| Summary: | SELinux is preventing /usr/libexec/sssd/sssd_be from 'search' accesses on the directory 3718. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 25 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, sgallagh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:c9212d451c1f378d064f0b45656c4f8120ef4cbc40405c62553300c1ed607594;VARIANT_ID=workstation; | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-17 12:05:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
If you run restorecon, are you able to reproduce it?

I haven't seen this reappear since then. For the moment, I'm just going to close this bug and I'll reopen it if I can reproduce it.
Description of problem:

SELinux is preventing /usr/libexec/sssd/sssd_be from 'search' accesses on the directory 3718.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow sssd_be to have search access on the 3718 directory
Then you need to change the label on 3718
Do

```
# semanage fcontext -a -t FILE_TYPE '3718'
```

where FILE_TYPE is one of the following:

NetworkManager_var_run_t, abrt_var_cache_t, abrt_var_run_t, admin_home_t, aiccu_var_run_t, ajaxterm_var_run_t, alsa_var_run_t, anon_inodefs_t, antivirus_var_run_t, apcupsd_var_run_t, apmd_var_run_t, arpwatch_var_run_t, asterisk_var_run_t, audisp_var_run_t, auditd_var_run_t, auth_cache_t, automount_var_run_t, avahi_var_run_t, bacula_var_run_t, bcfg2_var_run_t, bin_t, bitlbee_var_run_t, blkmapd_var_run_t, blktap_var_run_t, blueman_var_run_t, bluetooth_var_run_t, boot_t, bootloader_var_run_t, brltty_var_run_t, bumblebee_var_run_t, cachefilesd_var_run_t, callweaver_var_run_t, canna_var_run_t, cardmgr_var_run_t, ccs_var_run_t, cert_t, certmaster_var_run_t, certmonger_var_run_t, cgred_var_run_t, chronyd_var_run_t, cinder_var_run_t, clogd_var_run_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cockpit_var_run_t, collectd_var_run_t, comsat_var_run_t, condor_var_run_t, conman_var_run_t, consolekit_var_run_t, couchdb_var_run_t, courier_var_run_t, cpu_online_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_var_run_t, crond_var_run_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_var_run_t, cyrus_var_run_t, dbskkd_var_run_t, dbusd_etc_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_var_run_t, default_context_t, default_t, deltacloudd_var_run_t, device_t, devicekit_var_run_t, devpts_t, dhcpc_var_run_t, dhcpd_var_run_t, dictd_var_run_t, dirsrv_snmp_var_run_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_run_t, dnsmasq_var_run_t,
dnssec_trigger_var_run_t, dovecot_var_run_t, drbd_var_run_t, dspam_var_run_t, entropyd_var_run_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_run_t, exim_var_run_t, fail2ban_var_lib_t, fail2ban_var_run_t, faillog_t, fcoemon_var_run_t, fenced_var_run_t, fetchmail_var_run_t, file_context_t, fingerd_var_run_t, firewalld_var_run_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_var_run_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_var_run_t, games_srv_var_run_t, gdomap_var_run_t, gear_var_run_t, getty_var_run_t, gfs_controld_var_run_t, gkeyringd_tmp_t, glance_var_run_t, glusterd_var_run_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_run_t, gssproxy_var_run_t, haproxy_var_run_t, home_root_t, hostapd_var_run_t, httpd_sys_content_t, httpd_var_run_t, hwloc_var_run_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_var_run_t, init_var_run_t, initrc_var_run_t, innd_var_run_t, insmod_var_run_t, ipa_var_run_t, ipmievd_var_run_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_var_lib_t, iptables_var_run_t, irqbalance_var_run_t, iscsi_var_run_t, isnsd_var_run_t, iwhd_var_run_t, jetty_var_run_t, kadmind_var_run_t, keepalived_var_run_t, keystone_var_run_t, kismet_var_run_t, klogd_var_run_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_var_run_t, ksmtuned_var_run_t, l2tpd_var_run_t, lib_t, likewise_var_lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t, locate_var_run_t, logwatch_var_run_t, lost_found_t, lpd_var_run_t, lsassd_var_run_t, lsmd_var_run_t, lttng_sessiond_var_run_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, mailman_var_run_t, man_cache_t, man_t, mandb_cache_t, mcelog_var_run_t, mdadm_var_run_t, memcached_var_run_t, minidlna_var_run_t, minissdpd_var_run_t, mirrormanager_var_run_t, mnt_t, mock_var_run_t, mon_statd_var_run_t, mongod_var_run_t, motion_var_run_t, mount_var_run_t, mozilla_plugin_tmp_t, 
mozilla_plugin_tmpfs_t, mpd_var_run_t, mrtg_var_run_t, mscan_var_run_t, munin_var_run_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, naemon_var_run_t, nagios_var_run_t, named_var_run_t, net_conf_t, netlogond_var_run_t, neutron_var_run_t, ninfod_run_t, nmbd_var_run_t, nova_var_run_t, nrpe_var_run_t, nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t, ntpd_var_run_t, numad_var_run_t, nut_var_run_t, nx_server_var_run_t, oddjob_var_run_t, openct_var_run_t, opendnssec_var_run_t, openhpid_var_run_t, openshift_var_run_t, openvpn_var_run_t, openvswitch_var_run_t, openwsman_run_t, osad_var_run_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_var_run_t, pcp_var_run_t, pcscd_var_run_t, pdns_var_run_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_var_run_t, piranha_fos_var_run_t, piranha_lvs_var_run_t, piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs11proxyd_var_run_t, pkcs_slotd_var_run_t, pki_ra_var_run_t, pki_tomcat_var_run_t, pki_tps_var_run_t, plymouthd_var_run_t, policykit_var_run_t, polipo_pid_t, portmap_var_run_t, portreserve_var_run_t, postfix_postdrop_t, postfix_var_run_t, postgresql_var_run_t, postgrey_var_run_t, pppd_var_run_t, pptp_var_run_t, prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_var_run_t, privoxy_var_run_t, proc_t, prosody_var_run_t, psad_var_run_t, ptal_var_run_t, pulseaudio_var_run_t, puppet_var_run_t, pwauth_var_run_t, pyicqt_var_run_t, qdiskd_var_run_t, qemu_var_run_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_var_run_t, radiusd_var_run_t, radvd_var_run_t, readahead_var_run_t, redis_var_run_t, regex_milter_data_t, restorecond_var_run_t, rhev_agentd_var_run_t, rhnsd_var_run_t, rhsmcertd_var_run_t, ricci_modcluster_var_run_t, ricci_var_run_t, rkhunter_var_lib_t, rlogind_var_run_t, rngd_var_run_t, root_t, roundup_var_run_t, rpcbind_var_run_t, rpcd_var_run_t, rpm_log_t, rpm_script_tmp_t, rpm_var_run_t, rsync_var_run_t, rtas_errd_var_run_t, samba_etc_t, samba_var_t, sanlock_var_run_t, 
saslauthd_var_run_t, sbd_var_run_t, sblim_var_run_t, screen_var_run_t, security_t, selinux_config_t, selinux_login_config_t, sendmail_var_run_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_run_t, shell_exec_t, slapd_cert_t, slapd_var_run_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, smsd_var_run_t, snmpd_var_run_t, snort_var_run_t, sosreport_tmp_t, sosreport_var_run_t, soundd_var_run_t, spamass_milter_data_t, spamd_var_run_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_var_run_t, sslh_var_run_t, sssd_conf_t, sssd_public_t, sssd_var_lib_t, sssd_var_log_t, sssd_var_run_t, stapserver_var_run_t, stunnel_var_run_t, svnserve_var_run_t, swat_var_run_t, swift_var_run_t, sysctl_t, sysfs_t, syslogd_var_run_t, system_conf_t, system_cronjob_var_run_t, system_db_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_machined_var_run_t, systemd_networkd_var_run_t, systemd_passwd_var_run_t, systemd_resolved_var_run_t, telnetd_var_run_t, textrel_shlib_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_var_run_t, thin_var_run_t, timemaster_var_run_t, tmp_t, tmpfs_t, tomcat_var_run_t, tor_var_run_t, tuned_var_run_t, udev_var_run_t, uml_switch_var_run_t, usbmuxd_var_run_t, user_home_dir_t, user_tmp_t, useradd_var_run_t, usr_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, var_t, varnishd_var_run_t, varnishlog_var_run_t, vdagent_var_run_t, vhostmd_var_run_t, virt_lxc_var_run_t, virt_qemu_ga_var_run_t, virt_var_run_t, virtlogd_var_run_t, vmware_host_pid_t, vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_var_run_t, wdmd_var_run_t, winbind_var_run_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_run_t, xenstored_var_run_t, xserver_var_run_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_var_run_t, zarafa_deliver_var_run_t, zarafa_gateway_var_run_t, zarafa_ical_var_run_t, 
zarafa_indexer_var_run_t, zarafa_monitor_var_run_t, zarafa_server_var_run_t, zarafa_spooler_var_run_t, zebra_var_run_t, zoneminder_var_run_t.

Then execute:

```
restorecon -v '3718'
```

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that sssd_be should be allowed search access on the 3718 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

```
# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe
# semodule -X 300 -i my-sssdbe.pp
```

Additional Information:

| Field | Value |
|---|---|
| Source Context | system_u:system_r:sssd_t:s0 |
| Target Context | system_u:object_r:unlabeled_t:s0 |
| Target Objects | 3718 [ dir ] |
| Source | sssd_be |
| Source Path | /usr/libexec/sssd/sssd_be |
| Port | <Unknown> |
| Host | (removed) |
| Source RPM Packages | |
| Target RPM Packages | |
| Policy RPM | <Unknown> |
| Selinux Enabled | True |
| Policy Type | targeted |
| Enforcing Mode | Enforcing |
| Host Name | (removed) |
| Platform | Linux (removed) 4.8.0-0.rc6.git0.1.fc25.x86_64 #1 SMP Mon Sep 12 19:16:54 UTC 2016 x86_64 x86_64 |
| Alert Count | 35 |
| First Seen | 2016-09-23 11:17:07 EDT |
| Last Seen | 2016-09-23 11:46:50 EDT |
| Local ID | a9a9aa07-c5e4-4a0e-9f4d-c131f689e3c6 |

Raw Audit Messages:

```
type=AVC msg=audit(1474645610.612:6483): avc: denied { search } for pid=3566 comm="sssd_be" name="3718" dev="proc" ino=18235 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1474645610.612:6483): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc39de9600 a1=0 a2=7ffc39de9611 a3=64 items=0 ppid=3564 pid=3566 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)
```

Hash: sssd_be,sssd_t,unlabeled_t,dir,search

Additional info:

reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.0-0.rc7.git0.1.fc25.x86_64
type: libreport
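The two plugin suggestions above are generic: `catchall_labels` proposes relabeling the target, `catchall` proposes an `audit2allow` module. The raw AVC record is what decides which one makes sense, and here `dev="proc"` shows the target is a procfs directory (the `/proc/3718` entry of some process), whose label is set by the kernel rather than by the file-context database, so the `semanage fcontext` + `restorecon` route cannot apply. The following Python is an added triage helper, not part of this bug report or of setroubleshoot: it parses raw audit lines in the format shown above, derives the TE rule `audit2allow` would produce for each denial, reproduces the `Hash:` key from the same fields, and flags denials whose target lives on a pseudo filesystem. The `PSEUDO_FS` set, the second AVC line and the abbreviated SYSCALL line in `SAMPLE` are constructed for the example; the first AVC line is the one from this report.

```python
import re
from dataclasses import dataclass

# Filesystems whose labels are assigned by the kernel (genfscon / fs_use rules),
# so a `semanage fcontext` entry followed by `restorecon` can never change them.
# Assumption: this set covers the usual pseudo filesystems; extend it as needed.
PSEUDO_FS = {"proc", "sysfs", "tmpfs", "devpts", "cgroup", "selinuxfs", "debugfs"}

# Matches AVC records only; SYSCALL, PATH and CWD records are skipped.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value tokens; values may be double-quoted (comm, name, dev) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: list
    fields: dict  # pid, comm, name, dev, ino, scontext, tcontext, tclass, ...

    @staticmethod
    def _type_of(context):
        # A context is user:role:type[:level]; TE rules are written on the type.
        return context.split(":")[2]

    @property
    def source_type(self):
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self):
        return self._type_of(self.fields["tcontext"])

    def allow_rule(self):
        """The TE rule `audit2allow -M` would emit for this single denial."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"

    def hash_key(self):
        """comm,source type,target type,class,perms: the fields shown after 'Hash:'."""
        return ",".join([self.fields.get("comm", ""), self.source_type,
                         self.target_type, self.fields["tclass"], *self.perms])

    def relabel_applies(self):
        """True only if `semanage fcontext` + `restorecon` could change the target's label."""
        return self.fields.get("dev") not in PSEUDO_FS


def parse_avc(raw):
    """Parse every AVC record in a block of raw audit text (ausearch --raw style)."""
    denials = []
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append(AvcDenial(float(m.group("ts")), int(m.group("serial")),
                                 m.group("perms").split(), fields))
    return denials


def triage(raw):
    """One line per denial: the rule audit2allow would add plus which advice applies."""
    report = []
    for d in parse_avc(raw):
        name, dev = d.fields.get("name"), d.fields.get("dev")
        if d.relabel_applies():
            hint = f"'{name}' on dev={dev}: check its label with ls -Z; a relabel is possible"
        else:
            hint = f"'{name}' on pseudo fs '{dev}': relabeling cannot apply; this is a policy question"
        report.append(f"{d.allow_rule()}  # {hint}")
    return report


# Constructed sample: line 1 is the AVC from this report, line 2 an abbreviated
# copy of its SYSCALL record, line 3 an invented denial on a real block device.
SAMPLE = """\
type=AVC msg=audit(1474645610.612:6483): avc: denied { search } for pid=3566 comm="sssd_be" name="3718" dev="proc" ino=18235 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1474645610.612:6483): arch=x86_64 syscall=open success=no exit=EACCES pid=3566 comm=sssd_be exe=/usr/libexec/sssd/sssd_be
type=AVC msg=audit(1474645700.000:6490): avc: denied { read open } for pid=3566 comm="sssd_be" name="example.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against `ausearch -m AVC --raw` output, the first line for the denial in this report reads `allow sssd_t unlabeled_t:dir search;` with the pseudo-filesystem hint, which is exactly why the `catchall_labels` advice (relabel '3718') should be ignored here and the `catchall` advice (report it, optionally carry a local module until the policy is fixed) is the one to act on.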