Bug 1589395
| Summary: | cjdroute denied access to /var/lib/sss by selinux | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stuart D Gathman <stuart> |
| Component: | cjdns | Assignee: | Stuart D Gathman <stuart> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 30 | CC: | bernard827, foxcool333, stuart |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | cjdns-20.3-7.fc30 cjdns-20.3-7.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-25 00:57:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:
Selinux reports access denied to /var/lib/sss for cjdroute

Version-Release number of selected component (if applicable):
cjdns-20.2-2

How reproducible:
At cjdns startup

Steps to Reproduce:
1. install cjdns cjdns-selinux
2. systemctl start cjdns

Actual results:
```
type=AVC msg=audit(1528496988.246:146): avc: denied { search } for pid=1035 comm="cjdroute" name="sss" dev="dm-0" ino=795620 scontext=system_u:system_r:cjdns_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
```

Expected results:
No selinux logs

Additional info:
There is no need for cjdroute to access /var/lib/sss, and indeed cjdroute runs normally despite the denial. If I could find where this access is occurring, I could patch it out of the upstream code.

---

Still present in f29

---

*** Bug 1708081 has been marked as a duplicate of this bug. ***

---

Ok, the culprit is getpwnam(). Around Fedora 28, this changed to dynamically load nss libraries, and do lots of extraneous stuff. There are two ways that we could go, yea three that stop this annoying alert:

1) Ok, fine: let cjdroute have read access to all that critical security stuff ... just to look up the uid for cjdns.
2) Tell users to turn off sss for passwd in /etc/nsswitch.conf
3) Implement a plain vanilla getpwnam() that just looks in /etc/passwd

Workaround for present: remove sss from passwd in /etc/nsswitch.conf

---

Another idea, register cjdns uid with Fedora Project, and hardwire uid. But that could be a Bad Idea, because customized systems might not use the official uid.

---

Yet another idea, support numeric user in /etc/cjdroute.conf

---

*** Bug 1711506 has been marked as a duplicate of this bug. ***

---

*** Bug 1713855 has been marked as a duplicate of this bug. ***

---

After a lot of thinking, I've decided the best approach is to suppress logging of the sss denials. I need to research how to do that.

---

FEDORA-2019-93a6eb4dbc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-93a6eb4dbc

---

FEDORA-2019-1fa7b2f8bc has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1fa7b2f8bc

---

I don't think this is the end of this issue. There are a lot of problems associated with dontaudit - some new functionality that actually depends on sssd doesn't work, and it's hard to figure out why.

---

cjdns-20.3-7.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-93a6eb4dbc

---

cjdns-20.3-7.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1fa7b2f8bc

---

cjdns-20.3-7.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

---

cjdns-20.3-7.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
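As an added illustration of two ideas raised in this bug, option 3 (a plain-vanilla getpwnam() that looks only in /etc/passwd) and the later suggestion of accepting a numeric user in the config, here is a minimal lookup written for this page. It is not cjdns code and not what the shipped fix does (the fix was a dontaudit rule); the function names, `struct plain_pw`, and the passwd-format sample are constructed. Because it never calls into NSS, a daemon using it needs no access to /var/lib/sss, and the trade-off is the one the thread implies: users that exist only in sssd/LDAP are invisible to it, which is why the reporter noted that dontaudit can hide real breakage of sssd-dependent functionality.

```c
/* Added example, not cjdns code: a minimal passwd(5) lookup that reads only
 * /etc/passwd text and never calls into NSS, so a confined daemon using it needs
 * no access to /var/lib/sss.  Trade-off: users known only to sssd/LDAP are not found. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct plain_pw { uid_t uid; gid_t gid; };

/* Parse one "name:passwd:uid:gid:gecos:dir:shell" line.  Returns 1 and fills *out
 * only if the line is well formed and its first field equals name exactly. */
static int parse_passwd_line(const char *line, const char *name, struct plain_pw *out)
{
    size_t nlen = strlen(name);
    if (nlen == 0 || strncmp(line, name, nlen) != 0 || line[nlen] != ':')
        return 0;                                   /* "cjd" must not match "cjdns" */
    const char *p = strchr(line + nlen + 1, ':');   /* skip the password field */
    if (p == NULL)
        return 0;
    p++;
    unsigned long v[2];                             /* uid, then gid */
    for (int i = 0; i < 2; i++) {
        char *end;
        if (!isdigit((unsigned char)*p))
            return 0;               /* strtoul alone would accept "+", "-" and spaces */
        errno = 0;
        v[i] = strtoul(p, &end, 10);
        if (errno != 0 || *end != ':' || v[i] > 0xFFFFFFFFul)
            return 0;               /* non-numeric, unterminated or out of range */
        p = end + 1;
    }
    out->uid = (uid_t)v[0];
    out->gid = (gid_t)v[1];
    return 1;
}

/* Scan passwd-format text (normally the contents of /etc/passwd) for name.
 * Malformed and over-long lines are skipped rather than trusted. */
int plain_getpwnam(const char *passwd_text, const char *name, struct plain_pw *out)
{
    for (const char *line = passwd_text; *line != '\0';) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (parse_passwd_line(buf, name, out))
                return 1;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* The thread's other idea: accept a literal uid such as "988" in the config.
 * Returns 1 and sets *out on success, 0 for anything that is not a plain decimal uid. */
int parse_numeric_uid(const char *spec, uid_t *out)
{
    if (*spec == '\0')
        return 0;
    for (const char *q = spec; *q != '\0'; q++)
        if (!isdigit((unsigned char)*q))
            return 0;
    errno = 0;
    char *end;
    unsigned long v = strtoul(spec, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFul)
        return 0;
    *out = (uid_t)v;
    return 1;
}

/* Resolve a configured "user" value: numeric uid first, then the passwd text.
 * Returns the uid, or -1 when nothing matched. */
long resolve_uid(const char *spec, const char *passwd_text)
{
    struct plain_pw pw;
    if (parse_numeric_uid(spec, &pw.uid))
        return (long)pw.uid;
    return plain_getpwnam(passwd_text, spec, &pw) ? (long)pw.uid : -1;
}

/* Constructed passwd-format sample for the demo; not taken from any real host. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "notauid:x:abc:991:malformed uid field:/:/sbin/nologin\n"
    "cjdns:x:988:983:cjdns daemon:/var/lib/cjdns:/sbin/nologin\n"
    "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\n";

int main(void)
{
    const char *specs[] = { "cjdns", "988", "notauid", "cjd", "sshd" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-8s -> uid %ld\n", specs[i], resolve_uid(specs[i], SAMPLE_PASSWD));
    return 0;
}
```

In a real daemon the caller would read /etc/passwd into a buffer once, before chroot or privilege drop, and pass that text in; the lookup itself opens nothing, so no SELinux rule beyond read access to /etc/passwd is needed. Note that a numeric spec yields no primary gid, so a daemon that also needs to setgid() must get the group from somewhere else or fall back to the passwd record.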