Bug 1416318
Summary: | Update SELinux policy for SSSD as the responders may be socket-activated (for Fedora 25+) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Fabiano FidĂȘncio <fidencio> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 25 | CC: | dominick.grift, dwalsh, jhrozek, lslebodn, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-225.12 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-07-04 08:02:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Fabiano FidĂȘncio
2017-01-25 09:37:07 UTC
A little bit more details for this BZ. Previous /usr/sbin/sssd fork+exec sssd responders (sssd_nss, sssd_pam ...) It was configured in sssd.conf which responders will be started. in sssd-1.15 we added possibility to start responders as socket activated services. There sore there are few AVCs Firstly after starting some socket by systemctl. Because previously sockets were created by sssd responders which were already in sssd_t domain. e.g. sh# systemctl start sssd-pam.socket sh# ausearch -m avc ---- time->Thu Mar 16 11:44:12 2017 type=AVC msg=audit(1489661052.387:10581): avc: denied { unlink } for pid=1 comm="systemd" name="pam" dev="dm-0" ino=270594 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 ---- time->Thu Mar 16 11:44:12 2017 type=AVC msg=audit(1489661052.387:10582): avc: denied { create } for pid=1 comm="systemd" name="pam" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 ---- time->Thu Mar 16 11:44:12 2017 type=AVC msg=audit(1489661052.388:10583): avc: denied { setattr } for pid=8128 comm="systemd" name="pam" dev="dm-0" ino=270594 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 Another issue is that socket activated responders are running with unconfined_service_t SELinux context sh# ps auxZ | grep sssd_pa[m] system_u:system_r:unconfined_service_t:s0 sssd 8244 0.0 0.2 138724 8420 ? Ss 11:52 0:00 /usr/libexec/sssd/sssd_pam --debug-to-files --socket-activated sh# ps auxZ | grep sss[d] system_u:system_r:sssd_t:s0 root 8209 0.0 0.2 161820 8632 ? Ss 11:50 0:00 /usr/sbin/sssd -i -f system_u:system_r:sssd_t:s0 sssd 8210 0.0 0.4 197152 12724 ? S 11:50 0:00 /usr/libexec/sssd/sssd_be --domain redhat.com --uid 995 --gid 993 --debug-to-files system_u:system_r:sssd_t:s0 sssd 8211 0.0 1.0 159000 32568 ? S 11:50 0:00 /usr/libexec/sssd/sssd_nss --uid 995 --gid 993 --debug-to-files system_u:system_r:unconfined_service_t:s0 sssd 8244 0.0 0.2 138724 8420 ? Ss 11:52 0:00 /usr/libexec/sssd/sssd_pam --debug-to-files --socket-activated Last but not least is that sssd still support both ways of starting responders. Both ways need to work with SELinux enforcing mode. |