Bug 1256636 - SELinux policy prevents nsupdate from reading nsswitch.conf during domain join
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Patrik Kis
Reported: 2015-08-25 03:20 EDT by Stef Walter
Modified: 2016-05-03 07:40 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-05-03 07:40:20 EDT
Type: Bug
Description Stef Walter 2015-08-25 03:20:00 EDT
Description of problem:

The RHEL SELinux policy prevents reading the nsswitch.conf file by nsupdate during a realmd join. 

Unexpected journal message 'type=1400 audit(1439814384.481:4): avc:  denied  { read } for  pid=3008 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file'
Unexpected journal message 'type=1400 audit(1439814384.483:5): avc:  denied  { read } for  pid=3008 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file'
Unexpected journal message 'type=1400 audit(1439814384.497:6): avc:  denied  { read } for  pid=3008 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file'
Unexpected journal message 'type=1400 audit(1439814384.511:7): avc:  denied  { read } for  pid=3008 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file'

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-23.el7_1.13.noarch

How reproducible:

Sporadically during Cockpit testing.
Comment 1 Stef Walter 2015-08-25 03:22:09 EDT
realmd-0.14.6-6.el7.x86_64
sssd-1.12.2-58.el7_1.14.x86_64
bind-utils-9.9.4-18.el7_1.3.x86_64
Comment 2 Stef Walter 2015-08-25 03:30:07 EDT
This problem was caught by Cockpit integration testing.

We'll be committing a work around to the Cockpit integration tests, to ignore this issue until it's fixed: https://github.com/cockpit-project/cockpit/pull/2613
Comment 4 Milos Malik 2015-08-25 03:41:04 EDT
Where is the nsswitch.conf file located? The same file in the usual location should be labeled differently:

# matchpathcon /etc/nsswitch.conf
/etc/nsswitch.conf	system_u:object_r:etc_t:s0
#
Comment 5 Stef Walter 2015-08-25 04:47:47 EDT
I'm not aware of any way to move the nsswitch.conf file.

sssd is running nsupdate. nsupdate is accessing /etc/nsswitch.conf (likely via glibc, as many processes do).

realmd does run authconfig, which does change the /etc/nsswitch.conf file. Perhaps it's not getting labelled correctly when that happens?
Comment 6 Lukas Vrabec 2015-08-25 07:03:40 EDT
Hi Stef, 
Yes, nsswitch.conf is not labelled correctly. 

Is it possible to reproduce it always?
Comment 7 Miroslav Grepl 2015-08-25 11:13:10 EDT
nsswitch.conf is labeled as realmd_var_lib_t. It means it has been moved from /var/lib/ipa-client. 

Is this a test issue or is this something where we need to run restorecon?

What does

# ls -lZ /etc/nsswitch.conf

show after re-testing?
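As an added illustration of the triage question raised in this comment (a mislabeled file that needs restorecon versus a genuine policy gap), and not code from the bug thread: a small Python helper that parses AVC records like the ones quoted in the description, collapses the repeated denials, and compares the object's type with the label matchpathcon printed in comment 4. The sample log and the basename-keyed EXPECTED_TYPE table are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log: two of the AVC records quoted in this bug (they differ only in
# the audit serial) plus one made-up record whose target carries the correct etc_t label.
SAMPLE_LOG = """\
type=1400 audit(1439814384.481:4): avc:  denied  { read } for  pid=3008 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=1400 audit(1439814384.483:5): avc:  denied  { read } for  pid=3008 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=1400 audit(1439814400.000:9): avc:  denied  { write } for  pid=3100 comm="nsupdate" name="nsswitch.conf" dev="vda1" ino=33672835 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Policy-default type of the object, as `matchpathcon /etc/nsswitch.conf` prints in comment 4.
# Assumption: the AVC record only carries the basename, so the table is keyed by name; on a
# real host resolve the path from the dev/ino pair and ask matchpathcon instead.
EXPECTED_TYPE = {"nsswitch.conf": "etc_t"}
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC audit line as a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec

def selinux_type(context):
    """Extract the type field from a user:role:type[:level] context string."""
    return context.split(":")[2]

def triage(log_text):
    """Collapse repeated denials and classify each as a mislabeled object or a policy gap."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec.get("comm"), rec.get("name"), rec["tclass"],
                   selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["perms"])
            seen[key] += 1
    findings = []
    for (comm, name, tclass, stype, ttype, perms), n in seen.items():
        expected = EXPECTED_TYPE.get(name)
        if expected and expected != ttype:
            verdict = "mislabeled"  # foreign label on the file: restorecon is the fix, not a policy change
        else:
            verdict = "policy-gap"  # label matches the policy default: review the missing allow rule
        findings.append({"comm": comm, "name": name, "tclass": tclass, "subject": stype, "object": ttype,
                         "expected": expected, "perms": perms, "count": n, "verdict": verdict})
    return findings
```

Run on the sample, the two quoted denials fold into one "mislabeled" finding (realmd_var_lib_t where etc_t is expected) and the constructed record becomes a separate "policy-gap" finding.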
Comment 10 Miroslav Grepl 2016-04-25 11:46:03 EDT
Are you still getting it?
Comment 11 Stef Walter 2016-04-26 04:55:10 EDT
Hmmm, this isn't tracked by a "known issue" in our testing system. So we don't have data on how often it occurs.

I've made a pull request to start to remove the workaround for this issue, and we can see within the next week or so if it happens again:

https://github.com/cockpit-project/cockpit/pull/4289
Comment 12 Miroslav Grepl 2016-05-03 07:40:20 EDT
Ok, please reopen the bug if you can get it again.

Thank you.
