Description of problem:
realm join --membership-software=samba --user-principal=host/Test.QE security.baseos.qe

SELinux is preventing /usr/bin/net from 'write' accesses on the file realm-ad-kerberos-JEJAXW.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that net should be allowed write access on the realm-ad-kerberos-JEJAXW file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep net /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:samba_net_t:s0-s0:c0.c1023
Target Context                system_u:object_r:realmd_var_cache_t:s0
Target Objects                realm-ad-kerberos-JEJAXW [ file ]
Source                        net
Source Path                   /usr/bin/net
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           samba-common-4.0.5-1.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-42.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-301.fc19.x86_64 #1 SMP Mon Apr 29 13:44:05 UTC 2013 x86_64 x86_64
Alert Count                   6
First Seen                    2013-05-09 10:34:36 EDT
Last Seen                     2013-05-13 07:23:28 EDT
Local ID                      a565bdbe-433e-4375-bd79-639e2187bb6b

Raw Audit Messages
type=AVC msg=audit(1368444208.774:495): avc: denied { write } for pid=4401 comm="net" name="realm-ad-kerberos-JEJAXW" dev="dm-1" ino=32595 scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:realmd_var_cache_t:s0 tclass=file

type=SYSCALL msg=audit(1368444208.774:495): arch=x86_64 syscall=open success=no exit=EACCES a0=2362a40 a1=2 a2=180 a3=10 items=0 ppid=3184 pid=4401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=net exe=/usr/bin/net subj=system_u:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)

Hash: net,samba_net_t,realmd_var_cache_t,file,write

audit2allow

#============= samba_net_t ==============
allow samba_net_t realmd_var_cache_t:file write;

audit2allow -R

require {
	type samba_net_t;
	type realmd_var_cache_t;
	class file write;
}

#============= samba_net_t ==============
allow samba_net_t realmd_var_cache_t:file write;

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.0-301.fc19.x86_64
type:           libreport
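The audit2allow rule in the report above is only a local workaround; the proper fix is the updated selinux-policy package noted later in this bug. As an added illustration (not code from the bug, from setroubleshoot or from the selinux-policy project), the Python script below does what audit2allow does with the AVC line quoted above: it parses scontext, tcontext, tclass and the denied permissions, merges denials that share a source/target/class, and emits the allow rules with their require block. The second audit line is constructed to show the merging; only the first is from the report.

```python
import re
from collections import defaultdict

# First line: the AVC denial quoted in the setroubleshoot report above.
# Second line: constructed for illustration (a hypothetical read denial on the same file).
AUDIT_LINES = [
    'type=AVC msg=audit(1368444208.774:495): avc: denied { write } for pid=4401 comm="net" '
    'name="realm-ad-kerberos-JEJAXW" dev="dm-1" ino=32595 '
    'scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:realmd_var_cache_t:s0 tclass=file',
    'type=AVC msg=audit(1368444209.001:496): avc: denied { read } for pid=4401 comm="net" '
    'name="realm-ad-kerberos-JEJAXW" dev="dm-1" ino=32595 '
    'scontext=system_u:system_r:samba_net_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:realmd_var_cache_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source type, target type, object class, set of denied permissions), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:mls]; the type is the third field.
    src = m.group('scontext').split(':')[2]
    tgt = m.group('tcontext').split(':')[2]
    return src, tgt, m.group('tclass'), set(m.group('perms').split())

def build_module(lines, name='mypol'):
    """Merge denials with the same (source, target, class) into one allow rule each."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append('\tclass %s { %s };' % (cls, ' '.join(sorted(perms))))
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, p if len(perms) == 1 else '{ %s }' % p))
    return '\n'.join(out)

if __name__ == '__main__':
    print(build_module(AUDIT_LINES))
```

Run against only the first line, the output contains exactly the rule the report shows, `allow samba_net_t realmd_var_cache_t:file write;`; such a locally generated module grants that access system-wide, so it should be removed with semodule -r once the fixed policy package is installed.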
Description of problem:
realm join --membership-software=samba --user-principal=host/Test.COM security.baseos.qe

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.0-301.fc19.x86_64
type:           libreport
Fixed in selinux-policy-3.12.1-44.fc19.noarch
David, this is interesting. Could you post the 'realm --verbose' output for the command that caused this? Or perhaps it's in your logs?
[root@dspurek ~]# realm join --verbose --membership-software=samba --user-principal=host/Test.QE security.baseos.qe
 * Resolving: _ldap._tcp.dc._msdcs.security.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.36.170
 * Successfully discovered: security.baseos.qe
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root KRB5CCNAME=/var/cache/realmd/realm-ad-kerberos-9WF1WW /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.6BJ1WW -k ads join security.baseos.qe createupn=host/Test.QE
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)
 ! Insufficient permissions to join the domain security.baseos.qe
Password for Administrator:
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.OWYJXW -U Administrator ads join security.baseos.qe createupn=host/Test.QE
Enter Administrator's password:
DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- SECURITY
Joined 'DSPUREK' to dns domain 'security.baseos.qe'
No DNS domain configured for dspurek. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.OWYJXW -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'
 * /usr/bin/systemctl restart sssd.service
 * /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart
 * Successfully enrolled machine in realm
Stef, I had a problem to reproduce this avc again. I think that I found the case related to this issue. It is important to run join with '--user-principal= '

[root@dspurek ~]# realm join --user=Administrator --user-principal= security.baseos.qe
Password for Administrator:
[root@dspurek ~]# realm leave security.baseos.qe

And after that run 'realm join --verbose --membership-software=samba --user-principal=host/Test.QE security.baseos.qe'
I don't see this issue with selinux-policy-3.12.1-44.fc19.noarch