Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
On Thu, Sep 29, 2016 at 12:07:13PM -0400, Prasun Gera wrote:
> I need to set SELinux to enforcing to get the relevant SSSD logs, right?

Yes, I think this would help to identify the operation which triggers the
AVC because it should fail.

bye,
Sumit

> On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose wrote:
>
> > On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > > I started seeing some SELinux errors on one of my RHEL 7 clients recently
> > > (possibly after a recent yum update?), which prevents users from logging
> > > in with passwords. I've put SELinux in permissive mode for now. Logs follow
> >
> > This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> > Would you mind adding your findings and the SSSD logs as described in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> > ticket.
> >
> > Thank you.
> >
> > bye,
> > Sumit
> >
> > > SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> > > key Unknown.
> > >
> > > SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> > > key Unknown.
Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
I need to set SELinux to enforcing to get the relevant SSSD logs, right?

On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose wrote:

> On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > I started seeing some SELinux errors on one of my RHEL 7 clients recently
> > (possibly after a recent yum update?), which prevents users from logging
> > in with passwords. I've put SELinux in permissive mode for now. Logs follow
>
> This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> Would you mind adding your findings and the SSSD logs as described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> ticket.
>
> Thank you.
>
> bye,
> Sumit
>
> > SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> > key Unknown.
> >
> > SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> > key Unknown.
Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> I started seeing some SELinux errors on one of my RHEL 7 clients recently
> (possibly after a recent yum update?), which prevents users from logging
> in with passwords. I've put SELinux in permissive mode for now. Logs follow

This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
Would you mind adding your findings and the SSSD logs as described in
https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
ticket.

Thank you.

bye,
Sumit

> SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
> key Unknown.
>
> SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
> key Unknown.
[Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
I started seeing some SELinux errors on one of my RHEL 7 clients recently
(possibly after a recent yum update?), which prevents users from logging in
with passwords. I've put SELinux in permissive mode for now. Logs follow:

SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the key Unknown.

*  Plugin catchall (100. confidence) suggests  **

If you believe that krb5_child should be allowed read access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port
Host
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     example.com
Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count                   38
First Seen                    2016-09-28 18:37:43 EDT
Last Seen                     2016-09-28 22:08:41 EDT
Local ID                      aa5271fa-f708-46b0-a382-fb1f90ce8973

Raw Audit Messages
type=AVC msg=audit(1475114921.376:90787): avc: denied { read } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0

type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,unconfined_service_t,key,read


SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the key Unknown.

*  Plugin catchall (100. confidence) suggests  **

If you believe that krb5_child should be allowed view access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port
Host
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     example.com
Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count                   10
First Seen                    2016-09-28 18:40:00 EDT
Last Seen                     2016-09-28 22:08:41 EDT
Local ID                      22ec0970-9447-444a-9631-69749e4e7226

Raw Audit Messages
type=AVC msg=audit(1475114921.376:90789): avc: denied { view } for pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0

type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,unconfined_service_t,key,view


SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the key Unknown.

*  Plugin catchall (100. confidence) suggests
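A small triage script for raw audit records like the ones in this post, added here as an example; it is not part of the thread, of SSSD or of setroubleshoot. It pairs each AVC record with the SYSCALL record that shares its event serial, reports whether the denied operation actually failed for the caller, groups the denials by (source type, target type, class, permission), and prints the allow rule that the suggested `audit2allow` run would build from them, so the reader can see how broad that grant is. The embedded sample log is constructed from the two AVC/SYSCALL pairs above, reassembled one record per line; the function names are my own.

```python
"""Triage SELinux AVC denials from raw audit.log records.

Added example (not from the thread or from SSSD): pairs AVC and SYSCALL
records by event serial, groups denials the way audit2allow would, and
flags which denied operations really failed for the calling process.
"""
import re
from collections import defaultdict

# Constructed sample: the two AVC/SYSCALL pairs quoted in the post,
# reassembled one record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict; None unless it is AVC or SYSCALL."""
    head = re.match(r"type=(AVC|SYSCALL)\b", line)
    event = EVENT_RE.search(line)
    if not head or not event:
        return None
    rec = {"type": head.group(1), "serial": int(event.group("serial")),
           "timestamp": float(event.group("ts"))}
    if rec["type"] == "AVC":
        avc = AVC_RE.search(line)
        if not avc:
            return None
        rec["result"] = avc.group("result")
        rec["perms"] = tuple(avc.group("perms").split())
    for key, value in KV_RE.findall(line):  # pid, comm, scontext, success, exit ...
        rec.setdefault(key, value.strip('"'))
    return rec


def type_of(context):
    """user:role:type:level -> type, the part SELinux allow rules are written in."""
    return context.split(":")[2]


def correlate(log_text):
    """Pair every denied AVC record with the SYSCALL record of the same serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    findings = []
    for serial in sorted(events):
        avc = events[serial].get("AVC")
        if avc is None or avc["result"] != "denied":
            continue
        sc = events[serial].get("SYSCALL", {})
        findings.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "stype": type_of(avc["scontext"]),
            "ttype": type_of(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            # permissive=0 on the AVC means it was logged while enforcing
            "enforced": avc.get("permissive") == "0",
            "syscall": sc.get("syscall"),
            "exit": sc.get("exit"),
            # success=no on the paired SYSCALL means the caller was really blocked
            "failed": sc.get("success") == "no",
        })
    return findings


def summarize(findings):
    """Count denials per (source type, target type, class, permission)."""
    counts = defaultdict(int)
    for f in findings:
        for perm in f["perms"]:
            counts[(f["stype"], f["ttype"], f["tclass"], perm)] += 1
    return dict(counts)


def suggest_rules(findings):
    """Allow rules in the form audit2allow emits: one per (source, target, class),
    covering every permission seen, so the breadth of the grant is visible."""
    perms = defaultdict(set)
    for f in findings:
        perms[(f["stype"], f["ttype"], f["tclass"])].update(f["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]


if __name__ == "__main__":
    found = correlate(SAMPLE_AUDIT_LOG)
    for f in found:
        print("event %d: %s denied %s on %s:%s via %s (exit=%s, failed=%s, enforcing=%s)"
              % (f["serial"], f["comm"], "/".join(f["perms"]), f["ttype"],
                 f["tclass"], f["syscall"], f["exit"], f["failed"], f["enforced"]))
    for rule in suggest_rules(found):
        print("audit2allow would propose:", rule)
```

Two things the output makes visible that the setroubleshoot summary does not: the AVC records carry `permissive=0`, so they were logged while the box was still enforcing (the "Enforcing Mode Permissive" line describes the host when the report was generated), and only the `view` denial has a paired `keyctl` failure (`success=no exit=EACCES`), which is the operation worth chasing in the SSSD logs. The single rule `audit2allow` would build grants `sssd_t` read and view on every key labelled `unconfined_service_t`, not just the one krb5_child touched, which is why attaching the logs to the bugzilla ticket, as suggested earlier in the thread, is preferable to shipping the local module.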