
Bug 1030273

Summary: avc appears on setting "ldap_tls_cacertdir=/etc/openldap/certs" in sssd.conf
Product: Red Hat Enterprise Linux 7
Reporter: Kaushik Banerjee <kbanerje>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.0
CC: dpal, jhrozek, ksrot, mmalik, nkarandi
Target Milestone: rc
Keywords: TestBlocker
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.12.1-109.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:55:58 UTC
Type: Bug

Description Kaushik Banerjee 2013-11-14 09:27:26 UTC
Description of problem:
SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-99.el7
sssd-1.11.1-2.el7

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd.conf as follows:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAPTEST

[domain/LDAPTEST]
debug_level = 9
id_provider = ldap
ldap_uri = ldaps://<ldapserver>
ldap_search_base = dc=example,dc=com
enumerate = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert.asc


2. Start sssd

Actual results:
Lookup and auth works fine. However, the following avc is seen.

SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_be should be allowed read access on the certs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sssd_be /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:slapd_cert_t:s0
Target Objects                /etc/openldap/certs [ dir ]
Source                        sssd_be
Source Path                   /usr/libexec/sssd/sssd_be
Port                          <Unknown>
Host                          dhcp207-191.lab.eng.pnq.redhat.com
Source RPM Packages           sssd-common-1.11.1-2.el7.x86_64
Target RPM Packages           openldap-2.4.35-7.el7.x86_64
Policy RPM                    selinux-policy-3.12.1-99.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp207-191.lab.eng.pnq.redhat.com
Platform                      Linux dhcp207-191.lab.eng.pnq.redhat.com
                              3.10.0-15.el7.x86_64 #1 SMP Fri Aug 30 14:42:21
                              EDT 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-30 13:38:39 IST
Last Seen                     2013-11-14 14:48:45 IST
Local ID                      390eb88a-89e3-4f16-b8d0-5a46466cdb14

Raw Audit Messages
type=AVC msg=audit(1384420725.562:34932): avc:  denied  { read } for  pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir


type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f107173fc00 a2=90800 a3=0 items=0 ppid=21262 pid=21263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: sssd_be,sssd_t,slapd_cert_t,dir,read


Expected results:


Additional info:

Comment 4 Miroslav Grepl 2013-11-25 10:14:25 UTC
commit 75611932c49452a95879708bc27c25672ea2bc4f
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 25 11:13:58 2013 +0100

    Fix ldap_read_certs() interface

Comment 7 Nirupama Karandikar 2013-12-09 11:53:09 UTC
Hello,

Able to reproduce the same issue with sssd-1.11.2-10.el7.x86_64 and selinux-policy-3.12.1-108.el7.noarch; tried the following steps.

# cacertdir_rehash /etc/openldap/certs/

# ll /etc/openldap/certs/
total 8
lrwxrwxrwx. 1 root root   10 Dec  9 17:17 111255b6.0 -> cacert.pem
-rw-r--r--. 1 root root 4710 Nov 12 12:26 cacert.pem

From sssd.conf :
[domain/LDAP]
..
..
.
ldap_tls_cacertdir = /etc/openldap/certs
..
.

From /var/log/audit/audit.log :

-----------------------
type=AVC msg=audit(1386589331.566:3530): avc:  denied  { read } for  pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1386589331.566:3530): arch=c000003e syscall=4 success=no exit=-13 a0=7ff27a041710 a1=7fff6d8c5650 a2=7fff6d8c5650 a3=2e items=0 ppid=2243 pid=2244 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
------------------------

The issue does not occur if we use "ldap_tls_cacert = /etc/openldap/certs/cacert.pem" in sssd.conf.

Niru

Comment 8 Milos Malik 2013-12-09 12:26:11 UTC
The issue you described is slightly different. Comment#0 is related to /etc/openldap/certs directory, while comment#7 is related to a symbolic link inside the /etc/openldap/certs directory. But you are right that both issues should be fixed.
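An added illustration, not code from this bug report or from the selinux-policy project: a small Python parser that reduces AVC records like the two quoted in comment 0 and comment 7 to the distinct allow rules they imply (the same tuple audit2allow summarizes), and reports which denials a given set of allowed rules leaves uncovered. Run on the two records it shows why a fix for the directory alone still leaves the symbolic link inside it denied. The sample records are constructed from the AVC lines in this report.

```python
import re

# Sample audit records constructed from the two AVC denials in this bug report
# (comment 0: the certs directory; comment 7: a rehashed symlink inside it).
# The SYSCALL line is included only to show that non-AVC records are ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(1384420725.562:34932): avc:  denied  { read } for  pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES
type=AVC msg=audit(1386589331.566:3530): avc:  denied  { read } for  pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
"""

# Matches an AVC denial and captures the permission set, both contexts and the object class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field (user:role:type:level -> type) of a security context."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            yield (selinux_type(m['scontext']), selinux_type(m['tcontext']),
                   m['tclass'], frozenset(m['perms'].split()))


def summarize_rules(text):
    """Collapse the denials into the distinct allow rules they require, one per
    (source type, target type, class), in the form audit2allow would print."""
    needed = {}
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        needed.setdefault((stype, ttype, tclass), set()).update(perms)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in needed.items())


def uncovered_denials(text, allowed):
    """Return (source_type, target_type, tclass, perm) tuples from the log that the
    set `allowed` (same tuple shape) does not permit; empty means the policy covers them."""
    return sorted((s, t, c, p) for s, t, c, perms in parse_avc_denials(text)
                  for p in perms if (s, t, c, p) not in allowed)
```

With only the directory rule from the first fix in `allowed`, `uncovered_denials` still reports the lnk_file read from comment 7, which is the case the second commit addresses.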

Comment 9 Miroslav Grepl 2013-12-09 20:59:16 UTC
commit 42f3bf8833f5ac8080c1f010797bb142f99cfb73
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 9 21:58:32 2013 +0100

    Fix ldap_read_certs() interface to allow access also to link files

Comment 11 Ludek Smid 2014-06-13 10:55:58 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.