Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-39874: AVC denied in audit.log on RHEL8

Authentication Service ,  

19 August,20 at 09:41 AM

Applies to: Centrify Infrastructure Services on RHEL8 

Problem:
The local user login with password will generate below AVC denied message in
/var/log/audit/audit.log on RHEL8 server. On this RHEL8 server Centrify is installed and SELinux is set to enforcing:

3317 type=AVC msg=audit(1581047560.548:2761): avc: denied { map } for pid=4045 comm="unix_chkpwd" path="/etc/centrifydc/centrifydc.conf" dev="dm-0" ino=8881094 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

Log snippet in centrifydc.log:

Feb 06 03:16:35 rhel8 platform-python[19158]: SELinux is preventing /usr/sbin/unix_chkpwd from map access on the file /etc/centrifydc/centrifydc.conf

Cause:
In RHEL7.6 a new SELinux boolean '
domain_can_mmap_files' was introduced, and default value was 'on' which is changed to 'off' on RHEL8.
The AVC denial is because unix_chkpwd, which is invoked to authenticate load users, fails to do mmap() on centrifydc.conf due to this SELinux change on RHEL8.


Workaround:
Run following command as root user to unblock 
# setsebool -P domain_can_mmap_files 1

Solution:
It will be fixed in Release 2020.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.