Bug 1534624

Summary: SELinux prevents sslh from searching in /var/lib/sss directory
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-283.24.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-06 15:31:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2018-01-15 15:38:53 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.16.fc27.noarch
selinux-policy-targeted-3.13.1-283.16.fc27.noarch
sslh-1.18-4.fc27.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora27 machine (targeted policy is active)
2. start the sslh service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=AVC msg=audit(01/15/2018 10:32:04.564:400) : avc:  denied  { search } for  pid=18259 comm=sslh name=sss dev="vda1" ino=5199 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0 
----

Expected results:
* no SELinux denials

Additional info:
The sssd service was running and nsswitch was configured in following way:
# grep sss /etc/nsswitch.conf
passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd
services:   files sss
netgroup:   nisplus sss
#
Comment 1 Lukas Vrabec 2018-01-15 16:19:53 UTC 
Could you test it in permissive mode?
Comment 2 Milos Malik 2018-01-15 16:35:51 UTC 
Caught in permissive mode:
----
type=AVC msg=audit(01/15/2018 11:34:36.690:451) : avc:  denied  { read } for  pid=21970 comm=sslh name=passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:452) : avc:  denied  { open } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:453) : avc:  denied  { getattr } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:454) : avc:  denied  { map } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:455) : avc:  denied  { write } for  pid=21970 comm=sslh name=nss dev="vda1" ino=845 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:456) : avc:  denied  { connectto } for  pid=21970 comm=sslh path=/var/lib/sss/pipes/nss scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
----
Comment 3 Fedora Update System 2018-01-30 16:41:06 UTC 
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
Comment 4 Fedora Update System 2018-01-31 22:44:52 UTC 
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
Comment 5 Fedora Update System 2018-02-06 15:31:25 UTC 
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.