1275744 – SELinux prevents oddjobd from communicating with SSSD

Bug 1275744 - SELinux prevents oddjobd from communicating with SSSD

Summary: SELinux prevents oddjobd from communicating with SSSD

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.7
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Simon Sekidde
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-27 15:51 UTC by Milos Malik
Modified:	2016-09-02 09:02 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.7.19-286.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-10 20:02:14 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:0763	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2016-05-10 22:33:46 UTC

Description Milos Malik 2015-10-27 15:51:27 UTC

Description of problem:
 * oddjobd cannot communicate with SSSD when /etc/nsswitch.conf mentions "sss" before "files"

Version-Release number of selected component (if applicable):
oddjob-0.30-5.el6.x86_64
oddjob-mkhomedir-0.30-5.el6.x86_64
selinux-policy-3.7.19-279.el6_7.7.noarch
selinux-policy-doc-3.7.19-279.el6_7.7.noarch
selinux-policy-minimum-3.7.19-279.el6_7.7.noarch
selinux-policy-mls-3.7.19-279.el6_7.7.noarch
selinux-policy-targeted-3.7.19-279.el6_7.7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.7 machine
2. install, configure and start sssd
3. modify /etc/nsswitch.conf
# grep sss /etc/nsswitch.conf
passwd:     sss files
shadow:     sss files
group:      sss files
services:   sss files
netgroup:   sss files
#
4. call oddjob-mkhomedir via D-bus
# gdbus introspect --system --object-path / --dest com.redhat.oddjob_mkhomedir
5. search for SELinux denials

Actual results (enforcing mode):
----
type=PATH msg=audit(10/27/2015 16:30:45.157:1381) : item=0 name=/var/lib/sss/mc/passwd inode=25543 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(10/27/2015 16:30:45.157:1381) :  cwd=/ 
type=SYSCALL msg=audit(10/27/2015 16:30:45.157:1381) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x8b1950 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc5f44007c a3=0x17 items=1 ppid=1 pid=4284 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/27/2015 16:30:45.157:1381) : avc:  denied  { search } for  pid=4284 comm=oddjobd name=sss dev=vda3 ino=25543 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----
type=PATH msg=audit(10/27/2015 16:30:45.157:1382) : item=0 name=(null) inode=25543 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=SOCKADDR msg=audit(10/27/2015 16:30:45.157:1382) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(10/27/2015 16:30:45.157:1382) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x4 a1=0x7ffc5f440040 a2=0x6e a3=0x17 items=1 ppid=1 pid=4284 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/27/2015 16:30:45.157:1382) : avc:  denied  { search } for  pid=4284 comm=oddjobd name=sss dev=vda3 ino=25543 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=SYSCALL msg=audit(10/27/2015 16:36:19.338:1398) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffc5f43ffe0 a2=0x7ffc5f43ffe0 a3=0x17 items=0 ppid=1 pid=4284 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/27/2015 16:36:19.338:1398) : avc:  denied  { getattr } for  pid=4284 comm=oddjobd path=/var/lib/sss/mc/passwd dev=vda3 ino=25491 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sssd_public_t:s0 tclass=file 
----
type=PATH msg=audit(10/27/2015 16:36:19.337:1397) : item=0 name=/var/lib/sss/mc/passwd inode=25491 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:sssd_public_t:s0 nametype=NORMAL 
type=CWD msg=audit(10/27/2015 16:36:19.337:1397) :  cwd=/ 
type=SYSCALL msg=audit(10/27/2015 16:36:19.337:1397) : arch=x86_64 syscall=open success=yes exit=4 a0=0x8bcea0 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc5f44007c a3=0x17 items=1 ppid=1 pid=4284 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/27/2015 16:36:19.337:1397) : avc:  denied  { open } for  pid=4284 comm=oddjobd name=passwd dev=vda3 ino=25491 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(10/27/2015 16:36:19.337:1397) : avc:  denied  { read } for  pid=4284 comm=oddjobd name=passwd dev=vda3 ino=25491 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(10/27/2015 16:36:19.337:1397) : avc:  denied  { search } for  pid=4284 comm=oddjobd name=mc dev=vda3 ino=25545 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir 
type=AVC msg=audit(10/27/2015 16:36:19.337:1397) : avc:  denied  { search } for  pid=4284 comm=oddjobd name=sss dev=vda3 ino=25543 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----
type=PATH msg=audit(10/27/2015 16:36:19.338:1399) : item=0 name=(null) inode=370 dev=fc:03 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL 
type=SOCKADDR msg=audit(10/27/2015 16:36:19.338:1399) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(10/27/2015 16:36:19.338:1399) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffc5f440040 a2=0x6e a3=0x0 items=1 ppid=1 pid=4284 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=oddjobd exe=/usr/sbin/oddjobd subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/27/2015 16:36:19.338:1399) : avc:  denied  { connectto } for  pid=4284 comm=oddjobd path=/var/lib/sss/pipes/nss scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(10/27/2015 16:36:19.338:1399) : avc:  denied  { write } for  pid=4284 comm=oddjobd name=nss dev=vda3 ino=370 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=sock_file 
----

Expected results:
 * no SELinux denials

Comment 6 errata-xmlrpc 2016-05-10 20:02:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

Note You need to log in before you can comment on or make changes to this bug.