Bug 1284908 - SELinux prevents snort from communicating with sssd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Simon Sekidde
QA Contact: Milos Malik
Reported: 2015-11-24 07:57 EST by Milos Malik
Modified: 2016-11-03 22:25 EDT
Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Last Closed: 2016-11-03 22:25:05 EDT
Type: Bug
Description Milos Malik 2015-11-24 07:57:41 EST
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-doc-3.13.1-60.el7.noarch
selinux-policy-minimum-3.13.1-60.el7.noarch
selinux-policy-mls-3.13.1-60.el7.noarch
selinux-policy-sandbox-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch
snort-2.9.7.6-1.x86_64 ( https://www.snort.org/downloads/snort/snort-2.9.7.6-1.centos7.x86_64.rpm )

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.2 machine
2. install, configure and start sssd
3. modify /etc/nsswitch.conf
# grep sss /etc/nsswitch.conf
passwd:     sss files
shadow:     sss files
group:      sss files
services:   sss files
netgroup:   sss files
#
4. service snortd start
5. search for AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(11/24/2015 13:50:24.997:159) : item=0 name=/var/lib/sss/mc/group objtype=UNKNOWN 
type=CWD msg=audit(11/24/2015 13:50:24.997:159) :  cwd=/var/log/snort 
type=SYSCALL msg=audit(11/24/2015 13:50:24.997:159) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x1b50670 a1=O_RDONLY|O_CLOEXEC a2=0x7fff15cb42f4 a3=0x5 items=1 ppid=3164 pid=3166 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:50:24.997:159) : avc:  denied  { search } for  pid=3166 comm=snort name=sss dev="vda3" ino=34398191 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=PATH msg=audit(11/24/2015 13:56:10.914:183) : item=0 name=/var/lib/sss/mc/passwd inode=17910943 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_public_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/24/2015 13:56:10.914:183) :  cwd=/var/log/snort 
type=SYSCALL msg=audit(11/24/2015 13:56:10.914:183) : arch=x86_64 syscall=open success=yes exit=3 a0=0x2d73690 a1=O_RDONLY|O_CLOEXEC a2=0x7ffc668f2c54 a3=0x7ffc668f2990 items=1 ppid=4066 pid=4068 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { open } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { read } for  pid=4068 comm=snort name=passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/24/2015 13:56:10.917:184) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffc668f2c60 a2=0x7ffc668f2c60 a3=0x7ffc668f29c0 items=0 ppid=4066 pid=4068 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:56:10.917:184) : avc:  denied  { getattr } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file 
----
type=PATH msg=audit(11/24/2015 13:56:10.917:185) : item=0 name=/var/lib/sss/pipes/nss inode=34398178 dev=fd:03 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/24/2015 13:56:10.917:185) :  cwd=/var/log/snort 
type=SOCKADDR msg=audit(11/24/2015 13:56:10.917:185) : saddr=local /var/lib/sss/pipes/nss 
type=SYSCALL msg=audit(11/24/2015 13:56:10.917:185) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffc668f2c20 a2=0x6e a3=0x7ffc668f2940 items=1 ppid=4066 pid=4068 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snort exe=/usr/sbin/snort-plain subj=system_u:system_r:snort_t:s0 key=(null) 
type=AVC msg=audit(11/24/2015 13:56:10.917:185) : avc:  denied  { write } for  pid=4068 comm=snort name=nss dev="vda3" ino=34398178 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file 
----
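The enforcing-mode trace above stops at the first denial (search on the sss directory) because snort never gets past it, while the permissive run records the complete set snort needs; that full set is what a policy maintainer aggregates before deciding which rules to grant. As an added example, not code from the report or from selinux-policy, the following Python groups the AVC records quoted above by source type, target type and object class and renders them as raw allow rules, the same aggregation step audit2allow performs:

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above: the enforcing-mode AVC, then the
# permissive-mode AVCs; the CWD record is included to show non-AVC lines are skipped.
AUDIT_SAMPLE = """\
type=AVC msg=audit(11/24/2015 13:50:24.997:159) : avc:  denied  { search } for  pid=3166 comm=snort name=sss dev="vda3" ino=34398191 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=CWD msg=audit(11/24/2015 13:56:10.914:183) :  cwd=/var/log/snort
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { open } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(11/24/2015 13:56:10.914:183) : avc:  denied  { read } for  pid=4068 comm=snort name=passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(11/24/2015 13:56:10.917:184) : avc:  denied  { getattr } for  pid=4068 comm=snort path=/var/lib/sss/mc/passwd dev="vda3" ino=17910943 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(11/24/2015 13:56:10.917:185) : avc:  denied  { write } for  pid=4068 comm=snort name=nss dev="vda3" ino=34398178 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
"""

# ausearch -i style AVC fields that matter for policy: result, permissions, contexts, class.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the policy-relevant fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec

def type_of(context):
    # system_u:system_r:snort_t:s0 -> snort_t (index 2, so an MLS range after it is harmless)
    return context.split(":")[2]

def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            summary[key] |= rec["perms"]
    return dict(summary)

def to_allow_rules(summary):
    """Render grouped denials as Type Enforcement allow rules in a stable order."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize_denials(AUDIT_SAMPLE))))
```

The printed rules are only the summary of what the quoted denials would require; the supported policy change is the one shipped in selinux-policy-3.13.1-83.el7, the report's Fixed In Version.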
Comment 5 errata-xmlrpc 2016-11-03 22:25:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
