Bug 1373265

Summary: sssd needs write access to /etc/sssd/
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.3
CC: lslebodn, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-02-13 09:44:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Patrik Kis 2016-09-05 15:58:17 UTC
Description of problem:
type=SYSCALL msg=audit(09/05/2016 11:43:50.109:373) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f775c0aa1ba a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x30733a745f666e6f items=0 ppid=1 pid=17609 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/05/2016 11:43:50.109:373) : avc:  denied  { write } for  pid=17609 comm=sssd name=sssd dev="dm-0" ino=51240645 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
always

Steps to Reproduce:
# ipa-client-install --uninstall

Comment 1 Patrik Kis 2016-09-06 07:22:54 UTC
A few more AVC denials appeared in permissive mode:

----
type=SYSCALL msg=audit(09/06/2016 03:18:12.063:438) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7f9078cf61ba a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x30733a745f666e6f items=0 ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write } for  pid=16303 comm=sssd path=/etc/sssd/sssd.conf dev="dm-0" ino=101340868 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { create } for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { add_name } for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write } for  pid=16303 comm=sssd name=sssd dev="dm-0" ino=101108507 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.073:439) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0x6 a1=0x0 a2=0x0 a3=0x7ffde293f570 items=0 ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.073:439) : avc:  denied  { setattr } for  pid=16303 comm=sssd name=sssd.conf dev="dm-0" ino=101340868 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.746:440) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x10 a1=0x7ffde293fa20 a2=0x29 a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.746:440) : avc:  denied  { create } for  pid=16304 comm=sssd name=sbus-monitor scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.747:441) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f9079e31db0 a1=0777 a2=0x1 a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.747:441) : avc:  denied  { setattr } for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.747:442) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7f9079e2e2ba a1=0x7ffde293fdb0 a2=0x7ffde293fdb0 a3=0x7ffde293f9d0 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.747:442) : avc:  denied  { getattr } for  pid=16304 comm=sssd path=/var/lib/sss/pipes/private/sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.756:443) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x11 a1=0x7fff6536e710 a2=0x29 a3=0x7fff6536e480 items=0 ppid=16304 pid=16305 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.756:443) : avc:  denied  { write } for  pid=16305 comm=sssd_be name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:23.916:451) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f9078cf53cf a1=0x7ffde293fc44 a2=0xfffffffffffffe50 a3=0x0 items=0 ppid=1 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:23.916:451) : avc:  denied  { unlink } for  pid=16304 comm=sssd name=sssd.pid dev="tmpfs" ino=92615 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:23.916:452) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f9079e251d0 a1=0x0 a2=0x2f a3=0x7ffde293f7a0 items=0 ppid=1 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:23.916:452) : avc:  denied  { unlink } for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:24.012:455) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f1b614b2cf0 a1=O_RDWR|O_CREAT a2=0666 a3=0x3 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:24.012:455) : avc:  denied  { write } for  pid=16474 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:24.012:456) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f1b614b32b0 a1=root a2=root a3=0x7ffebf42d390 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:24.012:456) : avc:  denied  { setattr } for  pid=16474 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:25.104:463) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f575f12dbf0 a1=O_RDWR|O_CREAT a2=0666 a3=0x3 items=0 ppid=16559 pid=16560 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:25.104:463) : avc:  denied  { write } for  pid=16560 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:25.104:464) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f575f12e260 a1=root a2=root a3=0x7ffe0b83e860 items=0 ppid=16559 pid=16560 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:25.104:464) : avc:  denied  { setattr } for  pid=16560 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:20:24.960:474) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f4108c127c0 a1=O_RDWR|O_CREAT a2=0666 a3=0x3 items=0 ppid=16836 pid=16837 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:20:24.960:474) : avc:  denied  { write } for  pid=16837 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:20:24.960:475) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f4108c12eb0 a1=root a2=root a3=0x7ffceb0a6830 items=0 ppid=16836 pid=16837 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:20:24.960:475) : avc:  denied  { setattr } for  pid=16837 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file

Comment 3 Lukas Slebodnik 2016-09-06 07:39:26 UTC
(In reply to Patrik Kis from comment #1)
> A few more AVC denials appeared in permissive mode:
> 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.063:438) : arch=x86_64
> syscall=open success=yes exit=6 a0=0x7f9078cf61ba
> a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x30733a745f666e6f items=0
> ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd
> exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write }
> for  pid=16303 comm=sssd path=/etc/sssd/sssd.conf dev="dm-0" ino=101340868
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { create }
> for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { add_name }
> for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write }
> for  pid=16303 comm=sssd name=sssd dev="dm-0" ino=101108507
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.073:439) : arch=x86_64
> syscall=fchown success=yes exit=0 a0=0x6 a1=0x0 a2=0x0 a3=0x7ffde293f570
> items=0 ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd
> exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.073:439) : avc:  denied  { setattr }
> for  pid=16303 comm=sssd name=sssd.conf dev="dm-0" ino=101340868
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> ----
It is caused by copying the default config /usr/lib64/sssd/conf/sssd.conf
if /etc/sssd/sssd.conf does not exist.

> type=SYSCALL msg=audit(09/06/2016 03:18:12.746:440) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x10 a1=0x7ffde293fa20 a2=0x29
> a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.746:440) : avc:  denied  { create }
> for  pid=16304 comm=sssd name=sbus-monitor
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.747:441) : arch=x86_64
> syscall=chmod success=yes exit=0 a0=0x7f9079e31db0 a1=0777 a2=0x1
> a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.747:441) : avc:  denied  { setattr }
> for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.747:442) : arch=x86_64
> syscall=stat success=yes exit=0 a0=0x7f9079e2e2ba a1=0x7ffde293fdb0
> a2=0x7ffde293fdb0 a3=0x7ffde293f9d0 items=0 ppid=16303 pid=16304 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd
> subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.747:442) : avc:  denied  { getattr }
> for  pid=16304 comm=sssd path=/var/lib/sss/pipes/private/sbus-monitor
> dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.756:443) : arch=x86_64
> syscall=connect success=yes exit=0 a0=0x11 a1=0x7fff6536e710 a2=0x29
> a3=0x7fff6536e480 items=0 ppid=16304 pid=16305 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be
> subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.756:443) : avc:  denied  { write }
> for  pid=16305 comm=sssd_be name=sbus-monitor dev="dm-0" ino=33605410
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
The previous records seem to be related to /var/lib/sss/pipes/private/sbus-monitor,
but I do not understand why tcontext is system_u:object_r:sssd_conf_t:s0.


> ----
> type=SYSCALL msg=audit(09/06/2016 03:19:23.916:451) : arch=x86_64
> syscall=unlink success=yes exit=0 a0=0x7f9078cf53cf a1=0x7ffde293fc44
> a2=0xfffffffffffffe50 a3=0x0 items=0 ppid=1 pid=16304 auid=unset uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd
> subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:23.916:451) : avc:  denied  { unlink }
> for  pid=16304 comm=sssd name=sssd.pid dev="tmpfs" ino=92615
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> ----


> type=SYSCALL msg=audit(09/06/2016 03:19:23.916:452) : arch=x86_64
> syscall=unlink success=yes exit=0 a0=0x7f9079e251d0 a1=0x0 a2=0x2f
> a3=0x7ffde293f7a0 items=0 ppid=1 pid=16304 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:23.916:452) : avc:  denied  { unlink }
> for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:19:24.012:455) : arch=x86_64
> syscall=open success=yes exit=13 a0=0x7f1b614b2cf0 a1=O_RDWR|O_CREAT a2=0666
> a3=0x3 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:24.012:455) : avc:  denied  { write }
> for  pid=16474 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:19:24.012:456) : arch=x86_64
> syscall=chown success=yes exit=0 a0=0x7f1b614b32b0 a1=root a2=root
> a3=0x7ffebf42d390 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:24.012:456) : avc:  denied  { setattr }
> for  pid=16474 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 

cache_shadowutils.ldb says that the default configuration was used,
but I do not understand why there is a wrong SELinux context there.

Comment 4 Milos Malik 2016-09-06 07:52:15 UTC
It's weird that /var/lib/sss/pipes/private/sbus-monitor is labeled sssd_conf_t. And sssd.pid should not be labeled sssd_conf_t.
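Comments 3 and 4 draw the distinction a policy maintainer needs: the sssd.conf denials are a genuine question about what sssd_t may do to sssd_conf_t, while the sbus-monitor, sssd.pid and sssd.ldb denials point at objects carrying a label their location does not call for. The following is an added Python triage script, not from the report or from sssd/selinux-policy, that applies that distinction to the report's own records; the EXPECTED_TYPES map (including the sssd_var_lib_t and sssd_var_run_t names) is an assumption to confirm with matchpathcon on a real host.

```python
"""Triage the AVC denials from this report: is each one a missing policy
rule, or an object that simply carries the wrong SELinux label?  Added
example, not part of the bug report or of sssd/selinux-policy."""
import re
from collections import Counter

# Constructed sample in `ausearch -i` form, copied from the report's records.
SAMPLE = """\
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write } for  pid=16303 comm=sssd path=/etc/sssd/sssd.conf dev="dm-0" ino=101340868 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
type=AVC msg=audit(09/06/2016 03:18:12.747:442) : avc:  denied  { getattr } for  pid=16304 comm=sssd path=/var/lib/sss/pipes/private/sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
type=AVC msg=audit(09/06/2016 03:19:23.916:451) : avc:  denied  { unlink } for  pid=16304 comm=sssd name=sssd.pid dev="tmpfs" ino=92615 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
type=AVC msg=audit(09/06/2016 03:19:24.012:455) : avc:  denied  { write } for  pid=16474 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM = re.compile(r'denied\s+\{\s*([\w ]+?)\s*\}')

# ASSUMPTION: where each object lives and the type it should carry.  Heuristic
# built from the paths in this report; confirm with matchpathcon on a real host.
EXPECTED_TYPES = [
    (lambda r: r['path'].startswith('/etc/sssd') or r['name'] in ('sssd', 'sssd.conf'), 'sssd_conf_t'),
    (lambda r: r['path'].startswith('/var/lib/sss') or r['name'].endswith('.ldb')
     or r['name'] == 'sbus-monitor', 'sssd_var_lib_t'),
    (lambda r: r['dev'] == 'tmpfs' or r['name'].endswith('.pid'), 'sssd_var_run_t'),
]

def parse_avc(line):
    """Parse one type=AVC record into a dict; other record types give None."""
    if not line.startswith('type=AVC'):
        return None
    rec = {'path': '', 'name': '', 'dev': ''}
    rec.update((k, v.strip('"')) for k, v in KV.findall(line))
    rec['perm'] = m.group(1) if (m := PERM.search(line)) else '?'
    rec['ttype'] = rec.get('tcontext', '::?').split(':')[2]  # object type only
    return rec

def triage(lines):
    """Return [(verdict, record)].  'policy-gap': the label is the expected one,
    so the denial is a real policy question (sssd_t writing its own config dir).
    'mislabeled': the type does not fit the location; fix is a relabel, not a rule."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        want = next((t for match, t in EXPECTED_TYPES if match(rec)), None)
        if want is None:
            verdict = 'unknown'
        elif want == rec['ttype']:
            verdict = 'policy-gap'
        else:
            verdict = 'mislabeled'
        out.append((verdict, rec))
    return out

def summarize(lines):
    """Count verdicts and list the objects that need relabeling."""
    results = triage(lines)
    counts = Counter(v for v, _ in results)
    relabel = sorted({r['path'] or r['name'] for v, r in results if v == 'mislabeled'})
    return counts, relabel

if __name__ == '__main__':
    print(summarize(SAMPLE.splitlines()))
```

A 'mislabeled' verdict argues for restorecon on the object rather than an audit2allow rule, which would otherwise grant sssd_t write access to sssd_conf_t sockets and pid files.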

Comment 5 Lukas Slebodnik 2016-09-08 11:17:02 UTC
Just for your information:
the feature of copying the default sssd.conf (/usr/lib64/sssd/conf/sssd.conf)
was reverted for RHEL 7.3 in sssd-1.14.0-36.el7.

Comment 6 Patrik Kis 2016-09-20 09:04:16 UTC
A new AVC denial appeared:

type=SYSCALL msg=audit(1473934873.287:1068): arch=c0000015 syscall=40 success=no exit=-13 a0=3fffc7d6ad88 a1=0 a2=3fff87d90fd0 a3=0 items=0 ppid=29209 pid=29496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
type=AVC msg=audit(1473934873.287:1068): avc:  denied  { rmdir } for  pid=29496 comm="selinux_child" name="contexts" dev="dm-0" ino=101862232 scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir

Comment 8 Lukas Slebodnik 2016-09-20 09:57:02 UTC
(In reply to Patrik Kis from comment #6)
> A new AVC denial appeared:
> 
> type=SYSCALL msg=audit(1473934873.287:1068): arch=c0000015 syscall=40
> success=no exit=-13 a0=3fffc7d6ad88 a1=0 a2=3fff87d90fd0 a3=0 items=0
> ppid=29209 pid=29496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child"
> exe="/usr/libexec/sssd/selinux_child"
> subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
> type=AVC msg=audit(1473934873.287:1068): avc:  denied  { rmdir } for 
> pid=29496 comm="selinux_child" name="contexts" dev="dm-0" ino=101862232
> scontext=system_u:system_r:sssd_selinux_manager_t:s0
> tcontext=system_u:object_r:default_context_t:s0 tclass=dir

This is unrelated to this BZ; file a new one.

Comment 9 Patrik Kis 2016-09-21 13:47:58 UTC
(In reply to Lukas Slebodnik from comment #8)
> (In reply to Patrik Kis from comment #6)
> 
> This is unrelated to this BZ; file a new one.

Right. See bug 1378108.

Comment 10 Lukas Slebodnik 2017-02-07 14:26:10 UTC
This feature was reverted in sssd upstream
and will be part of sssd-1.15.1.

Comment 11 Lukas Slebodnik 2017-02-07 14:26:35 UTC
Feel free to close it.