On 02/25/2013 11:15 AM, Jakub Hrozek wrote:
> On Mon, Feb 25, 2013 at 11:06:09AM +0000, Dale Macartney wrote:
>>
>> On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
>>> On Mon, Feb 25, 2013 at 10:30:44AM +0000, Dale Macartney wrote:
>>>>>> What state is your SELinux in? Permissive/Enforcing/Disabled ?
>>>> Another fail on my part. Works fine in permissive mode.
>>>>
>>>
>>> No, the SSSD should be working out of the box with SELinux Enforcing.
>>>
>>>> AVC denials listed below..
>>>>
>>>> type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
>>>> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
>>>> pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
>>>> pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
>>>> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
>>>
>>> ^ This is SELinux denying access to the fast in-memory cache.
>>>
>>>> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
>>>> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
>>>> pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
>>>> pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
>>>> ino=392854 scontext=system_u:system_r:sssd_t:s0
>>>
>>> Interesting, I'm not aware of any code in the krb5 child process that
>>> would do anything selinux-related. I wonder if libkrb5 might be the
>>> culprit.. rpm says it *is* linked against libselinux as well.
>>>
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
>>>> pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
>>>> for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
>>>> pid=1380 comm="sssd_pam" name="adminoTfIUQ"
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
>>>> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
>>>> for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
>>>> type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
>>>> pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>> type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
>>>> pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951
>>>> scontext=system_u:system_r:sssd_t:s0
>>>> tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
>>>
>>> This is SSSD trying to write the user login mapping.
>>>
>>> What version is your selinux-policy?
>>>
>>> Was your system properly labeled?
>>>
>>> Does restorecon -Rvv /etc/selinux help?
>> Interesting, after using restorecon, yes it now allows a successful
>> login. I am curious how the contexts would have become incorrectly set
>> as the machine was provisioned with a rather trivial kickstart.
>>
>> Output of restorecon is below.
>>
>> [root@workstation01 ~]# restorecon -Rvv /etc/selinux/
>> restorecon reset /etc/selinux/targeted/logins context
>> system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
>> restorecon reset /etc/selinux/targeted/logins/admin context
>> system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
>> [root@workstation01 ~]#
>>
>> selinux policy version 3.7.19-195.el6_4.1
>
> I'm not sure, was the system installed with that version or upgraded to
> it?

All repositories are available during install, so no need for upgrade post
install. IPA client install runs as part of %post.

>
>
> I would also suggest to restorecon /var/lib/sss/mc/passwd to get rid of
> the memory cache denials. That should also allow faster initgroups (and
> by extension logins) operation.
Good to know, presumably this will be patched in an upcoming package
release as well.

>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
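The diagnosis in this thread comes down to reading the AVC records, grouping them by source domain, target type and object, and then deciding which denials are a labeling problem (fixed by restorecon) and which are a policy question (the krb5_child access to /etc/selinux/config, which was labeled correctly). The following Python is an added example, not code from the thread or from the SSSD/FreeIPA projects: it parses audit.log-style AVC lines, summarises them per (comm, source type, target type, class), and flags objects whose observed type contradicts the relabeling that the quoted restorecon output shows. The sample records are the thread's own AVC lines re-joined onto single lines (as auditd writes them), plus one constructed non-AVC SYSCALL line to show the parser skipping it; the expected-type table is an assumption built only from the quoted restorecon output, not a general policy lookup.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread, one record per line as
# auditd stores them in /var/log/audit/audit.log (the mail client wrapped them), plus
# a constructed SYSCALL record so the parser has a non-AVC line to ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name } for pid=1380 comm="sssd_pam" name="adminoTfIUQ" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1361788156.367:28322): arch=c000003e syscall=87 success=no exit=-13
"""

# Assumption for this example: expected types derived from the restorecon output quoted
# in the thread (the logins dir and its entries were reset to selinux_login_config_t).
# Keys are object names as they appear in the AVC "name=" field. On a real host, query
# the policy with matchpathcon or a restorecon -n dry run instead of a fixed table.
EXPECTED_TYPE_BY_OBJECT = {
    "logins": "selinux_login_config_t",
    "admin": "selinux_login_config_t",
}

# Record header: timestamp, serial, and the denied permission set inside the braces.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (name, path, comm) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    for key, _whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type:range."""
    return ctx.split(":")[2]


def summarize(lines):
    """Group denials by (comm, source type, target type, class) with perms and objects."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "objects": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("comm"), context_type(rec["scontext"]),
               context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        obj = rec.get("path") or rec.get("name")
        if obj:
            g["objects"].add(obj)
    return dict(groups)


def find_mislabels(summary):
    """Objects whose observed target type differs from the expected type table."""
    findings = set()
    for (comm, _stype, ttype, _tclass), g in summary.items():
        for obj in g["objects"]:
            expected = EXPECTED_TYPE_BY_OBJECT.get(obj)
            if expected is not None and expected != ttype:
                findings.add((comm, obj, ttype, expected))
    return sorted(findings)


def main():
    summary = summarize(SAMPLE_AUDIT_LOG.splitlines())
    for (comm, stype, ttype, tclass), g in sorted(summary.items()):
        print(f"{comm:<11} {stype:<8} -> {ttype:<22} {tclass:<4} "
              f"{{ {' '.join(sorted(g['perms']))} }} objects={sorted(g['objects'])}")
    for comm, obj, seen, expected in find_mislabels(summary):
        print(f"mislabel: {obj!r} used by {comm} is {seen}, expected {expected}; "
              f"a labeling fix (restorecon) applies, not a policy change")


if __name__ == "__main__":
    main()
```

Run against the sample, the sshd denials collapse into one line showing that a single object (/var/lib/sss/mc/passwd) is behind three permissions, the two logins-directory objects are reported as mislabeled, and /etc/selinux/config is correctly typed selinux_config_t and so is left for the policy discussion rather than a relabel.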