Bug 1160334

Summary: SELinux denies execute, read and search for sssd_be
Product: Red Hat Enterprise Linux 7
Reporter: David Spurek <dspurek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.0
CC: arubin, dspurek, ebenes, grajaiya, jgalipea, jhrozek, lslebodn, lvrabec, mgrepl, mkosek, mmalik, mvadkert, pbrezina, pkis, plautrba, preichl, pvrabec
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-11-18 10:52:00 UTC
Bug Blocks: 717785

Description David Spurek 2014-11-04 15:06:35 UTC
Description of problem:
time->Sat Nov  1 22:22:15 2014
type=SYSCALL msg=audit(1414894935.837:159): arch=80000016 syscall=33 success=no exit=-13 a0=3fff5e1d8c8 a1=1 a2=3fff5e1807a a3=2ab154da910 items=0 ppid=51209 pid=51210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1414894935.837:159): avc:  denied  { execute } for  pid=51210 comm="sssd_be" name="load_policy" dev="dm-0" ino=68153247 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:load_policy_exec_t:s0 tclass=file
----
time->Sat Nov  1 22:22:15 2014
type=SYSCALL msg=audit(1414894935.837:160): arch=80000016 syscall=33 success=no exit=-13 a0=3fff5e1d8de a1=1 a2=3fff5e180de a3=2ab15527600 items=0 ppid=51209 pid=51210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1414894935.837:160): avc:  denied  { execute } for  pid=51210 comm="sssd_be" name="setfiles" dev="dm-0" ino=68153251 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
----
time->Sat Nov  1 22:22:15 2014
type=SYSCALL msg=audit(1414894935.837:161): arch=80000016 syscall=33 success=no exit=-13 a0=2ab15528420 a1=5 a2=0 a3=0 items=0 ppid=51209 pid=51210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1414894935.837:161): avc:  denied  { read search } for  pid=51210 comm="sssd_be" name="active" dev="dm-0" ino=101680616 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir
Fail: AVC messages found.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-6.el7

Comment 2 Miroslav Grepl 2014-11-05 09:24:02 UTC
What does sssd_be do here?

Comment 3 Jakub Hrozek 2014-11-05 09:31:46 UTC
Can you help me decrypt the AVC denials? I don't see what files were touched by sssd_be.

Comment 4 Miroslav Grepl 2014-11-05 11:17:56 UTC
Sure.

type=AVC msg=audit(1414894935.837:160): avc:  denied  { execute } for  pid=51210 comm="sssd_be" name="setfiles" dev="dm-0" ino=68153251 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

tells us "sssd_be" executes setfiles (maybe in restorecon mode) directly.
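As an added example that is not part of this thread, a small Python helper that reads AVC records the way comment 4 does (which domain was denied which permission on which type and object class) and then groups the denials by (source type, target type, class), the same grouping audit2allow uses when it proposes rules. The input is the three denials quoted in the description plus one constructed SYSCALL line to show that non-AVC records are skipped; whether a grouped denial should become an allow rule, a new domain, or a code change is a policy decision the log alone cannot answer.

```python
import re

# Constructed sample input: the three AVC records from this bug plus one SYSCALL record.
AVC_LOG = """\
type=AVC msg=audit(1414894935.837:159): avc:  denied  { execute } for  pid=51210 comm="sssd_be" name="load_policy" dev="dm-0" ino=68153247 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:load_policy_exec_t:s0 tclass=file
type=AVC msg=audit(1414894935.837:160): avc:  denied  { execute } for  pid=51210 comm="sssd_be" name="setfiles" dev="dm-0" ino=68153251 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1414894935.837:161): avc:  denied  { read search } for  pid=51210 comm="sssd_be" name="active" dev="dm-0" ino=101680616 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:semanage_store_t:s0 tclass=dir
type=SYSCALL msg=audit(1414894935.837:161): arch=80000016 syscall=33 success=no exit=-13 comm="sssd_be"
"""

PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Decode one AVC record into its security-relevant parts; non-AVC lines yield None."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "result": m.group(1),
        "perms": tuple(m.group(2).split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": fields["scontext"].split(":")[2],  # user:role:type:level -> type
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def explain(line):
    """Render a record the way comment 4 reads it: who was denied what on which object."""
    r = parse_avc(line)
    if r is None:
        return None
    return (f'{r["comm"]} ({r["source_type"]}) was {r["result"]} '
            f'{" ".join(r["perms"])} on {r["tclass"]} "{r["name"]}" '
            f'labelled {r["target_type"]}')

def group_denials(log):
    """Collapse denials into (source_type, target_type, tclass) -> set of permissions.
    This is the shape of an allow rule, not a recommendation to write one."""
    groups = {}
    for line in log.splitlines():
        r = parse_avc(line)
        if r and r["result"] == "denied":
            key = (r["source_type"], r["target_type"], r["tclass"])
            groups.setdefault(key, set()).update(r["perms"])
    return groups
```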

Comment 5 Jakub Hrozek 2014-11-05 12:25:36 UTC
I'm not aware of us calling setfiles, ever ...

David, how do you reproduce this problem?

Comment 6 David Spurek 2014-11-05 12:41:52 UTC
I run authconfig --enableipav2, which calls ipa-client-install + the authconfig command that sets sss in nsswitch and in pam.

Comment 7 Jakub Hrozek 2014-11-05 12:45:19 UTC
I still have no idea how that could trigger sssd_be calling setfiles.

Comment 11 Jakub Hrozek 2014-11-05 17:45:54 UTC
Here's what's going on -- in 7.1, we switched from writing out logins into the /etc/selinux/targeted/logins directory to using semanage. I guess selinux-policy doesn't like that.

However, there is one more change coming up -- the call to semanage will not be done from the sssd_be process, but from a new selinux_child process. The selinux_child patches are still pending on review on sssd-devel.

So if you're blocked, you can change selinux-policy now to allow sssd_be to call semanage, but we'll request another change when we merge the selinux_child patches.

Comment 12 Jakub Hrozek 2014-11-06 13:12:05 UTC
sssd-1.12.2-9.el7 has all the selinux related changes in.

There is a new binary, called selinux_child that performs the SELinux context switch. This binary needs to be allowed to call functions like sss_semanage_user_mod.

Comment 13 Miroslav Grepl 2014-11-06 14:16:31 UTC
David,
did everything work correctly?

Comment 14 Miroslav Grepl 2014-11-06 14:17:23 UTC
We have a selinux-policy bug for this issue:

#1140106

Comment 15 Miroslav Grepl 2014-11-06 14:22:39 UTC
(In reply to Jakub Hrozek from comment #12)
> sssd-1.12.2-9.el7 has all the selinux related changes in.
> 
> There is a new binary, called selinux_child that performs the SELinux
> context switch. This binary needs to be allowed to call functions like
> sss_semanage_user_mod.

So we will need to add labeling for this binary.

Comment 16 David Spurek 2014-11-07 08:11:14 UTC
It seems that everything works correctly. ipa-client-install successfully configured a machine, and I was able to get information about users in the IPA server and log in as a user from IPA.

Comment 17 Ann Marie Rubin 2014-11-14 17:46:47 UTC
Can this bug be closed?

Comment 18 Miroslav Grepl 2014-11-18 10:52:00 UTC

*** This bug has been marked as a duplicate of bug 1140106 ***