Read bz comment 6 for more details - race between SSSD and file move with restorecon call.
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1195339
Description of problem: The following AVC denial appeared during testing:

----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:692): arch=c000003e syscall=21 success=no exit=-13 a0=7fb175c03338 a1=4 a2=10 a3=fffffffffffff558 items=0 ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:692): avc: denied { read } for pid=15958 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=203775716 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:693): arch=c000003e syscall=4 success=no exit=-13 a0=7fb175c2c4a8 a1=7fffb8a58000 a2=7fffb8a58000 a3=0 items=0 ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:693): avc: denied { getattr } for pid=15958 comm="sssd_be" pa

The issue could not be reproduced. Not sure if anything can be done with it if there is no reproducer; feel free to close it if the root cause cannot be found.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.el7
sssd-1.12.2-58.el7
ipa-client-4.1.0-18.el7

How reproducible: appeared only once

Some additional info:
# semanage fcontext -l |grep realmd_var_lib_t
/var/lib/ipa-client(/.*)?    all files    system_u:object_r:realmd_var_lib_t:s0
# rpm -qf /var/lib/ipa-client
ipa-client-4.1.0-18.el7.s390x
# ls -la /var/lib/ipa-client/
total 4
drwxr-xr-x.  3 root root   23 Feb 23 05:16 .
drwxr-xr-x. 42 root root 4096 Feb 23 05:47 ..
drwxr-xr-x.  2 root root    6 Jan 30 10:47 sysrestore
# ls -la /var/lib/ipa-client/sysrestore/
total 0
drwxr-xr-x. 2 root root  6 Jan 30 10:47 .
drwxr-xr-x. 3 root root 23 Feb 23 05:16 ..
We could use the following approach for all affected files to avoid the race:
mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
instead of:
mv /etc/krb5.conf.ipanew /etc/krb5.conf
/sbin/restorecon /etc/krb5.conf
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1127211 (Red Hat Enterprise Linux 6)
This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.
Make sure to check if SELinux is present on the system; otherwise there might not be a -Z option.
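As an added example (not FreeIPA's or this ticket's own code), the following POSIX shell helper does what the two comments above ask for: it replaces a config file so that the new file is never visible to a confined reader such as sssd_be under the wrong label, uses the mv -Z form proposed here as a fallback, and degrades to a plain mv where SELinux is absent. The function names (install_labeled, selinux_mv_usable, install_racy) and the pre-labelling step with matchpathcon/chcon are this example's own assumptions, not something the ticket proposes; it also assumes GNU coreutils and that source and destination sit on the same filesystem, as /etc/krb5.conf.ipanew and /etc/krb5.conf do.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Hypothetical helpers for replacing a
# config file without a window in which it carries the temp file's label.
#
# Assumptions: GNU coreutils mv/chcon; libselinux-utils (selinuxenabled,
# matchpathcon) on SELinux hosts; SRC and DST on the same filesystem so
# that mv is a single rename().

# Returns 0 if SELinux is enabled on this host and mv understands -Z.
# Without SELinux (or with an mv lacking -Z) callers fall back to plain mv,
# which is the "check if SELinux is present" caveat from the ticket.
selinux_mv_usable() {
    command -v selinuxenabled >/dev/null 2>&1 || return 1
    selinuxenabled 2>/dev/null || return 1
    mv --help 2>&1 | grep -q -- '-Z' || return 1
}

# The racy sequence the ticket replaces, kept only for comparison: between
# the rename and the restorecon, DST exists with SRC's label, and a reader
# in a confined domain that opens it in that window gets an AVC denial.
install_racy() {
    mv -- "$1" "$2" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$2"
    fi
}

# Replace DST with SRC with the correct label already in place.
#  1. SELinux enabled: look up DST's default context and apply it to SRC
#     *before* the rename. The label lives on the inode, so rename() carries
#     it over and DST appears correctly labelled in one atomic step.
#  2. Lookup or chcon failed: use mv -Z, the approach proposed in this ticket.
#  3. No SELinux: a plain rename is all that is needed.
install_labeled() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "install_labeled: $src is missing" >&2; return 1; }
    if selinux_mv_usable; then
        ctx=$(matchpathcon -n "$dst" 2>/dev/null) || ctx=""
        if [ -n "$ctx" ] && chcon "$ctx" "$src" 2>/dev/null; then
            mv -- "$src" "$dst"
        else
            mv -Z -- "$src" "$dst"
        fi
    else
        mv -- "$src" "$dst"
    fi
}

# Usage with the paths from the ticket:
#   install_labeled /etc/krb5.conf.ipanew /etc/krb5.conf
```

The pre-labelling branch matters because restorecon on the temp file would not help: /etc/krb5.conf.ipanew matches the generic /etc rule, not the specific /etc/krb5.conf one, so the context has to be looked up for the destination path and applied to the source inode before it is renamed into place.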
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.2.1