Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-39874: AVC denied in audit.log on RHEL8

Authentication Service ,  

19 August,20 at 09:41 AM

Applies to: Centrify Infrastructure Services on RHEL8 

Problem:
The local user login with password will generate below AVC denied message in /var/log/audit/audit.log on RHEL8 server. On this RHEL8 server Centrify is installed and SELinux is set to enforcing:

3317 type=AVC msg=audit(1581047560.548:2761): avc: denied { map } for pid=4045 comm="unix_chkpwd" path="/etc/centrifydc/centrifydc.conf" dev="dm-0" ino=8881094 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

Log snippet in centrifydc.log:

Feb 06 03:16:35 rhel8 platform-python[19158]: SELinux is preventing /usr/sbin/unix_chkpwd from map access on the file /etc/centrifydc/centrifydc.conf

Cause:
In RHEL7.6 a new SELinux boolean 'domain_can_mmap_files' was introduced, and default value was 'on' which is changed to 'off' on RHEL8.
The AVC denial is because unix_chkpwd, which is invoked to authenticate load users, fails to do mmap() on centrifydc.conf due to this SELinux change on RHEL8.

Workaround:
Run following command as root user to unblock  
# setsebool -P domain_can_mmap_files 1

Solution:
It will be fixed in Release 2020.

Related Articles

 articleKB-9803: Unable to run adauto.pl on RHEL 5.x with SELinux enabled articleKB-26876: What is the Expected .k5login Security Context? articleKB-10571: RHEL 5.x SELinux module incompatibility articleKB-3241: Unable to change the root password/ 'Authentication token manipulation error' message articleKB-24046: Centrify-sshd does not start on bootup on RHEL8 articleKB-1418: SAP SSO failure with error "Permission denied in replay cache code" articleKB-10577: Get NT_STATUS_ACCESS_DENIED error when try to list files after connecting to samba share articleKB-1570: Access Denied to samba share when 'force user' defined articleKB-1861: SSH fails/Access denied if the shell /bin/bash does not exist