Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-30 Thread Sumit Bose
On Thu, Sep 29, 2016 at 12:07:13PM -0400, Prasun Gera wrote:
> I need to set SELinux to enforcing to get the relevant SSSD logs, right?

yes, I think this would help to identify the operation which triggers
the AVC because it should fail.

bye,
Sumit

> 
> On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose  wrote:
> 
> > On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > > I started seeing some SELinux errors on one of my RHEL 7 clients recently
> > > (possibly after a recent yum update?), which prevents users from logging
> > > in with passwords. I've put SELinux in permissive mode for now. Logs follow.
> >
> > This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> > Would you mind adding your findings and the SSSD logs as described in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> > ticket.
> >
> > Thank you.
> >
> > bye,
> > Sumit
> >

Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-29 Thread Prasun Gera
I need to set SELinux to enforcing to get the relevant SSSD logs, right?

On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose  wrote:

> On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > I started seeing some SELinux errors on one of my RHEL 7 clients recently
> > (possibly after a recent yum update?), which prevents users from logging
> > in with passwords. I've put SELinux in permissive mode for now. Logs follow.
>
> This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
> Would you mind adding your findings and the SSSD logs as described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
> ticket.
>
> Thank you.
>
> bye,
> Sumit
>

Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-29 Thread Sumit Bose
On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> I started seeing some SELinux errors on one of my RHEL 7 clients recently
> (possibly after a recent yum update?), which prevents users from logging
> in with passwords. I've put SELinux in permissive mode for now. Logs follow.

This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1301686 .
Would you mind adding your findings and the SSSD logs as described in
https://bugzilla.redhat.com/show_bug.cgi?id=1301686#c2 to the bugzilla
ticket.

Thank you.

bye,
Sumit


[Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-28 Thread Prasun Gera
I started seeing some SELinux errors on one of my RHEL 7 clients recently
(possibly after a recent yum update?), which prevents users from logging
in with passwords. I've put SELinux in permissive mode for now. Logs follow.


SELinux is preventing /usr/libexec/sssd/krb5_child from read access on the
key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that krb5_child should be allowed read access on the Unknown
key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port
Host
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     example.com
Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count                   38
First Seen                    2016-09-28 18:37:43 EDT
Last Seen                     2016-09-28 22:08:41 EDT
Local ID                      aa5271fa-f708-46b0-a382-fb1f90ce8973

Raw Audit Messages
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0

type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,unconfined_service_t,key,read



SELinux is preventing /usr/libexec/sssd/krb5_child from view access on the
key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that krb5_child should be allowed view access on the Unknown
key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep krb5_child /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port
Host
Source RPM Packages           sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     example.com
Platform                      Linux example.com 4.4.19-1.el7.x86_64 #1 SMP Mon Aug 29 18:38:32 EDT 2016 x86_64 x86_64
Alert Count                   10
First Seen                    2016-09-28 18:40:00 EDT
Last Seen                     2016-09-28 22:08:41 EDT
Local ID                      22ec0970-9447-444a-9631-69749e4e7226

Raw Audit Messages
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0

type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 a2=0 a3=0 items=0 ppid=891 pid=8272 auid=4294967295 uid=1388200053 gid=1388200053 euid=1388200053 suid=1388200053 fsuid=1388200053 egid=1388200053 sgid=1388200053 fsgid=1388200053 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: krb5_child,sssd_t,unconfined_service_t,key,view



SELinux is preventing /usr/libexec/sssd/krb5_child from write access on the
key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************
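An added example, not from this thread or from SSSD, that parses the raw audit records quoted above: it pairs each AVC with the SYSCALL record carrying the same audit serial, so you can see which keyctl call actually failed (exit=EACCES) and which did not, and it derives the allow rule that the suggested `audit2allow -M mypol` step would place in mypol.pp. The sample lines are constructed from the records in this post, with the repeated uid/gid fields abridged.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL pairs from the post, re-joined onto single lines, uid/gid fields abridged.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1475114921.376:90787): avc:  denied  { read } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90787): arch=x86_64 syscall=keyctl success=yes exit=EINTR a0=b a1=333b5463 pid=8272 uid=1388200053 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1475114921.376:90789): avc:  denied  { view } for  pid=8272 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1475114921.376:90789): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=6 a1=2e1c07f1 pid=8272 uid=1388200053 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')     # the serial in msg=audit(timestamp:serial)
PERMS_RE = re.compile(r'\{ ([^}]*) \}')                  # { read } / { view write }
def parse_record(line):
    """Split one audit record into a dict, adding the event 'serial' and the denied 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = int(MSG_RE.search(line).group(1))
    perms = PERMS_RE.search(line)
    rec['perms'] = perms.group(1).split() if perms else []
    return rec

def correlate(log_text):
    """Group records by serial, then pair each AVC with the SYSCALL record of the same event."""
    by_serial = defaultdict(dict)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        by_serial[rec['serial']][rec['type']] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc is None:
            continue
        events.append({
            'serial': serial,
            'perms': avc['perms'],
            'source_type': avc['scontext'].split(':')[2],   # e.g. sssd_t
            'target_type': avc['tcontext'].split(':')[2],   # e.g. unconfined_service_t
            'tclass': avc['tclass'],
            'enforced': avc.get('permissive') == '0',       # permissive=1 would mean logged but allowed
            'exit': sc.get('exit'),
            'failed': sc.get('success') == 'no',            # did the keyctl call actually fail?
        })
    return events

def audit2allow_rules(events):
    """Aggregate the denials into the allow rule that 'audit2allow -M' would generate."""
    perms = defaultdict(set)
    for e in events:
        perms[(e['source_type'], e['target_type'], e['tclass'])].update(e['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]
```

Running `correlate` over a real /var/log/audit/audit.log (grep'd for krb5_child as in the post) lets you confirm that the denials are the ones that fail the login before attaching the logs to the bugzilla ticket.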