RHEL / RHEL-18057

Incorrect SELinux file context on authselect backup directory /var/lib/authselect

    • Bug
    • Resolution: Duplicate
    • Normal
    • CentOS Stream 9, rhel-9.3.0
    • authselect
    • Moderate
    • sst_idm_sssd
    • ssg_idm
    • 0
    • False
    • x86_64

      What were you trying to do that didn't work?

      Unable to authenticate after restoring an authselect profile.

      Audit log shows that access to /etc/pam.d/password-auth was denied:

      type=AVC msg=audit(1701738018.421:565): avc:  denied  { read } for  pid=5292 comm="sshd" name="password-auth" dev="vda4" ino=8388824 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1701738018.424:566): avc:  denied  { read } for  pid=5292 comm="sshd" name="postlogin" dev="vda4" ino=8388828 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1701738018.424:567): avc:  denied  { read } for  pid=5292 comm="sshd" name="password-auth" dev="vda4" ino=8388824 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1701738018.425:568): avc:  denied  { read } for  pid=5292 comm="sshd" name="password-auth" dev="vda4" ino=8388824 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1701738018.425:569): avc:  denied  { read } for  pid=5292 comm="sshd" name="password-auth" dev="vda4" ino=8388824 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1701738018.425:570): avc:  denied  { read } for  pid=5292 comm="sshd" name="postlogin" dev="vda4" ino=8388828 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

      Please provide the package NVR for which bug is seen:

      # rpm -qa | egrep "authselect|selinux" | sort
      authselect-1.2.6-1.el9.x86_64
      authselect-compat-1.2.6-1.el9.x86_64
      authselect-libs-1.2.6-1.el9.x86_64
      libselinux-3.5-1.el9.x86_64
      libselinux-utils-3.5-1.el9.x86_64
      python3-libselinux-3.5-1.el9.x86_64
      rpm-plugin-selinux-4.16.1.3-22.el9.x86_64
      selinux-policy-38.1.11-2.el9_2.2.noarch
      selinux-policy-targeted-38.1.11-2.el9_2.2.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. authselect select minimal --force --backup=local_backup
      2. restorecon -Rv /var/lib/authselect/
      3. authselect backup-restore local_backup

      Expected results

      Authentication would not be impacted after restoring authselect profile

      Actual results

      Authentication/login is denied after restoring authselect profile.

            thalman@redhat.com Tomas Halman
            rhn-support-suwu Sunny Wu
            Pavel Brezina
            Dan Lavu
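For triage of denials like the ones quoted in this report, the following added example (not part of the original issue and not authselect or Red Hat code) parses AVC records and groups enforced denials by process, permission, object and target type. The function names are hypothetical, and the default target type `var_lib_t` is taken from the report's log lines.

```python
import re
from collections import Counter

# Three of the AVC records quoted in the report above, embedded as offline sample input.
SAMPLE = '''\
type=AVC msg=audit(1701738018.421:565): avc:  denied  { read } for  pid=5292 comm="sshd" name="password-auth" dev="vda4" ino=8388824 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1701738018.424:566): avc:  denied  { read } for  pid=5292 comm="sshd" name="postlogin" dev="vda4" ino=8388828 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1701738018.424:567): avc:  denied  { read } for  pid=5292 comm="sshd" name="password-auth" dev="vda4" ino=8388824 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None  # truncated or malformed record
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; only the level may contain more colons.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(lines):
    """Count enforced denials per (comm, source type, perms, name, inode, target type)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('permissive') != '0':
            continue  # skip non-AVC records and permissive-mode (logged only) denials
        counts[(rec['comm'], rec['stype'], ' '.join(rec['perms']),
                rec.get('name', '?'), rec.get('ino', '?'), rec['ttype'])] += 1
    return counts

def files_with_target_type(lines, ttype='var_lib_t'):
    """Names of denied objects labelled with ttype (default: the type seen in the report)."""
    return sorted({key[3] for key in summarize(lines) if key[5] == ttype})

if __name__ == '__main__':
    for key, n in summarize(SAMPLE.splitlines()).most_common():
        print(n, *key)
    print('objects labelled var_lib_t:', files_with_target_type(SAMPLE.splitlines()))
```

Grouping by inode collapses the repeated records into the two distinct files that `sshd_t` could not read, both carrying the `var_lib_t` type.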