RHEL-143810

AVC for sssd_be accessing oidc_child on client


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • sssd
    • rhel-idm

      What were you trying to do that didn't work?

      Testing SSSD's Generic IdP support by running the system tests for test_idp.py. These set up the client with the provider pointing to Keycloak.

      The tests fail without setting SELinux to permissive mode. During the failure, I see these AVCs:

      ----
      time->Fri Jan 23 15:35:17 2026
      type=PROCTITLE msg=audit(1769182517.547:6942): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E0074657374002D2D6C6F676765723D66696C6573
      type=SYSCALL msg=audit(1769182517.547:6942): arch=c000003e syscall=59 success=no exit=-13 a0=7f2ab8a2ad44 a1=561cd7ce0de0 a2=561cd7cdb000 a3=561cd7cad010 items=0 ppid=102812 pid=102857 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
      type=AVC msg=audit(1769182517.547:6942): avc:  denied  { execute } for  pid=102857 comm="sssd_be" name="oidc_child" dev="vda3" ino=25980863 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0
      ----
      time->Fri Jan 23 15:35:17 2026
      type=PROCTITLE msg=audit(1769182517.550:6943): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E0074657374002D2D6C6F676765723D66696C6573
      type=SYSCALL msg=audit(1769182517.550:6943): arch=c000003e syscall=59 success=no exit=-13 a0=7f2ab8a2ad44 a1=561cd7ce0de0 a2=561cd7cdb000 a3=561cd7cad010 items=0 ppid=102812 pid=102858 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
      type=AVC msg=audit(1769182517.550:6943): avc:  denied  { execute } for  pid=102858 comm="sssd_be" name="oidc_child" dev="vda3" ino=25980863 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0

      What is the impact of this issue to you?

      Testing and Generic IdP access do not work without changing labels/policy or setting permissive mode.

      Please provide the package NVR for which the bug is seen:

      sssd-2.12.0-1.el10.x86_64
      selinux-policy-42.1.14-1.el10.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set up an SSSD client configured for Generic IdP against a Keycloak server
      2. Add user1 to Keycloak
      3. On the SSSD client, run getent passwd user1@test

      Expected results

      Returns user info

      Actual results

      No user info returned and AVCs listed above seen.
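      The two AVC records above are the whole diagnostic, so here is an added triage helper (written for this page, not code from the reporter or the SSSD project): it parses audit AVC/PROCTITLE records, decodes the hex proctitle, dedupes denials by source type, target type, class and permission, and separates a mislabelled binary (fixed by restorecon) from a real policy gap. The expected-type argument to classify() is whatever matchpathcon(1) reports for the file on the host; the sample records are copies of the lines in this report, and the "placeholder_exec_t" type is a stand-in, not a claim about how oidc_child should be labelled.

```python
import re
from collections import Counter

# Records copied from this report (the PROCTITLE line is the first of the pair above).
PROCTITLE_LINE = 'type=PROCTITLE msg=audit(1769182517.547:6942): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E0074657374002D2D6C6F676765723D66696C6573'
AVC_LINES = """\
type=AVC msg=audit(1769182517.547:6942): avc:  denied  { execute } for  pid=102857 comm="sssd_be" name="oidc_child" dev="vda3" ino=25980863 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1769182517.550:6943): avc:  denied  { execute } for  pid=102858 comm="sssd_be" name="oidc_child" dev="vda3" ino=25980863 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:ipa_otpd_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC fields as a dict (plus bare source/target types), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def decode_proctitle(line):
    """Decode a PROCTITLE record's hex argv (NUL-separated) into a list; quoted form is a single arg."""
    m = re.search(r'proctitle=("[^"]*"|[0-9A-Fa-f]+)', line)
    if not m:
        return None
    val = m.group(1)
    if val.startswith('"'):
        return [val.strip('"')]
    return bytes.fromhex(val).decode("utf-8", "replace").split("\0")

def summarize(text):
    """Count denials by (source type, target type, class, permission) so repeats collapse to one rule."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def classify(rec, expected_type):
    """Mislabelled file if the on-disk type differs from what matchpathcon expects; otherwise a policy gap."""
    if rec["ttype"] != expected_type:
        return "mislabelled: restorecon the file (%s -> %s)" % (rec["ttype"], expected_type)
    return "policy gap: %s lacks %s on %s:%s" % (rec["stype"], " ".join(rec["perms"]), rec["ttype"], rec["tclass"])
```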

              sssd-maint (SSSD Maintainers)
              Scott Poore (spoore@redhat.com)
              Alexander Bokovoy
              SSSD QE
              Louise McGarry