Bug 1284908

Summary: SELinux prevents snort from communicating with sssd
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Simon Sekidde <ssekidde>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.1
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-11-04 02:25:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Milos Malik 2015-11-24 12:57:41 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-doc-3.13.1-60.el7.noarch
selinux-policy-minimum-3.13.1-60.el7.noarch
selinux-policy-mls-3.13.1-60.el7.noarch
selinux-policy-sandbox-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch
snort-2.9.7.6-1.x86_64 ( https://www.snort.org/downloads/snort/snort-2.9.7.6-1.centos7.x86_64.rpm )

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.2 machine
2. install, configure and start sssd
3. modify /etc/nsswitch.conf
# grep sss /etc/nsswitch.conf
passwd:     sss files
shadow:     sss files
group:      sss files
services:   sss files
netgroup:   sss files
#
4. service snortd start
5. search for AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(11/24/2015 13:50:24.997:159) : item=0 name=/var/lib/sss/mc/group objtype=UNKNOWN 
type=CWD msg=audit(11/24/2015 13:50:24.997:159) :  cwd=/var/log/snort 
type=SYSCALL msg=audit(11/24/2015 13:50:24.997:159) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x1b50670 a1=O_RDONLY|O_CLOEXEC a2=0x7fff15cb42f4 a3=0x5 items=1 ppid=3164 pid=3166 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:50:24.997:159) : avc:  denied  { search } for  pid=3166 comm=snort name=sss dev="vda3" ino=34398191 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=PATH msg=audit(11/24/2015 13:56:10.914:183) : item=0 name=/var/lib/sss/mc/passwd inode=17910943 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_public_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/24/2015 13:56:10.914:183) :  cwd=/var/log/snort 
type=SYSCALL msg=audit(11/24/2015 13:56:10.914:183) : arch=x86_64 syscall=open success=yes exit=3 a0=0x2d73690 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc668f2c54 a3=0x7ffc668f2990 items=1 ppid=4066 pid=4068 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { open } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { read } for  pid=4068 comm=snort name=passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/24/2015 13:56:10.917:184) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffc668f2c60 a2=0x7ffc668f2c60 a3=0x7ffc668f29c0 items=0 ppid=4066 pid=4068 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:56:10.917:184) : avc:  denied  { getattr } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=PATH msg=audit(11/24/2015 13:56:10.917:185) : item=0 name=/var/lib/sss/pipes/nss inode=34398178 dev=fd:03 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/24/2015 13:56:10.917:185) :  cwd=/var/log/snort 
type=SOCKADDR msg=audit(11/24/2015 13:56:10.917:185) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(11/24/2015 13:56:10.917:185) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffc668f2c20 a2=0x6e a3=0x7ffc668f2940 items=1 ppid=4066 pid=4068 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:56:10.917:185) : avc:  denied  { write } for  pid=4068 comm=snort name=nss dev="vda3" ino=34398178 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file 
----
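
Editor's note, not part of the reporter's comment: the enforcing-mode run above logs only the `search` denial on /var/lib/sss, because open() fails during pathname lookup before the file itself is ever reached. The permissive-mode run is what exposes the full access vector snort_t actually needs: `open`, `read` and `getattr` on the sssd_public_t memory-mapped cache and `write` on the sssd_var_lib_t nss socket. The script below is an added example (not code from the bug, from Red Hat or from the snort project) that parses exactly these five AVC records, unions the denied permissions per (source type, target type, object class) the way audit2allow does, and renders a local policy module that can serve as a stop-gap until the fixed selinux-policy build is installed. The module name `snort_sssd_local` is an assumption; everything else in the output comes from the records themselves.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in this bug report
# (one from the enforcing run, four from the permissive run), embedded so the
# script runs offline. On a live host feed it the output of
# `ausearch -m AVC -ts recent` instead.
AVC_RECORDS = """\
type=AVC msg=audit(11/24/2015 13:50:24.997:159) : avc:  denied  { search } for  pid=3166 comm=snort name=sss dev="vda3" ino=34398191 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { open } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { read } for  pid=4068 comm=snort name=passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(11/24/2015 13:56:10.917:184) : avc:  denied  { getattr } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(11/24/2015 13:56:10.917:185) : avc:  denied  { write } for  pid=4068 comm=snort name=nss dev="vda3" ino=34398178 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
"""

# One AVC record: the result, the permission set in braces, then the three
# fields that identify the access vector (scontext, tcontext, tclass).
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(context):
    """'system_u:system_r:snort_t:s0' -> 'snort_t'. The type is always the
    third field; an MLS range such as s0-s0:c0.c1023 follows it."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return (result, source_type, target_type, tclass, perms) per AVC line."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/CWD/SOCKADDR records carry no access vector
        records.append((
            m.group("result"),
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return records


def aggregate_denials(records):
    """Union the denied permissions per (source, target, class), as audit2allow
    does. 'granted' records (from auditallow rules) are ignored."""
    rules = defaultdict(set)
    for result, src, tgt, cls, perms in records:
        if result == "denied":
            rules[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in rules.items()}


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="snort_sssd_local", version="1.0"):
    """Render policy module source accepted by `checkmodule -M -m`.
    The module name is an assumption; use any name not already loaded."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    lines += ["}", ""]
    lines += [f"allow {src} {tgt}:{cls} {fmt_perms(rules[(src, tgt, cls)])};"
              for (src, tgt, cls) in sorted(rules)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(aggregate_denials(parse_avcs(AVC_RECORDS))), end="")
```

Build and load the result with `checkmodule -M -m -o snort_sssd_local.mod snort_sssd_local.te`, `semodule_package -o snort_sssd_local.pp -m snort_sssd_local.mod` and `semodule -i snort_sssd_local.pp`. Two caveats a practitioner should keep in mind: the rules only cover the accesses exercised in the run that produced the log, so collect them with snort_t alone in permissive mode (`semanage permissive -a snort_t`) rather than with the whole system permissive; and in the distribution policy such access is normally granted through the sssd interfaces (for example sssd_read_public_files() and sssd_stream_connect()) rather than raw allow rules, so after updating to the fixed package confirm the access with `sesearch -A -s snort_t -t sssd_public_t -c file` and remove the local module. Whether the errata build used those interfaces is not stated in this report.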

Comment 5 errata-xmlrpc 2016-11-04 02:25:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html