Applies to: Centrify Infrastructure Services on RHEL8
Problem:
Local user login with a password generates the AVC denied message below in /var/log/audit/audit.log on a RHEL8 server where Centrify is installed and SELinux is set to enforcing:

3317 type=AVC msg=audit(1581047560.548:2761): avc: denied { map } for pid=4045 comm="unix_chkpwd" path="/etc/centrifydc/centrifydc.conf" dev="dm-0" ino=8881094 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

Log snippet in centrifydc.log:

Feb 06 03:16:35 rhel8 platform-python[19158]: SELinux is preventing /usr/sbin/unix_chkpwd from map access on the file /etc/centrifydc/centrifydc.conf

Cause:
The SELinux boolean 'domain_can_mmap_files' was introduced in RHEL7.6 with a default value of 'on'; on RHEL8 the default is changed to 'off'.
The AVC denial occurs because unix_chkpwd, which is invoked to authenticate local users, fails to mmap() centrifydc.conf due to this SELinux change on RHEL8.

Workaround:
Run the following command as the root user to unblock:
# setsebool -P domain_can_mmap_files 1
Solution:
It will be fixed in Release 2020.
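
To confirm that a host is hitting this specific denial before changing the boolean, the audit log can be filtered for it. The script below is an added example, not Centrify or Red Hat code; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify or Red Hat code): find the unix_chkpwd "map"
# denial described in this article in an audit log.

# count_chkpwd_map_denials FILE: print how many AVC records in FILE deny
# { map } to comm="unix_chkpwd" on /etc/centrifydc/centrifydc.conf.
count_chkpwd_map_denials() {
    awk '
        /type=AVC/ && /avc: +denied +[{] map [}]/ &&
        /comm="unix_chkpwd"/ &&
        /path="\/etc\/centrifydc\/centrifydc\.conf"/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# denial_contexts FILE: print the distinct "scontext tcontext tclass" triples
# of unix_chkpwd map denials, to confirm source domain and target type.
denial_contexts() {
    awk '
        /type=AVC/ && /avc: +denied +[{] map [}]/ && /comm="unix_chkpwd"/ {
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
                if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            key = s " " t " " c
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' "$1"
}

# Constructed sample: a record based on the article's denial, plus two
# records (a read denial and a PAM event) that must not match.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
type=AVC msg=audit(1581047560.548:2761): avc: denied { map } for pid=4045 comm="unix_chkpwd" path="/etc/centrifydc/centrifydc.conf" dev="dm-0" ino=8881094 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1581047561.100:2762): avc: denied { read } for pid=4050 comm="unix_chkpwd" path="/etc/centrifydc/centrifydc.conf" dev="dm-0" ino=8881094 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1581047562.200:2763): pid=4051 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="localuser" res=failed'
EOF

echo "matching denials: $(count_chkpwd_map_denials "$sample_log")"
denial_contexts "$sample_log"
```

On a real host, pass /var/log/audit/audit.log as the file argument; reading it requires root.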