Bug 1030273 - avc appears on setting "ldap_tls_cacertdir=/etc/openldap/certs" in sssd.conf
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Keywords: TestBlocker
Reported: 2013-11-14 04:27 EST by Kaushik Banerjee
Modified: 2014-08-04 03:37 EDT

Fixed In Version: selinux-policy-3.12.1-109.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 06:55:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---

Attachments: None
Description Kaushik Banerjee 2013-11-14 04:27:26 EST
Description of problem:
SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup sssd.conf as follows:
config_file_version = 2
services = nss, pam
domains = LDAPTEST

debug_level = 9
id_provider = ldap
ldap_uri = ldaps://<ldapserver>
ldap_search_base = dc=example,dc=com
enumerate = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert.asc

2. Start sssd

Actual results:
Lookup and auth work fine. However, the following AVC is seen.

SELinux is preventing /usr/libexec/sssd/sssd_be from read access on the directory /etc/openldap/certs.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_be should be allowed read access on the certs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep sssd_be /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:slapd_cert_t:s0
Target Objects                /etc/openldap/certs [ dir ]
Source                        sssd_be
Source Path                   /usr/libexec/sssd/sssd_be
Port                          <Unknown>
Host                          dhcp207-191.lab.eng.pnq.redhat.com
Source RPM Packages           sssd-common-1.11.1-2.el7.x86_64
Target RPM Packages           openldap-2.4.35-7.el7.x86_64
Policy RPM                    selinux-policy-3.12.1-99.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp207-191.lab.eng.pnq.redhat.com
Platform                      Linux dhcp207-191.lab.eng.pnq.redhat.com
                              3.10.0-15.el7.x86_64 #1 SMP Fri Aug 30 14:42:21
                              EDT 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-30 13:38:39 IST
Last Seen                     2013-11-14 14:48:45 IST
Local ID                      390eb88a-89e3-4f16-b8d0-5a46466cdb14

Raw Audit Messages
type=AVC msg=audit(1384420725.562:34932): avc:  denied  { read } for  pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f107173fc00 a2=90800 a3=0 items=0 ppid=21262 pid=21263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)

Hash: sssd_be,sssd_t,slapd_cert_t,dir,read

Expected results:

Additional info:
Comment 4 Miroslav Grepl 2013-11-25 05:14:25 EST
commit 75611932c49452a95879708bc27c25672ea2bc4f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Nov 25 11:13:58 2013 +0100

    Fix ldap_read_certs() interface
Comment 7 Nirupama Karandikar 2013-12-09 06:53:09 EST

Able to reproduce the same issue with sssd-1.11.2-10.el7.x86_64 and selinux-policy-3.12.1-108.el7.noarch; tried the following steps.

# cacertdir_rehash /etc/openldap/certs/

# ll /etc/openldap/certs/
total 8
lrwxrwxrwx. 1 root root   10 Dec  9 17:17 111255b6.0 -> cacert.pem
-rw-r--r--. 1 root root 4710 Nov 12 12:26 cacert.pem

From sssd.conf :
ldap_tls_cacertdir = /etc/openldap/certs

From /var/log/audit/audit.log :

type=AVC msg=audit(1386589331.566:3530): avc:  denied  { read } for  pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1386589331.566:3530): arch=c000003e syscall=4 success=no exit=-13 a0=7ff27a041710 a1=7fff6d8c5650 a2=7fff6d8c5650 a3=2e items=0 ppid=2243 pid=2244 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)

The issue does not occur if we use "ldap_tls_cacert = /etc/openldap/certs/cacert.pem" in sssd.conf.

Comment 8 Milos Malik 2013-12-09 07:26:11 EST
The issue you described is slightly different. Comment#0 is related to /etc/openldap/certs directory, while comment#7 is related to a symbolic link inside the /etc/openldap/certs directory. But you are right that both issues should be fixed.
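As an added triage example (not part of this bug or of the selinux-policy fix), the script below collapses the AVC records quoted in comment 0 and comment 7 into the distinct (class, permission) pairs that the ldap_read_certs() interface had to grant for the sssd_t to slapd_cert_t type pair. The audit lines are constructed from this bug (the SYSCALL record is shortened), with one unrelated httpd denial added to show that filtering by type pair works; the function and constant names are the example's own.

```python
import re

# Constructed sample log: the two denials quoted in this bug (comment 0: the certs
# directory itself; comment 7: the hashed symlink inside it) plus an unrelated
# denial that a triage for the sssd_t -> slapd_cert_t pair must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1384420725.562:34932): avc:  denied  { read } for  pid=21263 comm="sssd_be" name="certs" dev="dm-1" ino=217 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1384420725.562:34932): arch=x86_64 syscall=openat success=no exit=EACCES comm=sssd_be
type=AVC msg=audit(1386589331.566:3530): avc:  denied  { read } for  pid=2244 comm="sssd_be" name="111255b6.0" dev="dm-1" ino=50605447 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:slapd_cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1386589400.000:3601): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one denied AVC record into a dict (None for SYSCALL/granted records)."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx):
    """Contexts are user:role:type[:level]; only the type field drives TE rules."""
    return ctx.split(":")[2]


def required_rules(log_text, source_type="sssd_t", target_type="slapd_cert_t"):
    """Collapse every denial for source_type -> target_type into {tclass: [perms]}:
    the accesses a policy interface such as ldap_read_certs() has to grant."""
    rules = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or context_type(rec["scontext"]) != source_type:
            continue
        if context_type(rec["tcontext"]) != target_type:
            continue  # the type pair is what matters, even if the SELinux user differs
        rules.setdefault(rec["tclass"], set()).update(rec["perms"])
    return {cls: sorted(perms) for cls, perms in rules.items()}


def as_te_rules(rules, source_type="sssd_t", target_type="slapd_cert_t"):
    """Render the collapsed denials as TE allow rules for policy review."""
    return [f"allow {source_type} {target_type}:{cls} {{ {' '.join(perms)} }};"
            for cls, perms in sorted(rules.items())]
```

Running required_rules over only the comment 0 record yields the dir rule alone, which is exactly why the first fix had to be followed by the lnk_file one.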
Comment 9 Miroslav Grepl 2013-12-09 15:59:16 EST
commit 42f3bf8833f5ac8080c1f010797bb142f99cfb73
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Dec 9 21:58:32 2013 +0100

    Fix ldap_read_certs() interface to also allow access to link files
Comment 11 Ludek Smid 2014-06-13 06:55:58 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
