Bug 867767

Summary: realmd AVC's on clean install
Product: Fedora
Reporter: Miroslav Vadkerti <mvadkert>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 19
CC: dwalsh, jhrozek, ksrot, maxim, stefw, steved, tbzatek, tmraz
Hardware: All   
OS: Linux   
Last Closed: 2013-04-19 05:57:05 UTC
Type: Bug
Attachments:
* SELinux is preventing /usr/lib64/realmd/realmd from remove_name access on the directory sssd.conf.VQJYLW.
* SELinux is preventing /usr/lib64/realmd/realmd from getattr access on the filesystem /.
* My complete realmd avc log
* SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/sbin/sssd.
* SELinux is preventing /usr/bin/systemctl from read access on the lnk_file root.
* SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.
* SELinux is preventing /usr/sbin/sss_cache from getattr access on the file /run/sssd.pid.
* SELinux is preventing /usr/sbin/sss_cache from using the signal access on a process.
* SELinux is preventing /usr/lib64/realmd/realmd from using the signal access on a process.

Description Miroslav Vadkerti 2012-10-18 09:18:27 UTC
Description of problem:
# service rpcbind restart

in AVC this denial pops up:
time->Thu Oct 18 05:14:09 2012
type=SYSCALL msg=audit(1350551649.593:713): arch=c000003e syscall=2 success=no exit=-13 a0=7f63a11af6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=12955 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350551649.593:713): avc:  denied  { read } for  pid=12955 comm="rpcbind" name="passwd" dev="vda3" ino=17886 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

Version-Release number of selected component (if applicable):
rpcbind-0.2.0-18.fc18.x86_64
selinux-policy-3.11.1-36.fc18.noarch


How reproducible:
100%

Steps to Reproduce:
1. restart rpcbind

Actual results:
Denial

Expected results:
No Denial

Additional info:
Found during Active Directory test day

Comment 1 Stef Walter 2012-10-18 12:43:01 UTC
I'll be adding more realmd AVCs to this bug. It's probably easier for the SELinux guys to get them all in one shot.

Comment 2 Tomáš Bžatek 2012-10-18 13:03:36 UTC
Created attachment 629361 [details]
SELinux is preventing /usr/lib64/realmd/realmd from remove_name access on the directory sssd.conf.VQJYLW.

Comment 3 Tomáš Bžatek 2012-10-18 13:04:09 UTC
Created attachment 629362 [details]
SELinux is preventing /usr/lib64/realmd/realmd from getattr access on the filesystem /.

Comment 4 Miroslav Grepl 2012-10-18 13:19:44 UTC
Most of these are fixed in the latest build.

Comment 5 Stef Walter 2012-10-18 16:14:50 UTC
Created attachment 629545 [details]
My complete realmd avc log

Miroslav, I hope these are useful. A complete AVC log of realmd operations.

This is using a new livecd built from fedora-updates-testing today.

Comment 6 Miroslav Grepl 2012-10-19 07:06:15 UTC
*** Bug 867765 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2012-10-19 09:07:18 UTC
I added a lot of fixes, but some issues related to authconfig remain:

1. /var/lib/authconfig/last

allow realmd_t var_lib_t:dir { write remove_name add_name };
allow realmd_t var_lib_t:file { rename setattr read create write getattr unlink open };

2. /etc/krb5.confd_*

allow realmd_t etc_t:dir { write remove_name add_name };
allow realmd_t etc_t:file { write rename create unlink };

ad 1)

We could label /var/lib/authconfig as var_auth_t.

ad 2)

There is a problem: we are not able to add file name transitions.

Dan,
what do you think?
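
An added example, not code from this bug or from the realmd or selinux-policy projects: a small audit2allow-style aggregator that parses AVC records like the one in the description into allow rules of the form listed in comment 7, and flags any rule that would widen a domain's access to a generic type such as etc_t or var_lib_t, which is exactly the concern raised above. The rpcbind record is the reporter's; the realmd records are constructed to resemble the /var/lib/authconfig denials and are not from the attached log.

```python
import re
from collections import defaultdict

# Constructed sample: the rpcbind record is from the bug description; the realmd records are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1350551649.593:713): avc:  denied  { read } for  pid=12955 comm="rpcbind" name="passwd" dev="vda3" ino=17886 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1350551700.100:720): avc:  denied  { write add_name } for  pid=13001 comm="realmd" name="authconfig" dev="vda3" ino=20001 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1350551700.200:721): avc:  denied  { remove_name } for  pid=13001 comm="realmd" name="last" dev="vda3" ino=20002 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1350551700.300:722): avc:  denied  { create write } for  pid=13001 comm="realmd" name="last" dev="vda3" ino=20003 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Generic types that comment 7 identifies as too broad to grant realmd_t write access to.
GENERIC_TYPES = {"etc_t", "var_lib_t"}

def context_type(ctx):
    """Return the type component of a user:role:type:level security context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial record; return None for SYSCALL and other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"source": context_type(m["scontext"]), "target": context_type(m["tcontext"]),
            "tclass": m["tclass"], "perms": set(m["perms"].split())}

def aggregate(lines):
    """Merge permissions per (source type, target type, object class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)

def allow_rules(rules):
    """Render policy allow rules; flag those that would widen access to a generic type."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in GENERIC_TYPES:
            rule += "  # REVIEW: generic type; prefer a dedicated label or a name transition"
        out.append(rule)
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(aggregate(SAMPLE_AVCS.splitlines()))))
```

The two flagged var_lib_t rules correspond to the "ad 1)" proposal above of giving /var/lib/authconfig its own label instead of opening var_lib_t to realmd_t.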

Comment 8 Tomáš Bžatek 2012-10-19 12:09:51 UTC
Created attachment 629997 [details]
SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/sbin/sssd.

I've got two more denials; I didn't check whether they have already been reported.

Comment 9 Tomáš Bžatek 2012-10-19 12:10:31 UTC
Created attachment 629998 [details]
SELinux is preventing /usr/bin/systemctl from read access on the lnk_file root.

Both denials are with today's updates.

Comment 10 Tomáš Bžatek 2012-10-19 12:18:20 UTC
Created attachment 630000 [details]
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.

Related to realmd, though no idea how this happened. Getting a pwent from remote server?

Comment 11 Stef Walter 2012-10-19 12:21:58 UTC
(In reply to comment #10)
> Created attachment 630000 [details]
> SELinux is preventing /usr/bin/bash from execute access on the file
> /usr/bin/bash.
> 
> Related to realmd, though no idea how this happened. Getting a pwent from
> remote server?

realmd calls authconfig (to manage the PAM stack). authconfig runs many commands using system(), which uses the shell.

Comment 12 Tomáš Bžatek 2012-10-19 12:25:02 UTC
Created attachment 630001 [details]
SELinux is preventing /usr/sbin/sss_cache from getattr access on the file /run/sssd.pid.

Found when leaving domain (Enforcing mode)

Comment 13 Tomáš Bžatek 2012-10-19 12:25:31 UTC
Created attachment 630002 [details]
SELinux is preventing /usr/sbin/sss_cache from using the signal access on a process.

Found when leaving domain (Enforcing mode)

Comment 14 Tomáš Bžatek 2012-10-19 12:26:07 UTC
Created attachment 630003 [details]
SELinux is preventing /usr/lib64/realmd/realmd from using the signal access on a process.

Found when leaving domain (Enforcing mode)

Comment 15 Miroslav Grepl 2012-10-24 10:16:24 UTC
Stef,
related to

2. /etc/krb5.confd_*

allow realmd_t etc_t:dir { write remove_name add_name };
allow realmd_t etc_t:file { write rename create unlink };

is this created by authconfig by default?

Comment 16 Stef Walter 2012-10-24 11:24:25 UTC
(In reply to comment #15)
> Stef,
> related to
> 
> 2. /etc/krb5.confd_*
> 
> 
> allow realmd_t etc_t:dir { write remove_name add_name };
> allow realmd_t etc_t:file { write rename create unlink };
> 
> is this created by authconfig by default?

Yes. realmd does not write to /etc/krb5.conf directly.

Comment 17 Miroslav Grepl 2012-10-24 11:25:50 UTC
Yes, I was just curious about the path.

Comment 18 Stef Walter 2012-10-26 19:59:16 UTC
Hmmm, maybe /etc/krb5.confd_xxx is a backup dir that authconfig is making? Tomasz, do you know more details?

Comment 19 Daniel Walsh 2012-10-27 10:36:46 UTC
Stef, realmd executing autoconf is going to be difficult to write up in policy, and of course it is very privileged.

Why is it doing this? And maybe we could write a transition policy from realmd to autoconf, so that realmd only gets the privs when it executes autoconf.

Comment 20 Stef Walter 2012-10-28 07:54:25 UTC
(In reply to comment #19)
> Stef, realmd executing autoconf is going to be difficult to write up in
> policy, and of course it is very privileged.
> 
> Why is it doing this?

authconfig 'owns' the PAM stack and nsswitch configuration file on Fedora and RHEL. In order to configure logins and usage of domain accounts on Fedora and RHEL we need to run authconfig.

You can see the various authconfig commands we run here:

http://cgit.freedesktop.org/realmd/realmd/tree/service/realmd-redhat.conf#n20

Comment 21 Tomas Mraz 2012-10-29 08:23:37 UTC
/etc/krb5.confd_xxx is not directly created by authconfig. I do not know if it is created by e.g. sssd due to being restarted by authconfig, though.

Comment 22 Stef Walter 2012-10-29 08:25:44 UTC
Jakub, does sssd create files like /etc/krb5.confd_*?

Comment 23 Jakub Hrozek 2012-10-29 09:02:11 UTC
The SSSD doesn't create any files outside /var/lib/sss. The only Kerberos-related files that the SSSD creates are located in /var/lib/sss/pubconf/.

I'm sorry, I don't know what the /etc/krb5.confd_xxx files are, what is their content?

Comment 24 Miroslav Grepl 2012-10-29 09:40:14 UTC
(In reply to comment #19)
> Stef, realmd executing autoconf is going to be difficult to write up in
> policy, and of course it is very privileged.
> 
> Why is it doing this? And maybe we could write a transition policy from
> realmd to autoconf, so that realmd only gets the privs when it executes
> autoconf.

Yes, I was thinking about a policy for autoconf.

Comment 25 Tomas Mraz 2012-10-29 09:52:35 UTC
Please don't mix autoconf and authconfig. :)

The policy for authconfig should be mostly unconfined, as it writes to crucial system configuration files and eventually restarts daemons such as sssd, ypbind, ....

Comment 26 Tomáš Bžatek 2012-10-29 12:47:23 UTC
(In reply to comment #18)
> Hmmm, maybe /etc/krb5.confd_xxx is a backup dir that authconfig is making?
> Tomasz, do you know more details?

There's no xxx file in /etc, only my rpm-saved default configuration in krb5.conf.bak:

# ls -al /etc/krb5.*
-rw-r--r--. 1 root root 433 Oct 16 09:30 /etc/krb5.conf
-rw-r--r--. 1 root root 432 Sep 10 19:23 /etc/krb5.conf.bak
-rw-------. 1 root root 972 Oct 25 09:58 /etc/krb5.keytab

Comment 27 Daniel Walsh 2012-10-30 19:48:20 UTC
I am sure Miroslav meant authconfig.

Comment 28 Daniel Walsh 2012-10-30 20:00:01 UTC
Added an authconfig policy in F18, and allowed realmd to transition to it.

Fixed in selinux-policy-3.11.1-47.fc18.noarch

Comment 29 Miroslav Grepl 2012-10-31 13:03:29 UTC
Stef,
could you test it with this build, which is available from Koji?

Comment 30 Fedora End Of Life 2013-04-03 20:33:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 31 Fedora Update System 2013-04-08 11:44:51 UTC
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Comment 32 Fedora Update System 2013-04-08 15:57:54 UTC
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

Comment 33 Fedora Update System 2013-04-19 05:57:07 UTC
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.