't appear.

Additional info:

Comment 1 Miroslav Grepl 2012-12-20 21:37:47 UTC
Backporting from Fedora.

Comment 4 errata-xmlrpc 2013-02-21 08:33:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html


Note You need to log in before you can comment on or make changes to this bug.