| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux is preventing /usr/sbin/sssd from using the sys_admin capability. | | |
| Product: | Fedora | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, jhrozek, mgrepl, sbose, sgallagh, spoore, ssorce |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 769301 (view as bug list) | Environment: | |
| Last Closed: | 2012-02-10 08:56:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 769301 | | |
Description
Gowrishankar Rajaiyan
2011-12-20 07:22:59 UTC
SSSD grew a dependency on the sys_admin capability because it is now using keyctl_join_session_keyring() and keyctl_setperm() to connect to the kernel keyring and store passwords securely while the SSSD is running (such as for deferred kinit operation). We need this new requirement added to SSSD in the selinux policy.

So this is valid for F15+.

(In reply to comment #2)
> So this is valid for F15+.

Yes, please.

Is this the same error? Reads like it, but I didn't get a setroubleshoot entry in /var/log/messages.
# /usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/22/2011 19:00
...snip....
type=AVC msg=audit(1324604821.705:299): avc: denied { sys_admin } for pid=11976 comm="sssd" capability=21 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability
...snip...
versions in question on my test system were:
sssd-1.8.0-0.20111222T1839Zgitb355dcb.fc16.x86_64
selinux-policy-3.10.0-67.fc16.noarch
And, sssd does appear to be running:
systemctl status sssd.service
sssd.service - LSB: System Security Services Daemon
Loaded: loaded (/etc/rc.d/init.d/sssd)
Active: active (running) since Thu, 22 Dec 2011 20:47:02 -0500; 27min ago
CGroup: name=systemd:/system/sssd.service
├ 11977 /usr/sbin/sssd -f -D
├ 11989 /usr/libexec/sssd/sssd_be --domain testrelm --debu...
├ 11990 /usr/libexec/sssd/sssd_nss --debug-to-files
└ 11991 /usr/libexec/sssd/sssd_pam --debug-to-files
Just checking that I am actually seeing the same issue before opening another BZ.
Thanks,
Scott
Please, try it with the latest policy from koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=279701

I do believe that fixed what I was seeing at least:

# /usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/03/2012 15:00:00|grep sss
...no output...

However, I should note (just in case) that I had to set NSS_SSL_CBC_RANDOM_IV=0 in /etc/profile first to work this issue: https://bugzilla.redhat.com/show_bug.cgi?id=771357

Thanks,
Scott

# sesearch -A -s sssd_t -t sssd_t -c capability -p sys_admin
Found 1 semantic av rules:
allow sssd_t sssd_t : capability { chown dac_override dac_read_search kill setgid setuid net_admin sys_admin sys_nice audit_write } ;
which tells us that the capability has been added.
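The check this thread does by hand, matching the AVC denial from ausearch against the `sesearch -A` output, as an added Python example that is not part of this bug report or of selinux-policy. It parses AVC records in the format quoted above and `allow` rules in both the sesearch and the policy-source spelling, reports whether a loaded rule already covers each denial, and prints the policy-language rule (with the `self` shorthand that audit2allow uses when source and target type are equal) that would otherwise be needed. The sample input reuses the denial and the sesearch line quoted in this bug; the pre-fix rule line is constructed by removing sys_admin from the quoted one.

```python
"""Match SELinux AVC denials against loaded allow rules.

Added example; not part of this bug report or of selinux-policy.
Input formats: AVC records as printed by ausearch and rules as printed
by `sesearch -A` (both quoted in the bug above) or written in policy source.
"""
import re
from dataclasses import dataclass

# Header of an AVC record; everything after "for" is key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*'
    r'(?P<result>denied|granted)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# `allow src tgt : class { perms } ;` (sesearch) or `allow src tgt:class perm;` (policy source)
RULE_RE = re.compile(
    r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*'
    r'(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<single>[^\s;{}]+))\s*;'
)


@dataclass(frozen=True)
class Denial:
    serial: int
    pid: int
    comm: str
    src_type: str
    tgt_type: str
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class AllowRule:
    src: str
    tgt: str
    tclass: str
    perms: frozenset


def type_of(context):
    """Third field of user:role:type[:level] is the SELinux type."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, else None."""
    m = AVC_RE.match(line.strip())
    if not m or m.group('result') != 'denied':
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Denial(
        serial=int(m.group('serial')),
        pid=int(fields.get('pid', 0)),
        comm=fields.get('comm', '?'),
        src_type=type_of(fields['scontext']),
        tgt_type=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        perms=frozenset(m.group('perms').split()),
    )


def parse_rule(line):
    """Return an AllowRule for an `allow` line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    perms = m.group('set').split() if m.group('set') is not None else [m.group('single')]
    return AllowRule(m.group('src'), m.group('tgt'), m.group('cls'), frozenset(perms))


def covers(rule, denial):
    """True if the rule grants every permission the denial asked for."""
    tgt_ok = rule.tgt == denial.tgt_type or (
        rule.tgt == 'self' and denial.src_type == denial.tgt_type)
    return (rule.src == denial.src_type and tgt_ok
            and rule.tclass == denial.tclass and denial.perms <= rule.perms)


def suggest_rule(denial):
    """Policy-language rule for the denial; `self` when src == tgt (audit2allow style)."""
    tgt = 'self' if denial.src_type == denial.tgt_type else denial.tgt_type
    perms = sorted(denial.perms)
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {denial.src_type} {tgt}:{denial.tclass} {perm_str};'


def triage(audit_lines, rule_lines):
    """Split denials into those an existing rule covers and those still needing one."""
    rules = [r for r in map(parse_rule, rule_lines) if r]
    report = {'covered': [], 'missing': []}
    for d in filter(None, map(parse_avc, audit_lines)):
        key = 'covered' if any(covers(r, d) for r in rules) else 'missing'
        report[key].append(suggest_rule(d))
    return report


# The denial quoted in this bug (capability=21 is CAP_SYS_ADMIN).
AVC_SYS_ADMIN = ('type=AVC msg=audit(1324604821.705:299): avc: denied { sys_admin } for '
                 'pid=11976 comm="sssd" capability=21 scontext=system_u:system_r:sssd_t:s0 '
                 'tcontext=system_u:system_r:sssd_t:s0 tclass=capability')
# The sesearch line quoted at the end of this bug (policy with the fix) ...
RULE_FIXED = ('allow sssd_t sssd_t : capability { chown dac_override dac_read_search kill '
              'setgid setuid net_admin sys_admin sys_nice audit_write } ;')
# ... and a constructed pre-fix version of the same rule without sys_admin.
RULE_BEFORE = RULE_FIXED.replace(' sys_admin', '')

if __name__ == '__main__':
    for label, rules in (('before fix', [RULE_BEFORE]), ('after fix', [RULE_FIXED])):
        print(label, triage(['...snip...', AVC_SYS_ADMIN], rules))
```

Run against the pre-fix rule the denial lands in `missing` with the suggested `allow sssd_t self:capability sys_admin;`; against the quoted post-fix rule it lands in `covered`, which is the conclusion the thread reaches from the sesearch output. Non-AVC lines such as the `...snip...` markers are skipped rather than treated as errors.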