Bug 2181010

Summary: SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.
Product: Fedora
Reporter: Matt Fagnani <matt.fagnani>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: high
Version: 38
CC: dwalsh, kparal, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:3e475a6e7bc9a55a9afe01adc0bb25a035c409fc098f651a31bd12254da5b5e0;VARIANT_ID=kde;
Fixed In Version: selinux-policy-38.10-1.fc38
Last Closed: 2023-04-15 02:06:46 UTC
Bug Blocks: 2179591
Attachments: os_info, description

Description Matt Fagnani 2023-03-22 20:38:03 UTC
Description of problem:
I booted the Fedora 38 live image Fedora-KDE-Live-x86_64-38-20230322.n.0.iso in a GNOME Boxes QEMU/KVM VM in a Fedora 38 installation. I opened System Settings in Plasma 5.27.3 on Wayland in the VM. I selected Users in the System Settings menu. I created two new users of the standard account type with passwords. The journal showed denials of sss_cache reading a pipe or fifo_file from the pipefs device. 

I reproduced this problem in the Fedora 38 KDE Plasma installation in the same way. The journal showed the following at the time of the denials.

Mar 22 16:23:53 audit[8610]: USER_AUTH pid=8610 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="matt" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Mar 22 16:23:53 audit[8610]: USER_ACCT pid=8610 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="matt" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Mar 22 16:23:53 polkitd[932]: Operator of unix-session:2 successfully authenticated as unix-user:matt to gain TEMPORARY authorization for action org.freedesktop.accounts.user-administration for system-bus-name::1.264 [/usr/bin/systemsettings] (owned by unix-user:matt)
Mar 22 16:23:53 accounts-daemon[864]: request by system-bus-name::1.264 [/usr/bin/systemsettings pid:8570 uid:1000]: create user 'user3'
Mar 22 16:23:53 useradd[8615]: new group: name=user3, GID=1002
Mar 22 16:23:53 useradd[8615]: new user: name=user3, UID=1002, GID=1002, home=/home/user3, shell=/bin/bash, from=none
Mar 22 16:23:53 accounts-daemon[8638]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:53 accounts-daemon[8638]: Could not open available domains
Mar 22 16:23:53 useradd[8615]: useradd: sss_cache exited with status 5
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 accounts-daemon[8641]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:53 accounts-daemon[8641]: Could not open available domains
Mar 22 16:23:53 useradd[8615]: useradd: sss_cache exited with status 5
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 accounts-daemon[864]: request by system-bus-name::1.264 [/usr/bin/systemsettings pid:8570 uid:1000]: set password and hint of user 'user3' (1002)
Mar 22 16:23:53 audit[8649]: AVC avc:  denied  { read } for  pid=8649 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 accounts-daemon[8649]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:54 accounts-daemon[8649]: Could not open available domains
Mar 22 16:23:54 chpasswd[8645]: chpasswd: sss_cache exited with status 5
Mar 22 16:23:54 chpasswd[8645]: chpasswd: Failed to flush the sssd cache.
Mar 22 16:23:54 audit[8651]: AVC avc:  denied  { read } for  pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 accounts-daemon[8651]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:54 accounts-daemon[8651]: Could not open available domains
Mar 22 16:23:54 chpasswd[8645]: chpasswd: sss_cache exited with status 5
Mar 22 16:23:54 chpasswd[8645]: chpasswd: Failed to flush the sssd cache.

I'm reporting this problem from the F38 installation, which has SELinux enabled with the targeted policy selinux-policy-38.8-2.fc38.noarch in enforcing mode.

SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sss_cache should be allowed read access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.8-2.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.8-2.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.7-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Mar 17 16:02:49 UTC 2023
                              x86_64
Alert Count                   2
First Seen                    2023-03-22 16:23:53 EDT
Last Seen                     2023-03-22 16:23:54 EDT
Local ID                      2294d8b6-8f30-4721-88e3-53c6951ce268

Raw Audit Messages
type=AVC msg=audit(1679516634.18:292): avc:  denied  { read } for  pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0


Hash: sss_cache,sssd_t,accountsd_t,fifo_file,read

Version-Release number of selected component:
selinux-policy-targeted-38.8-2.fc38.noarch

Additional info:
reporter:       libreport-2.17.8
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.7-300.fc38.x86_64
component:      selinux-policy
package:        selinux-policy-targeted-38.8-2.fc38.noarch
reason:         SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.
component:      selinux-policy

Comment 1 Matt Fagnani 2023-03-22 20:38:05 UTC
Created attachment 1952929 [details]
File: os_info

Comment 2 Matt Fagnani 2023-03-22 20:38:07 UTC
Created attachment 1952930 [details]
File: description

Comment 3 Kamil Páral 2023-03-23 08:55:13 UTC
Zdenek, this bug seems to block bug 2179591, which is currently proposed as a Fedora 38 Final blocker. If you can, please look at it soon, thanks.

Comment 4 Zdenek Pytela 2023-03-23 19:57:47 UTC
Matt,

Can you insert this local module to check if this is the only denial?

  # cat local_sssd_acct.cil
(allow sssd_t accountsd_t (fifo_file (read)))
  # semodule -i local_sssd_acct.cil
<reproduce>

then
  # semodule -r local_sssd_acct
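
As an added example (not from this report, the reporter, or the selinux-policy project): a small Python script that extracts the denied permission, source type and target type from AVC records like the ones quoted in the description, in either the journal form or the raw `type=AVC msg=audit(...)` form from ausearch, and collapses duplicates into the CIL allow rule used in the test module above. The two AVC lines and the useradd line in the sample are copied from this report; the non-AVC line is there to show it is skipped.

```python
import re
from typing import Dict, List, Optional

# Matches the permission set and the key=value tail of an AVC record. The same
# pattern works for journald lines ("audit[8651]: AVC avc:  denied ...") and for
# raw audit records ("type=AVC msg=audit(...): avc:  denied ...").
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: two AVC lines from this bug plus one unrelated line.
SAMPLE_JOURNAL = """\
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 audit[8649]: AVC avc:  denied  { read } for  pid=8649 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 audit[8651]: AVC avc:  denied  { read } for  pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
"""


def parse_avc(line: str) -> Optional[dict]:
    """Return the AVC fields of one log line, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()  # "{ read write }" -> ["read", "write"]
    return rec


def type_of(context: str) -> str:
    """Extract the type field from a user:role:type:range security context."""
    return context.split(':')[2]


def cil_rules(lines: List[str]) -> List[str]:
    """Collapse denials into one CIL allow rule per (source type, target type, class)."""
    rules: Dict[tuple, set] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    for rule in cil_rules(SAMPLE_JOURNAL.splitlines()):
        print(rule)  # -> (allow sssd_t accountsd_t (fifo_file (read)))
```

Feeding `journalctl -k -o cat` or `ausearch -m AVC --raw` output into `cil_rules` gives the rules for a temporary local module like local_sssd_acct.cil; the `permissive` field in each parsed record tells you whether the denial was actually enforced.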

Comment 5 Matt Fagnani 2023-03-23 20:37:25 UTC
I inserted the local module local_sssd_acct.cil and created another user. No SELinux denials were shown. The other errors were still there in the journal like I reported, so there might be some problem with sss_cache other than the denial. I ran sudo setenforce 0 and created the user again. There weren't any denials but the other errors were there in the journal as before. Thanks.

Comment 6 Zdenek Pytela 2023-03-23 20:59:23 UTC
Thank you for checking.

Comment 7 Fedora Update System 2023-03-27 13:20:16 UTC
FEDORA-2023-624eb88729 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

Comment 8 Kamil Páral 2023-03-27 15:21:53 UTC
(In reply to Fedora Update System from comment #7)
> FEDORA-2023-624eb88729 has been submitted as an update to Fedora 38.
> https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

I don't see AVCs when this update is installed and new users get created in KDE.

Comment 9 Fedora Update System 2023-03-28 03:42:53 UTC
FEDORA-2023-624eb88729 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-04-06 01:48:00 UTC
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-04-15 02:06:46 UTC
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.