https://bugzilla.redhat.com/show_bug.cgi?id=851318 (Red Hat Enterprise Linux 5)
Description of problem:
AVC denials seen for sssd reading/writing krb5.conf. Troubleshooting this, I found that the root cause was that ipa-client-install isn't specifically restoring the SELinux context if it creates /etc/krb5.conf from scratch.

Version-Release number of selected component (if applicable):
ipa-client-2.1.3-4.el5

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. yum -y install ipa-client
3. rm /etc/krb5.conf
4. ipa-client-install -s --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW -U --server=$MASTER
5. ausearch -m avc
6. ls -lZ /etc/krb5.conf

Actual results:
5. Will see AVC denials for krb5.conf:

time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 a0=12a59bc0 a1=2 a2=2b4e67b81ba0 a3=0 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.804:161): arch=c000003e syscall=21 success=no exit=-13 a0=1c60c3f0 a1=2 a2=0 a3=0 items=0 ppid=26628 pid=26640 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldap_child" exe="/usr/libexec/sssd/ldap_child" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc: denied { write } for pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.841:162): arch=c000003e syscall=21 success=no exit=-13 a0=136753d0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.841:162): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.842:163): arch=c000003e syscall=21 success=no exit=-13 a0=136753b0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.842:163): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

6. Will see etc_t instead of proper krb5_conf_t for krb5.conf:
-rw-r--r-- root root root:object_r:etc_t /etc/krb5.conf

Expected results:
creates /etc/krb5.conf with expected context:
[root@vm6 ipa-nis-integration]# restorecon /etc/krb5.conf
[root@vm6 ipa-nis-integration]# ls -lZ /etc/krb5.conf
-rw-r--r-- root root system_u:object_r:krb5_conf_t /etc/krb5.conf

Additional info:
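As an added example (not code from the report or from the FreeIPA project), a small Python check that parses `ausearch -m avc` output in the shape of the records above and flags denials where the target config file carries the generic etc_t label instead of the type it should have (krb5_conf_t), which is exactly what a missing restorecon leaves behind. The EXPECTED_TYPE map and the sample records are constructed assumptions.

```python
import re

# Constructed sample shaped like the ausearch -m avc output in the report
# (values copied from the report's records; not a live capture).
SAMPLE_AUDIT = """\
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc: denied { write } for pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=AVC msg=audit(1345687335.804:161): avc: denied { write } for pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
"""

# Expected SELinux file type per config file name (assumption: extend as needed).
# krb5_conf_t is the label the report shows after restorecon.
EXPECTED_TYPE = {"krb5.conf": "krb5_conf_t"}

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of key=value fields for one AVC denial line, else None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type component."""
    return context.split(":")[2]


def find_mislabeled(audit_text):
    """Flag file denials whose target carries a type other than the expected one."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        want = EXPECTED_TYPE.get(rec.get("name"))
        have = selinux_type(rec["tcontext"])
        if want and have != want:
            findings.append({"comm": rec["comm"], "name": rec["name"],
                             "perms": rec["perms"], "have": have, "want": want})
    return findings


if __name__ == "__main__":
    for f in find_mislabeled(SAMPLE_AUDIT):
        print(f"{f['comm']}: {f['name']} labeled {f['have']}, expected {f['want']}; restorecon it")
```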
Rename component.
Not an issue in current upstream FreeIPA.
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: Ticket Backlog