12 February 2018 at 12:16 PM
Applies to: All versions of Centrify DirectControl on RHEL5.x
Problem:
With SELinux enabled (enforcing) on RHEL5.x, configuring autofs with the adauto.pl script fails: SELinux blocks the script, and the following denied AVC entries appear in the audit log:
type=AVC msg=audit(1516336579.172:327982): avc: denied { ioctl } for pid=30600 comm="perl" path="/var/centrifydc/auto_maps/auto.soft.lck" dev=dm-3 ino=983235 scontext=root:system_r:automount_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1516336579.533:327983): avc: denied { append } for pid=30606 comm="adedit" name="krb5.ccache" dev=dm-0 ino=1803663 scontext=root:system_r:automount_t:s0 tcontext=root:object_r:etc_runtime_t:s0 tclass=file
Once SELinux is disabled, the script runs without any problem.
Cause:
The operations adauto.pl performs are not permitted by the loaded SELinux policy for the security context the script runs in (automount_t), so the kernel denies them with the AVC entries shown above: an ioctl on a lock file labelled var_t, and an append to a Kerberos credential cache labelled etc_runtime_t. DirectControl ships an integrated SELinux policy so that it works in an SELinux-enforcing environment, but because the base policy differs between RHEL releases, the shipped policy does not cover these operations on RHEL 5.x.
Workaround:
The attached adauto.te is the policy source generated from the audit log for adauto.pl.
It specifies the actions to allow for processes of type automount_t.
The attached adauto.pp is the compiled policy module built from that source.
Run the following command as root:
>semodule -i adauto.pp
The module takes effect immediately; no reboot or relabel is needed. Once it is loaded, run the adauto.pl script again with SELinux enabled.
This issue exists only on RHEL5; RHEL6 and RHEL7 are not affected.