| Summary: | avc appears on setting "ldap_tls_cacertdir=/etc/openldap/certs" in sssd.conf | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kaushik Banerjee <kbanerje> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | dpal, jhrozek, ksrot, mmalik, nkarandi |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.12.1-109.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 10:55:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
commit 75611932c49452a95879708bc27c25672ea2bc4f
Author: Miroslav Grepl <mgrepl>
Date: Mon Nov 25 11:13:58 2013 +0100
Fix ldap_read_certs() interface
Hello,
Able to reproduce same issue with sssd-1.11.2-10.el7.x86_64 and selinux-policy-3.12.1-108.el7.noarch, tried following steps.
# cacertdir_rehash /etc/openldap/certs/
# ll /etc/openldap/certs/
total 8
lrwxrwxrwx. 1 root root 10 Dec 9 17:17 111255b6.0 -> cacert.pem
-rw-r--r--. 1 root root 4710 Nov 12 12:26 cacert.pem
From sssd.conf :
[domain/LDAP]
..
..
.
ldap_tls_cacertdir = /etc/openldap/certs
..
.
From /var/log/audit/audit.log :
-----------------------
type=AVC msg=audit(1386589331.566:3530): avc: denied { read } for pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1386589331.566:3530): arch=c000003e syscall=4 success=no exit=-13 a0=7ff27a041710 a1=7fff6d8c5650 a2=7fff6d8c5650 a3=2e items=0 ppid=2243 pid=2244 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
------------------------
Issue do not occur if we use "ldap_tls_cacert = /etc/openldap/certs/cacert.pem" in sssd.conf
Niru
The issue you described is slightly different. Comment#0 is related to /etc/openldap/certs directory, while comment#7 is related to a symbolic link inside the /etc/openldap/certs directory. But you are right that both issues should be fixed. commit 42f3bf8833f5ac8080c1f010797bb142f99cfb73
Author: Miroslav Grepl <mgrepl>
Date: Mon Dec 9 21:58:32 2013 +0100
Fix ldap_read_certs() interface to allow acess also link files
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Description of problem: SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs Version-Release number of selected component (if applicable): selinux-policy-3.12.1-99.el7 sssd-1.11.1-2.el7 How reproducible: Always Steps to Reproduce: 1. Setup sssd.conf as follows: [sssd] config_file_version = 2 services = nss, pam domains = LDAPTEST [domain/LDAPTEST] debug_level = 9 id_provider = ldap ldap_uri = ldaps://<ldapserver> ldap_search_base = dc=example,dc=com enumerate = true ldap_tls_cacertdir = /etc/openldap/certs ldap_tls_cacert = /etc/openldap/certs/cacert.asc 2. Start sssd Actual results: Lookup and auth works fine. However, the following avc is seen. SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sssd_be should be allowed read access on the certs directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sssd_be /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:sssd_t:s0 Target Context system_u:object_r:slapd_cert_t:s0 Target Objects /etc/openldap/certs [ dir ] Source sssd_be Source Path /usr/libexec/sssd/sssd_be Port <Unknown> Host dhcp207-191.lab.eng.pnq.redhat.com Source RPM Packages sssd-common-1.11.1-2.el7.x86_64 Target RPM Packages openldap-2.4.35-7.el7.x86_64 Policy RPM selinux-policy-3.12.1-99.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name dhcp207-191.lab.eng.pnq.redhat.com Platform Linux dhcp207-191.lab.eng.pnq.redhat.com 3.10.0-15.el7.x86_64 #1 SMP Fri Aug 30 14:42:21 EDT 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-10-30 13:38:39 IST Last Seen 2013-11-14 14:48:45 IST Local ID 390eb88a-89e3-4f16-b8d0-5a46466cdb14 Raw Audit Messages type=AVC msg=audit(1384420725.562:34932): avc: denied { read } for pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f107173fc00 a2=90800 a3=0 items=0 ppid=21262 pid=21263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) Hash: sssd_be,sssd_t,slapd_cert_t,dir,read Expected results: Additional info: