I need to set SELinux to enforcing to get the relevant SSSD logs, right?

On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose <sb...@redhat.com> wrote:

> On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > I started seeing some selinux errors on one of my RHEL 7 clients recently
> > (possibly after a recent yum update?), which prevents users from logging
> > in with passwords. I've put SELinux in permissive mode for now. Logs follow
>
> This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> Would you mind adding your findings and the SSSD logs as described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> ticket.
>
> Thank you.
>
> bye,
> Sumit
>
> > SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> > key Unknown.
> >
> > ***** Plugin catchall (100. confidence) suggests **************************
> >
> > If you believe that krb5_child should be allowed read access on the Unknown
> > key by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > Additional Information:
> > Source Context                system_u:system_r:sssd_t:s0
> > Target Context                system_u:system_r:unconfined_service_t:s0
> > Target Objects                Unknown [ key ]
> > Source                        krb5_child
> > Source Path                   /usr/libexec/sssd/krb5_child
> > Port                          <Unknown>
> > Host                          <Unknown>
> > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name                     example.com
> > Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> > Alert Count                   38
> > First Seen                    2016-09-28 18:37:43 EDT
> > Last Seen                     2016-09-28 22:08:41 EDT
> > Local ID                      aa5271fa-f708-46b0-a382-fb1f90ce8973
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1475114921.376:90787): avc: denied { read } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
> >
> > type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> >
> > Hash: krb5_child,sssd_t,unconfined_service_t,key,read
> >
> > --------------------------------------------------------------------------------
> >
> > SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> > key Unknown.
> >
> > ***** Plugin catchall (100. confidence) suggests **************************
> >
> > If you believe that krb5_child should be allowed view access on the Unknown
> > key by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > Additional Information:
> > Source Context                system_u:system_r:sssd_t:s0
> > Target Context                system_u:system_r:unconfined_service_t:s0
> > Target Objects                Unknown [ key ]
> > Source                        krb5_child
> > Source Path                   /usr/libexec/sssd/krb5_child
> > Port                          <Unknown>
> > Host                          <Unknown>
> > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name                     example.com
> > Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> > Alert Count                   10
> > First Seen                    2016-09-28 18:40:00 EDT
> > Last Seen                     2016-09-28 22:08:41 EDT
> > Local ID                      22ec0970-9447-444a-9631-69749e4e7226
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1475114921.376:90789): avc: denied { view } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
> >
> > type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> >
> > Hash: krb5_child,sssd_t,unconfined_service_t,key,view
> >
> > --------------------------------------------------------------------------------
> >
> > SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the
> > key Unknown.
> >
> > ***** Plugin catchall (100. confidence) suggests **************************
> >
> > If you believe that krb5_child should be allowed write access on the
> > Unknown key by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > Additional Information:
> > Source Context                system_u:system_r:sssd_t:s0
> > Target Context                system_u:system_r:unconfined_service_t:s0
> > Target Objects                Unknown [ key ]
> > Source                        krb5_child
> > Source Path                   /usr/libexec/sssd/krb5_child
> > Port                          <Unknown>
> > Host                          <Unknown>
> > Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Permissive
> > Host Name                     example.com
> > Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
> > Alert Count                   10
> > First Seen                    2016-09-28 18:40:00 EDT
> > Last Seen                     2016-09-28 22:08:41 EDT
> > Local ID                      8982bbec-38db-485b-9266-57fdaa8a3621
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1475114921.376:90790): avc: denied { write } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
> >
> > type=SYSCALL msg=audit(1475114921.376:90790): arch=x86_64 syscall=add_key success=no exit=EACCES a0=7f6987905ffc a1=7ffeed78b1f0 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> >
> > Hash: krb5_child,sssd_t,unconfined_service_t,key,write
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
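The setroubleshoot text quoted in the thread suggests piping every audit.log line that mentions krb5_child through audit2allow and installing the result. As an added example (editor's code, not from the thread, from SSSD or from setroubleshoot), the script below parses AVC records the way a reviewer would before running `semodule -i`: it groups the denied permissions by source type, target type and object class, renders the allow rule such a module would carry, and counts how many records were actually blocking (`permissive=0`). The sample log is constructed from the three AVC records and one SYSCALL record quoted above; the `comm` filter, function names and output format are the example's own assumptions.

```python
"""Summarise SELinux AVC denials before turning them into a policy module."""
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in the thread,
# one record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=AVC msg=audit(1475114921.376:90790): avc:  denied  { write } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
"""

# "avc:  denied  { perm ... } for  key=value ..." with auditd's double spaces
AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type component of an SELinux context string user:role:type[:range]."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        'perms': set(m.group(1).split()),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'pid': int(fields['pid']),
        # permissive=1 means the access was logged but not blocked
        'permissive': fields.get('permissive') == '1',
    }


def summarize_denials(audit_text, comm=None):
    """Group denied permissions by (source type, target type, object class).

    `comm` optionally restricts the summary to one process name, which is
    what the `grep krb5_child` in the setroubleshoot suggestion does.
    """
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec['comm'] != comm):
            continue
        key = (context_type(rec['scontext']),
               context_type(rec['tcontext']),
               rec['tclass'])
        grouped[key] |= rec['perms']
    return {k: sorted(v) for k, v in grouped.items()}


def allow_rules(summary):
    """Render the summary as the allow lines an audit2allow .te would carry."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


def blocking_denials(audit_text):
    """AVC records with permissive=0, i.e. the ones that actually failed."""
    return [r for r in map(parse_avc, audit_text.splitlines())
            if r is not None and not r['permissive']]


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG, comm='krb5_child')
    for rule in allow_rules(summary):
        print(rule)
    print(f"{len(blocking_denials(SAMPLE_AUDIT_LOG))} denials were enforced (permissive=0)")
```

Because allow rules are keyed on types rather than on the individual object, the single rule this produces grants `sssd_t` read, view and write on any kernel key labelled `unconfined_service_t`, which is broader than the one key krb5_child needed. That is why reading the generated `.te` before `semodule -i` is worth doing even when the local module is only meant as a stopgap until the bugzilla fix lands.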