Bug 1348447 - SSSD: sssd_ssh should be allowed to name_connect to port 80 for contact OCSP responder
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-21 08:10 UTC by Martin Stefany
Modified: 2016-07-14 00:24 UTC (History)

Fixed In Version: selinux-policy-3.13.1-158.20.fc23 selinux-policy-3.13.1-158.21.fc23
Clone Of:
Environment:
Last Closed: 2016-07-14 00:24:41 UTC
Type: Bug
Embargoed:



Description Martin Stefany 2016-06-21 08:10:03 UTC
Description of problem:
SSSD's sssd_ssh component generates SELinux AVCs as it tries to name_connect to port 80 of the OCSP responder and is denied access.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-158.15.fc23.noarch
selinux-policy-targeted-3.13.1-158.15.fc23.noarch
sssd-1.13.4-3.fc23.x86_64


How reproducible:
The user needs to have a user certificate in FreeIPA, then tries to SSH into the system with pubkey authentication.


Steps to Reproduce:
1. Create a user in FreeIPA and create a userCertificate for the user
2. Let that user SSH into a FreeIPA-joined host with pubkey authentication
3. Observe AVCs in /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1466495870.659:9237): avc:  denied  { name_connect } for  pid=27415 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1466495870.660:9238): avc:  denied  { name_connect } for  pid=27415 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0


Expected results:
No AVCs.


Additional info:
- In my case this causes the whole authentication to fail, because sss_ssh_authorizedkeys also has errors, but as requested in https://www.redhat.com/archives/freeipa-users/2016-June/msg00351.html I'm opening a bug to fix these AVCs
- I was not able to observe this behaviour on RHEL/CentOS 7.2, only on Fedora 23, maybe because of a probably newer SSSD, but please still consider backporting to RHEL/CentOS.
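
Added example (not from the bug report or the selinux-policy project): a small Python triage helper that parses the two AVC records above the way audit2allow does, merges denials by source type, target type and object class, and renders the Type Enforcement rule a local policy module would need. The sample audit text is the two records quoted in this report plus one constructed non-AVC record to show that unrelated lines are ignored.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this bug report, plus one
# unrelated (constructed) record to show that non-AVC lines are ignored.
AUDIT_LINES = """\
type=AVC msg=audit(1466495870.659:9237): avc:  denied  { name_connect } for  pid=27415 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1466495870.660:9238): avc:  denied  { name_connect } for  pid=27415 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AUTH msg=audit(1466495870.661:9239): pid=27410 uid=0 msg='op=PAM:authentication'
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one denied AVC record that a rule needs, or None."""
    m = DENIED_RE.search(line) if line.startswith("type=AVC") else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # A context is user:role:type:level; only the type appears in a TE rule.
        return {
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm"),
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # malformed record: skip it rather than guess

def summarize_denials(text):
    """Merge denials by (source type, target type, class) -> permission set."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(merged)

def te_rules(merged):
    """Render merged denials as Type Enforcement allow rules, one per key."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]
```

For the records above this yields `allow sssd_t http_port_t:tcp_socket { name_connect };`. A generated rule is a stopgap for a local module and should be reviewed for over-broad permissions before loading; the proper fix is the updated distribution policy named in the errata on this page.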

Comment 1 Fedora Update System 2016-06-22 22:59:10 UTC
selinux-policy-3.13.1-158.20.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4c9c2badcb

Comment 2 Fedora Update System 2016-07-02 20:55:08 UTC
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7bed6e7c72

Comment 3 Fedora Update System 2016-07-14 00:23:54 UTC
selinux-policy-3.13.1-158.21.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
