Bug 2039757
| Summary: | denied setgid for sss_cache | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jiri Jaburek <jjaburek> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.0 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 9.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34.1.23-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:50:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This bug is a RHEL-9 version of BZ#2030156. Commits to backport: 25bdcfdf5 Allow domtrans to sssd_t and role access to sssd d7ef9cf83 Creating interface sssd_run_sssd() d33ccb64d (tag: v35.12, patrik/rawhide) Fix badly indented used interfaces bcc321f17 Allow domain transition to sssd_t Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3918 |
Description of problem: I've noticed this on a bare metal x86_64 system, no clue how to reproduce it to re-try it in permissive, sorry. time->Tue Jan 11 16:22:21 2022 type=PROCTITLE msg=audit(1641914541.390:120): proctitle=7373735F6361636865002D47 type=SYSCALL msg=audit(1641914541.390:120): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=0 items=0 ppid=4915 pid=4920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=system_u:system_r:groupadd_t:s0 key=(null) type=AVC msg=audit(1641914541.390:120): avc: denied { setgid } for pid=4920 comm="sss_cache" capability=6 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=0 ---- time->Tue Jan 11 16:22:22 2022 type=PROCTITLE msg=audit(1641914542.623:125): proctitle=7373735F6361636865002D5547 type=SYSCALL msg=audit(1641914542.623:125): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=0 items=0 ppid=4922 pid=4925 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=system_u:system_r:useradd_t:s0 key=(null) type=AVC msg=audit(1641914542.623:125): avc: denied { setgid } for pid=4925 comm="sss_cache" capability=6 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0 # ausearch -ts boot -m avc | audit2allow -r require { type groupadd_t; type useradd_t; class capability setgid; } #============= groupadd_t ============== allow groupadd_t self:capability setgid; #============= useradd_t ============== allow useradd_t self:capability setgid; Version-Release number of selected component (if applicable): RHEL-9.0.0-20220108.3 selinux-policy-34.1.20-1.el9.noarch sssd-common-2.6.1-1.el9.x86_64