During this process, the MCU needs to read the /var/opt/quest/home/questusr/.ssh/authorized_keys file via SSH. SELinux blocks this because /var is not the usual location for a user home directory, so the file carries a different security context (var_t in the denial below) than the user_home_t label that sshd is permitted to read.
A message similar to the following one appears in /var/log/audit/audit.log:
type=AVC msg=audit(1431011295.352:623): avc: denied { read } for pid=9856 comm="sshd" name="authorized_keys" dev="dm-0" ino=33567082 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
Switching SELinux to 'Permissive' mode allows this operation (and any other that 'Enforcing' mode would block) and merely logs such actions as "denied" in audit.log, but it is not recommended because it disables SELinux protection entirely.
A better option is to configure SELinux so that Privilege Manager can be set up while SELinux stays in 'Enforcing' mode. Of the several ways to do this, we recommend adding the following lines to the '/etc/selinux/targeted/contexts/files/file_contexts.homedirs' file. Ideally, do this before configuring the service account via the MCU or configuring the policy server with the 'pmsrvconfig' command:
/var/opt/quest/home/questusr(/.*)? unconfined_u:object_r:user_home_t:s0
/var/opt/quest/qpm4u/pmpolicy(/.*)? unconfined_u:object_r:user_home_t:s0
This change causes the questusr and pmpolicy home directories to be created with the security context of a user home, allowing the Primary Policy Server configuration process to succeed. If the service accounts have already been created, you can update the security contexts of the home directories and the files beneath them by running the following command:
restorecon -vR /var/opt/quest/
As a side effect, this process may leave the /etc/group file with a wrong context after the service accounts are created, which can cause problems such as the login page freezing after the next restart. This is fixed by executing the following command, which restores the group file to its original context:
restorecon -v /etc/group
Any other conflicts that arise with other functionality or with a different SELinux setup will likewise be logged in the audit file and can be diagnosed and fixed in the same way.
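The following is an added example, not part of the One Identity article: a small POSIX shell helper that parses a denial line like the one quoted above, checks which of the two file_contexts specs covers a given path, and reports whether restorecon would relabel it. The sample denial and the two spec lines are taken from the article; the function names and the verdict strings are constructed here.

```shell
#!/bin/sh
# Added example, not from the One Identity article: triage an AVC denial and work
# out which file_contexts spec covers a path. Pure text processing, so it runs on a
# host without SELinux; on the real server use matchpathcon and ls -Z instead.

# Constructed sample input: the denial quoted in the article.
AVC_SAMPLE='type=AVC msg=audit(1431011295.352:623): avc: denied { read } for pid=9856 comm="sshd" name="authorized_keys" dev="dm-0" ino=33567082 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'
# The two spec lines the article adds to file_contexts.homedirs (regex, context).
SPECS='/var/opt/quest/home/questusr(/.*)? unconfined_u:object_r:user_home_t:s0
/var/opt/quest/qpm4u/pmpolicy(/.*)? unconfined_u:object_r:user_home_t:s0'

# Print "<comm> <perms> <tclass> <target type>", e.g. "sshd read file var_t".
avc_summary() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { perms = ""; for (j = i + 1; j <= NF && $j != "}"; j++) perms = (perms == "" ? $j : perms "," $j) }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        print comm, perms, cls, ttype
    }'
}

# Print the type SPECS assigns to a path; empty output and status 1 if nothing matches.
# file_contexts regexes are anchored at both ends, hence the ^...$ wrapper. The first
# match is taken, which is enough here because the two specs do not overlap.
expected_type() {
    found=""
    while read -r regex ctx; do
        [ -n "$found" ] && continue
        if printf '%s\n' "$1" | grep -Eq "^${regex}\$"; then
            found=$(printf '%s\n' "$ctx" | cut -d: -f3)
        fi
    done <<EOF
$SPECS
EOF
    printf '%s\n' "$found"
    [ -n "$found" ]
}

# "relabel": restorecon -vR would change the object's type to match the spec;
# "ok": it already matches; "no-spec": the path is not covered, add a spec first.
relabel_verdict() {
    actual=$(avc_summary "$1" | awk '{ print $4 }')
    expected=$(expected_type "$2") || { echo no-spec; return 0; }
    [ "$actual" = "$expected" ] && echo ok || echo relabel
}

relabel_verdict "$AVC_SAMPLE" /var/opt/quest/home/questusr/.ssh/authorized_keys   # prints relabel
```

Note that file_contexts.homedirs is regenerated from the policy's home-directory templates (genhomedircon) when the policy is rebuilt, so re-run the check after semodule or semanage changes to confirm the two lines survived.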
© 2023 One Identity LLC. ALL RIGHTS RESERVED.