SELinux does not allow to change the password or a computer account in Active Directory for an UNAB endpoint

Article ID: 261812

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

An endpoint has been configured through UNAB so that it can change its computer account password in Active Directory.

Despite this, the agent_debug log contains messages indicating that the password change fails:

20230307083351.164587 T3581747200 L 1: uxauthd: Failed to reset the endpoint's password in AD.

When the audit log in /var/log/audit is checked, the AVC records point to the SELinux policy not allowing the operation to complete: uxauthd, running in the init_t domain, is denied name_connect to TCP port 464 (the Kerberos password-change port, labelled kerberos_password_port_t):

[root@xxxxxxxxxx ~]# cat /var/log/audit/audit.log | grep denied | grep ux | tail -5 | while read line; do    time=`echo $line | sed 's/.*audit(\([0-9]*\).*/\1/'`;    echo `date -d @$time` $line; done
Tue Mar 7 08:33:50 CET 2023 type=AVC msg=audit(1678174430.158:146956): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
Tue Mar 7 08:33:51 CET 2023 type=AVC msg=audit(1678174431.161:146957): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
Tue Mar 7 08:33:51 CET 2023 type=AVC msg=audit(1678174431.162:146958): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
Tue Mar 7 08:33:51 CET 2023 type=AVC msg=audit(1678174431.162:146959): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
Tue Mar 7 08:33:51 CET 2023 type=AVC msg=audit(1678174431.163:146960): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
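The one-liner above converts the audit(epoch:serial) stamp to a readable date with sed and date. As an added example, not part of the original article, the following Python script does the same job more generally: it parses AVC denial records into their fields (process, permission, source and target SELinux types, destination port, permissive flag) and filters for the pattern seen here, a uxauthd denial against kerberos_password_port_t. The log lines embedded in it are constructed samples in the shape of the records above (one unrelated httpd denial is included so the filter has something to skip); the function names are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (same shape as the article's AVC lines, plus one
# SYSCALL record and one unrelated httpd denial that the filter should skip).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1678174430.158:146956): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1678174430.158:146956): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1678174431.161:146957): avc: denied { name_connect } for pid=954136 comm="uxauthd" dest=464 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1678174500.000:146990): avc: denied { read } for pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# audit.log writes "avc:  denied  { perm }" with doubled spaces; " +" tolerates both.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "time": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # scontext/tcontext are user:role:type:level; the type is what policy rules name
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def find_denials(log_text, comm=None, tcontext_type=None):
    """All AVC denials in log_text, optionally restricted to one process name
    and one target SELinux type."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        if tcontext_type is not None and rec.get("tcontext_type") != tcontext_type:
            continue
        hits.append(rec)
    return hits


def describe(rec):
    """One readable line per denial, like the article's date -d @epoch output."""
    return (f'{rec["time"]:%Y-%m-%d %H:%M:%S %Z} {rec.get("comm")} pid={rec.get("pid")} '
            f'denied {" ".join(rec["perms"])} on {rec.get("tclass")} '
            f'{rec.get("scontext_type")} -> {rec.get("tcontext_type")} '
            f'dest={rec.get("dest", "-")} permissive={rec.get("permissive")}')


if __name__ == "__main__":
    # On a real system read /var/log/audit/audit.log instead of the sample text.
    for rec in find_denials(SAMPLE_AUDIT_LOG, comm="uxauthd",
                            tcontext_type="kerberos_password_port_t"):
        print(describe(rec))
```

Times are printed in UTC, so the first sample record shows 07:33:50 UTC, which is the 08:33:50 CET the article's date command prints. The permissive field is worth keeping in the output: permissive=0 means the connection was actually blocked, whereas permissive=1 would mean the denial was only logged.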

Environment

Release : 14.10.50.61

Cause

This problem exists in all versions prior to 14.10.50.70 and is caused by an outdated selinux.sh configuration policy.

Resolution

Please upgrade UNAB to version 14.10.40.70 or later.