KB-9803: Unable to run adauto.pl on RHEL 5.x with SELinux enabled

Authentication Service

12 February,18 at 12:16 PM

Applies to: All versions of Centrify DirectControl on RHEL 5.x
 
Problem:

With SELinux enabled on RHEL 5.x, configuring autofs with the adauto.pl script fails: SELinux prevents the script from running, and the following AVC denials appear in the audit log:

type=AVC msg=audit(1516336579.172:327982): avc: denied { ioctl } for pid=30600 comm="perl" path="/var/centrifydc/auto_maps/auto.soft.lck" dev=dm-3 ino=983235 scontext=root:system_r:automount_t:s0 tcontext=root:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1516336579.533:327983): avc: denied { append } for pid=30606 comm="adedit" name="krb5.ccache" dev=dm-0 ino=1803663 scontext=root:system_r:automount_t:s0 tcontext=root:object_r:etc_runtime_t:s0 tclass=file

However, once SELinux is disabled, the script runs properly without any problem.
 
Cause:

The security context does not satisfy the SELinux policy, which results in the denials shown above. DirectControl ships with an integrated SELinux policy to ensure that DirectControl works in an SELinux-enforcing environment. However, because of variations between RHEL releases, the issue above occurs on RHEL 5.x.

Workaround:

The attached adauto.te is the policy source generated from audit.log for adauto.pl.
It specifies the allowed actions for processes of type automount_t.

The attached adauto.pp is the generated policy.
Run the following command as root:

>semodule -i adauto.pp

The module should then take effect immediately. Once it is loaded, run the adauto.pl script again with SELinux enabled.
This issue exists only on RHEL 5; the script works fine on RHEL 6 and RHEL 7.
