#2797 Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]
Closed: Invalid. Opened 8 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1263251

Description of problem: Could not open file [/var/log/sssd/selinux_child.log].
Error: [13][Permission denied]


Version-Release number of selected component (if applicable): 7.2


How reproducible: Always


Steps to Reproduce:
1. Ensure IPA server is installed on RHEL7.2
2. Ensure trust is established with Win2K8 R2.
3. systemctl stop sssd.service
4. In the [sssd] section of the /etc/sssd/sssd.conf file, add the following:
[sssd]
user = sssd
5. systemctl start sssd.service
6. Now try logging as the ADuser from the AD Windows Box.

Actual results:

1. Since the sssd service is now running as user 'sssd', the ownership of all the
log files below has been changed to sssd.sssd, which is correct behaviour.

[root@ipa01 sssd]# ls -l | grep sssd_nss
-rw-------. 1 sssd sssd  9814824 Sep 15 17:21 sssd_nss.log
[root@ipa01 sssd]# ls -l | grep sssd_pam
-rw-------. 1 sssd sssd  4137528 Sep 15 17:21 sssd_pam.log
[root@ipa01 sssd]# ls -l | grep sssd_ssh
-rw-------. 1 sssd sssd  4204027 Sep 15 17:21 sssd_ssh.log
[root@ipa01 sssd]# ls -l | grep sssd_pac
-rw-------. 1 sssd sssd  4090200 Sep 15 17:21 sssd_pac.log
[root@ipa01 sssd]# ls -l | grep sssd_sudo
-rw-------. 1 sssd sssd  4615010 Sep 15 17:21 sssd_sudo.log

2. The ownership of the keytab file in the /var/lib/sss/keytabs directory also changes
to sssd.sssd, which is correct behaviour.

drwx------. 2 sssd sssd   50 Sep 15 17:45 keytabs
[root@ipa01 keytabs]# ls -l
total 8
-rw-------. 1 sssd sssd 177 Sep 15 17:45 test.in.keytab


3. The ownership of the files below remains root.root and doesn't change to
sssd:sssd.

-rw-------. 1 root root    57108 Sep 15 17:20 krb5_child.log
-rw-------. 1 root root    36022 Sep 15 17:16 ldap_child.log
-rw-------. 1 root root        0 Aug 24 14:59 selinux_child.log

4. The AD user gets logged in successfully, but a message is displayed on
the IPA server console.

[smenon@ipa01 log]$  Message from syslogd@ipa01 at Sep 15 17:47:41 ...
 sssd[be[labs01.test]]:Could not open file [/var/log/sssd/selinux_child.log].
Error: [13][Permission denied]

Expected results: The ownership of the log files should be changed to sssd:sssd
when the sssd service is running as 'sssd', and to root:root vice versa.

Additional info:
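As an added example that is not part of the ticket or of SSSD itself, the following shell check lets an administrator confirm, after setting user = in the [sssd] section, that every file under the SSSD log directory is owned by that service user; the root-owned *_child.log files from the report are exactly what it would flag. The function names, the default paths and the use of standard POSIX tools (awk, ls) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ticket: verify that every file under the SSSD
# log directory is owned by the user named in the [sssd] section of sssd.conf.
# In the report the *_child.log files stayed root-owned after 'user = sssd'
# was set, which is the mismatch this check reports.

# Print the 'user' value from the [sssd] section of the given config file.
# Falls back to "root", the user SSSD runs as when the key is absent.
sssd_conf_user() {
    awk -F'=' '
        /^[[:space:]]*\[/ {            # section header: remember whether it is [sssd]
            in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next
        }
        in_sssd && $1 ~ /^[[:space:]]*user[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2)
            print $2; found = 1; exit
        }
        END { if (!found) print "root" }
    ' "$1"
}

# Print one MISMATCH line per regular file in the directory whose owner is
# not the expected user. Returns 0 when all files match, 1 otherwise.
check_log_ownership() {
    expected="$1"; dir="$2"; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(ls -ld "$f" | awk '{ print $3 }')   # owner column of ls -l
        if [ "$owner" != "$expected" ]; then
            printf 'MISMATCH %s owned by %s, expected %s\n' "$f" "$owner" "$expected"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sssd_log_owner_check [sssd.conf] [log directory]
# Defaults match the paths in the report (hypothetical wrapper, not an SSSD tool).
sssd_log_owner_check() {
    conf="${1:-/etc/sssd/sssd.conf}"; logdir="${2:-/var/log/sssd}"
    check_log_ownership "$(sssd_conf_user "$conf")" "$logdir"
}
```

A non-zero exit with MISMATCH lines means the unprivileged service user cannot open those logs, which is the Permission denied in the ticket.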

Fields changed

owner: somebody => pcech

Because running as non-root is not the default in most distributions, I think this should be OK in 1.13.3, no need to put the ticket into .1 or .2

Fields changed

status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.3

We can no longer reproduce the problem, closing.

resolution: => worksforme
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.13.3

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3838

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
