Bug 1030273 - avc appears on setting "ldap_tls_cacertdir=/etc/openldap/certs" in sssd.conf
Summary: avc appears on setting "ldap_tls_cacertdir=/etc/openldap/certs" in sssd.conf
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-14 09:27 UTC by Kaushik Banerjee
Modified: 2014-08-04 07:37 UTC (History)

Fixed In Version: selinux-policy-3.12.1-109.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:55:58 UTC
Target Upstream Version:
Embargoed:



Description Kaushik Banerjee 2013-11-14 09:27:26 UTC
Description of problem:
SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-99.el7
sssd-1.11.1-2.el7

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd.conf as follows:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAPTEST

[domain/LDAPTEST]
debug_level = 9
id_provider = ldap
ldap_uri = ldaps://<ldapserver>
ldap_search_base = dc=example,dc=com
enumerate = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert.asc


2. Start sssd

Actual results:
Lookup and auth works fine. However, the following avc is seen.

SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_be should be allowed read access on the certs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sssd_be /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:slapd_cert_t:s0
Target Objects                /etc/openldap/certs [ dir ]
Source                        sssd_be
Source Path                   /usr/libexec/sssd/sssd_be
Port                          <Unknown>
Host                          dhcp207-191.lab.eng.pnq.redhat.com
Source RPM Packages           sssd-common-1.11.1-2.el7.x86_64
Target RPM Packages           openldap-2.4.35-7.el7.x86_64
Policy RPM                    selinux-policy-3.12.1-99.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp207-191.lab.eng.pnq.redhat.com
Platform                      Linux dhcp207-191.lab.eng.pnq.redhat.com
                              3.10.0-15.el7.x86_64 #1 SMP Fri Aug 30 14:42:21
                              EDT 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-30 13:38:39 IST
Last Seen                     2013-11-14 14:48:45 IST
Local ID                      390eb88a-89e3-4f16-b8d0-5a46466cdb14

Raw Audit Messages
type=AVC msg=audit(1384420725.562:34932): avc:  denied  { read } for  pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir


type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f107173fc00 a2=90800 a3=0 items=0 ppid=21262 pid=21263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: sssd_be,sssd_t,slapd_cert_t,dir,read


Expected results:


Additional info:

Comment 4 Miroslav Grepl 2013-11-25 10:14:25 UTC
commit 75611932c49452a95879708bc27c25672ea2bc4f
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 25 11:13:58 2013 +0100

    Fix ldap_read_certs() interface

Comment 7 Nirupama Karandikar 2013-12-09 11:53:09 UTC
Hello,

Able to reproduce the same issue with sssd-1.11.2-10.el7.x86_64 and selinux-policy-3.12.1-108.el7.noarch; tried the following steps.

# cacertdir_rehash /etc/openldap/certs/

# ll /etc/openldap/certs/
total 8
lrwxrwxrwx. 1 root root   10 Dec  9 17:17 111255b6.0 -> cacert.pem
-rw-r--r--. 1 root root 4710 Nov 12 12:26 cacert.pem

From sssd.conf :
[domain/LDAP]
..
..
.
ldap_tls_cacertdir = /etc/openldap/certs
..
.

From /var/log/audit/audit.log :

-----------------------
type=AVC msg=audit(1386589331.566:3530): avc:  denied  { read } for  pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1386589331.566:3530): arch=c000003e syscall=4 success=no exit=-13 a0=7ff27a041710 a1=7fff6d8c5650 a2=7fff6d8c5650 a3=2e items=0 ppid=2243 pid=2244 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
------------------------

Issue does not occur if we use "ldap_tls_cacert = /etc/openldap/certs/cacert.pem" in sssd.conf

Niru

Comment 8 Milos Malik 2013-12-09 12:26:11 UTC
The issue you described is slightly different. Comment#0 is related to /etc/openldap/certs directory, while comment#7 is related to a symbolic link inside the /etc/openldap/certs directory. But you are right that both issues should be fixed.
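The distinction drawn in comment 8 (a denial on the directory in comment 0, a denial on a symlink inside it in comment 7) is easy to lose when you feed audit.log to audit2allow once and move on. The following is an added example, not code from this bug or from the selinux-policy or sssd projects: it parses the AVC records quoted above, groups them the way audit2allow does, renders the resulting local module, and then checks which (source, target, class, permission) tuples a given set of allowed accesses still leaves denied. The sample log is constructed from the two AVC lines quoted in this bug plus one unrelated httpd_t denial added so the filter has something to reject; the module name mypol is taken from the setroubleshoot suggestion in comment 0 and is otherwise arbitrary.

```python
import re

# Constructed sample input: the two AVC records quoted in this bug (comment 0 and
# comment 7) plus one unrelated httpd_t denial added here so that the
# source/target filter has something to exclude. Not a capture from a real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1384420725.562:34932): avc:  denied  { read } for  pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f107173fc00 a2=90800 a3=0 items=0 ppid=21262 pid=21263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1386589331.566:3530): avc:  denied  { read } for  pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1386589400.000:3531): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<action>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # The SELinux type is the third colon-separated field of a context; this also
    # holds for MLS/MCS contexts such as user_u:role_r:type_t:s0-s0:c0.c1023.
    return {
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "tclass": kv["tclass"],
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
    }


def parse_audit_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def merge_denials(records, stype=None, ttype=None):
    """Group denied permissions by (source type, target type, object class),
    optionally restricted to one source/target pair. This is the aggregation
    audit2allow performs before it prints allow rules."""
    merged = {}
    for r in records:
        if r["action"] != "denied":
            continue
        if (stype and r["stype"] != stype) or (ttype and r["ttype"] != ttype):
            continue
        merged.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return merged


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(merged):
    return ["allow %s %s:%s %s;" % (s, t, c, format_perms(p))
            for (s, t, c), p in sorted(merged.items())]


def te_module(name, merged):
    """Render a local policy module (.te) in the style of `audit2allow -M`.
    The bug's actual fix is the ldap_read_certs() interface in selinux-policy;
    a local module like this is only the stop-gap setroubleshoot suggests."""
    types = sorted({x for (s, t, _c) in merged for x in (s, t)})
    classes = {}
    for (_s, _t, c), p in merged.items():
        classes.setdefault(c, set()).update(p)
    lines = ["policy_module(%s, 1.0)" % name, "", "require {"]
    lines += ["\ttype %s;" % x for x in types]
    lines += ["\tclass %s %s;" % (c, format_perms(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(merged)
    return "\n".join(lines) + "\n"


def still_denied(merged, granted):
    """Return the (stype, ttype, tclass, perm) tuples in `merged` that are not in
    `granted`, a set of tuples describing what the current policy already allows.
    A rule written from the first denial alone (the directory) says nothing about
    the lnk_file objects cacertdir_rehash creates inside it."""
    return sorted((s, t, c, p) for (s, t, c), perms in merged.items()
                  for p in perms if (s, t, c, p) not in granted)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    sssd = merge_denials(recs, stype="sssd_t", ttype="slapd_cert_t")
    print(te_module("mypol", sssd))
    dir_only = {("sssd_t", "slapd_cert_t", "dir", "read")}
    print("still denied after allowing only the dir:", still_denied(sssd, dir_only))
```

On a real RHEL 7 host the right fix is the updated selinux-policy package recorded in "Fixed In Version" rather than a locally generated module; if you do install a stop-gap module, restrict it to the one source/target pair as above, inspect the rendered rules before `semodule -i`, and rerun the check after the next denial, since each object class reached while walking the cacertdir (the directory, then the rehash symlinks) shows up as a separate AVC.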

Comment 9 Miroslav Grepl 2013-12-09 20:59:16 UTC
commit 42f3bf8833f5ac8080c1f010797bb142f99cfb73
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 9 21:58:32 2013 +0100

    Fix ldap_read_certs() interface to also allow access to link files

Comment 11 Ludek Smid 2014-06-13 10:55:58 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

