#3044 RHEL5 ipa-client-install creates krb5.conf with incorrect selinux context
Closed: Invalid None Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=851318 (Red Hat Enterprise Linux 5)

Description of problem:

AVC denials seen for sssd reading/writing krb5.conf.  Troubleshooting this, I
found that the root cause was that ipa-client-install isn't specifically
restoring the SELinux context if it creates /etc/krb5.conf from scratch.


Version-Release number of selected component (if applicable):
ipa-client-2.1.3-4.el5

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. yum -y install ipa-client
3. rm /etc/krb5.conf
4. ipa-client-install -s --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW -U --server=$MASTER
5. ausearch -m avc
6. ls -lZ /etc/krb5.conf

Actual results:

5. Will see AVC denials for krb5.conf:

time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no
exit=-13 a0=12a59bc0 a1=2 a2=2b4e67b81ba0 a3=0 items=0 ppid=26625 pid=26628
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be"
subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628
comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267
scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.804:161): arch=c000003e syscall=21 success=no
exit=-13 a0=1c60c3f0 a1=2 a2=0 a3=0 items=0 ppid=26628 pid=26640
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="ldap_child" exe="/usr/libexec/sssd/ldap_child"
subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640
comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267
scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.841:162): arch=c000003e syscall=21 success=no
exit=-13 a0=136753d0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0
ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be"
exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.841:162): avc:  denied  { write } for  pid=26628
comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267
scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.842:163): arch=c000003e syscall=21 success=no
exit=-13 a0=136753b0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0
ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be"
exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.842:163): avc:  denied  { write } for  pid=26628
comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267
scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

6. Will see etc_t instead of the proper krb5_conf_t for krb5.conf:

-rw-r--r--  root root root:object_r:etc_t              /etc/krb5.conf

Expected results:

creates /etc/krb5.conf with expected context:

[root@vm6 ipa-nis-integration]# restorecon /etc/krb5.conf
[root@vm6 ipa-nis-integration]# ls -lZ /etc/krb5.conf
-rw-r--r--  root root system_u:object_r:krb5_conf_t    /etc/krb5.conf


Additional info:

Not an issue in current upstream FreeIPA.
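The two halves of this ticket, triaging AVC denials from `ausearch -m avc` output and writing a config file so it ends up with the label policy expects, as an added example in Python. This is not FreeIPA's code or the fix that upstream applied; the sample audit lines are constructed from the records quoted above plus one unrelated denial for contrast, the `EXPECTED_TYPES` table is a hypothetical mapping seeded from the `restorecon` output shown in the expected results, and `restorecon` is only invoked if `shutil.which` finds it on the host.

```python
"""Added example, not ipa-client-install code: parse AVC records, flag the
denials that a relabel would fix, and write a config file the way this ticket
says ipa-client-install should (create it, then restore its SELinux context).
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample: the first two records are the ones quoted in the ticket,
# the third is a made-up unrelated denial to show what is NOT a relabel problem.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687336.100:170): avc:  denied  { read } for  pid=26700 comm="sshd" name="shadow" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Hypothetical table of the file type policy expects per config file name;
# the krb5.conf entry is what restorecon produced in the ticket.
EXPECTED_TYPES = {"krb5.conf": "krb5_conf_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC record, with the type field split out of each context."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type:level; the type is the third field.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def mislabeled_targets(records):
    """Denials whose target file carries a type other than the expected one.
    These are the cases a restorecon fixes; anything else needs a policy decision,
    not a relabel. Returns (name, actual type, expected type, comm) tuples."""
    out = []
    for rec in records:
        expected = EXPECTED_TYPES.get(rec["name"])
        if expected and rec["ttype"] != expected:
            out.append((rec["name"], rec["ttype"], expected, rec["comm"]))
    return out


def write_config_restoring_context(path, content):
    """Write a config file atomically, then ask SELinux to relabel it.
    Returns True if restorecon was run, False if it is not installed, in which
    case the file is still written (the host simply has no SELinux tooling)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".krb5.conf.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o644)
        # rename() keeps the temp file's label rather than computing the
        # destination's, which is why restorecon must follow the write.
        os.rename(tmp, path)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    restorecon = shutil.which("restorecon")
    if restorecon is None:
        return False
    subprocess.run([restorecon, "-v", path], check=False)
    return True


def demo(directory=None):
    """Exercise the writer in a scratch directory.
    Returns (content read back, leftover temp files, whether restorecon ran)."""
    directory = directory or tempfile.mkdtemp(prefix="krb5demo.")
    path = os.path.join(directory, "krb5.conf")
    ran = write_config_restoring_context(path, "[libdefaults]\n default_realm = EXAMPLE.COM\n")
    with open(path) as f:
        data = f.read()
    leftovers = [n for n in os.listdir(directory) if n.startswith(".krb5.conf.")]
    return data, leftovers, ran


if __name__ == "__main__":
    for name, actual, expected, comm in mislabeled_targets(parse_avc(SAMPLE_AUDIT)):
        print(f"{comm}: {name} is {actual}, policy expects {expected}; run restorecon")
    print(demo())
```

Run as a script it reports the two krb5.conf denials from the ticket as relabel candidates and ignores the unrelated one. The writer mirrors the failure mode here: a file created by a process (or renamed into place from a temp file) inherits whatever label creation gave it, so on a host with SELinux the explicit `restorecon` is what turns `etc_t` into `krb5_conf_t`; on a host without `restorecon` the function degrades to a plain atomic write and says so in its return value.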

Metadata Update from @dpal (7 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: Ticket Backlog
