Bug 1160334
Summary: | SELinux denies execute, read and search for sssd_be | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.0 | CC: | arubin, dspurek, ebenes, grajaiya, jgalipea, jhrozek, lslebodn, lvrabec, mgrepl, mkosek, mmalik, mvadkert, pbrezina, pkis, plautrba, preichl, pvrabec |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-11-18 10:52:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 717785 | | |
Description
David Spurek
2014-11-04 15:06:35 UTC
What does sssd_be do here? Can you help me decrypt the AVC denials? I don't see what files were touched by sssd_be.

Sure.

type=AVC msg=audit(1414894935.837:160): avc: denied { execute } for pid=51210 comm="sssd_be" name="setfiles" dev="dm-0" ino=68153251 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

tells us "sssd_be" executes setfiles (maybe in restorecon mode) directly.

I'm not aware of us calling setfiles, ever ... David, how do you reproduce this problem?

I run authconfig --enableipav2, which calls ipa-client-install + the authconfig command that sets sss in nsswitch and in pam.

I still have no idea how that could trigger sssd_be calling setfiles?

Here's what's going on -- in 7.1, we switched from writing out logins into the /etc/selinux/targeted/logins directory to using semanage. I guess selinux-policy doesn't like that. However, there is one more change coming up -- the call to semanage will not be done from the sssd_be process, but from a new selinux_child process. The selinux_child patches are still pending on review on sssd-devel. So if you're blocked, you can change selinux-policy now to allow sssd_be to call semanage, but we'll request another change when we merge the selinux_child patches.

sssd-1.12.2-9.el7 has all the selinux related changes in. There is a new binary, called selinux_child, that performs the SELinux context switch. This binary needs to be allowed to call functions like sss_semanage_user_mod.

David, did everything work correctly?

We have a selinux-policy bug for this issue: #1140106

(In reply to Jakub Hrozek from comment #12)
> sssd-1.12.2-9.el7 has all the selinux related changes in.
>
> There is a new binary, called selinux_child that performs the SELinux
> context switch. This binary needs to be allowed to call functions like
> sss_semanage_user_mod.

So we will need to add labeling for this binary.

It seems that everything works correctly. ipa-client-install successfully configured a machine and I was able to get information about users in the IPA server and log in as a user from IPA. Can this bug be closed?

*** This bug has been marked as a duplicate of bug 1140106 ***
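The thread above interprets the AVC record by hand (source domain sssd_t, permission execute, target label setfiles_exec_t). The parser below is an added example, not part of the bug report or of sssd, that decodes audit AVC records into those fields so the same interpretation can be produced for any denial; the first sample line is the record quoted in the thread, the second, with `{ read search }`, is constructed to match the bug summary.

```python
import re
from dataclasses import dataclass, field

# Record quoted in the bug report: sssd_be (sssd_t) executing setfiles.
AVC_EXEC = ('type=AVC msg=audit(1414894935.837:160): avc: denied { execute } for pid=51210 '
            'comm="sssd_be" name="setfiles" dev="dm-0" ino=68153251 '
            'scontext=system_u:system_r:sssd_t:s0 '
            'tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file')

# Constructed sample (not from the page) with two permissions in one record.
AVC_MULTI = ('type=AVC msg=audit(1414894935.900:161): avc: denied { read search } for pid=51210 '
             'comm="sssd_be" name="logins" dev="dm-0" ino=1 '
             'scontext=system_u:system_r:sssd_t:s0 '
             'tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir')

_RESULT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str                 # "denied" or "granted"
    perms: list                 # permissions inside the braces, e.g. ["read", "search"]
    fields: dict = field(default_factory=dict)  # pid, comm, name, scontext, tcontext, tclass, ...

    @property
    def source_type(self):      # third component of scontext, e.g. sssd_t
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):      # third component of tcontext, e.g. setfiles_exec_t
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Parse one audit AVC record; raises ValueError for non-AVC lines."""
    m = _RESULT_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line[:40])
    # Only key=value pairs after the closing brace belong to the record body,
    # so msg=audit(...) in the prefix is deliberately skipped.
    body = line[m.end():]
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(body)}
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def describe(rec):
    """One-line reading of the record in the style of the comment on the bug."""
    return ('%s (%s) was %s %s on %s %s (%s)' % (
        rec.fields.get("comm", "?"), rec.source_type, rec.result,
        ", ".join(rec.perms), rec.fields["tclass"],
        rec.fields.get("name", "?"), rec.target_type))


if __name__ == "__main__":
    for line in (AVC_EXEC, AVC_MULTI):
        print(describe(parse_avc(line)))
```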