Bug 1373265 - sssd need write access to /etc/sssd/
Summary: sssd need write access to /etc/sssd/
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-05 15:58 UTC by Patrik Kis
Modified: 2017-02-13 09:44 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-13 09:44:47 UTC
Target Upstream Version:
Embargoed:




Links
- Red Hat Bugzilla 1350535 (medium, CLOSED): sssd needs access to /etc/sssd/conf.d (last updated 2021-02-22 00:41:40 UTC)
- Red Hat Bugzilla 1378108 (medium, CLOSED): AVC denial: scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=... (last updated 2021-02-22 00:41:40 UTC)

Description Patrik Kis 2016-09-05 15:58:17 UTC
Description of problem:
type=SYSCALL msg=audit(09/05/2016 11:43:50.109:373) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f775c0aa1ba a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x30733a745f666e6f items=0 ppid=1 pid=17609 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/05/2016 11:43:50.109:373) : avc:  denied  { write } for  pid=17609 comm=sssd name=sssd dev="dm-0" ino=51240645 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
always

Steps to Reproduce:
# ipa-client-install --uninstall

Comment 1 Patrik Kis 2016-09-06 07:22:54 UTC
A few more AVC denials appeared in permissive mode:

----
type=SYSCALL msg=audit(09/06/2016 03:18:12.063:438) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7f9078cf61ba a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x30733a745f666e6f items=0 ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write } for  pid=16303 comm=sssd path=/etc/sssd/sssd.conf dev="dm-0" ino=101340868 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { create } for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { add_name } for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write } for  pid=16303 comm=sssd name=sssd dev="dm-0" ino=101108507 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.073:439) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0x6 a1=0x0 a2=0x0 a3=0x7ffde293f570 items=0 ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.073:439) : avc:  denied  { setattr } for  pid=16303 comm=sssd name=sssd.conf dev="dm-0" ino=101340868 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.746:440) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x10 a1=0x7ffde293fa20 a2=0x29 a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.746:440) : avc:  denied  { create } for  pid=16304 comm=sssd name=sbus-monitor scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.747:441) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f9079e31db0 a1=0777 a2=0x1 a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.747:441) : avc:  denied  { setattr } for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.747:442) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7f9079e2e2ba a1=0x7ffde293fdb0 a2=0x7ffde293fdb0 a3=0x7ffde293f9d0 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.747:442) : avc:  denied  { getattr } for  pid=16304 comm=sssd path=/var/lib/sss/pipes/private/sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:18:12.756:443) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x11 a1=0x7fff6536e710 a2=0x29 a3=0x7fff6536e480 items=0 ppid=16304 pid=16305 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:18:12.756:443) : avc:  denied  { write } for  pid=16305 comm=sssd_be name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:23.916:451) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f9078cf53cf a1=0x7ffde293fc44 a2=0xfffffffffffffe50 a3=0x0 items=0 ppid=1 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:23.916:451) : avc:  denied  { unlink } for  pid=16304 comm=sssd name=sssd.pid dev="tmpfs" ino=92615 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:23.916:452) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f9079e251d0 a1=0x0 a2=0x2f a3=0x7ffde293f7a0 items=0 ppid=1 pid=16304 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:23.916:452) : avc:  denied  { unlink } for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:24.012:455) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f1b614b2cf0 a1=O_RDWR|O_CREAT a2=0666 a3=0x3 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:24.012:455) : avc:  denied  { write } for  pid=16474 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:24.012:456) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f1b614b32b0 a1=root a2=root a3=0x7ffebf42d390 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:24.012:456) : avc:  denied  { setattr } for  pid=16474 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:25.104:463) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f575f12dbf0 a1=O_RDWR|O_CREAT a2=0666 a3=0x3 items=0 ppid=16559 pid=16560 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:25.104:463) : avc:  denied  { write } for  pid=16560 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:19:25.104:464) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f575f12e260 a1=root a2=root a3=0x7ffe0b83e860 items=0 ppid=16559 pid=16560 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:19:25.104:464) : avc:  denied  { setattr } for  pid=16560 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:20:24.960:474) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f4108c127c0 a1=O_RDWR|O_CREAT a2=0666 a3=0x3 items=0 ppid=16836 pid=16837 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:20:24.960:474) : avc:  denied  { write } for  pid=16837 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/06/2016 03:20:24.960:475) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f4108c12eb0 a1=root a2=root a3=0x7ffceb0a6830 items=0 ppid=16836 pid=16837 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(09/06/2016 03:20:24.960:475) : avc:  denied  { setattr } for  pid=16837 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file

Comment 3 Lukas Slebodnik 2016-09-06 07:39:26 UTC
(In reply to Patrik Kis from comment #1)
> A few more AVC denial appeared in permissive mode:
> 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.063:438) : arch=x86_64
> syscall=open success=yes exit=6 a0=0x7f9078cf61ba
> a1=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x30733a745f666e6f items=0
> ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd
> exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write }
> for  pid=16303 comm=sssd path=/etc/sssd/sssd.conf dev="dm-0" ino=101340868
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { create }
> for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { add_name }
> for  pid=16303 comm=sssd name=sssd.conf scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
> type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write }
> for  pid=16303 comm=sssd name=sssd dev="dm-0" ino=101108507
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.073:439) : arch=x86_64
> syscall=fchown success=yes exit=0 a0=0x6 a1=0x0 a2=0x0 a3=0x7ffde293f570
> items=0 ppid=1 pid=16303 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd
> exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.073:439) : avc:  denied  { setattr }
> for  pid=16303 comm=sssd name=sssd.conf dev="dm-0" ino=101340868
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> ----
It is caused by copying default config /usr/lib64/sssd/conf/sssd.conf 
if /etc/sssd/sssd.conf does not exist.

> type=SYSCALL msg=audit(09/06/2016 03:18:12.746:440) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x10 a1=0x7ffde293fa20 a2=0x29
> a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.746:440) : avc:  denied  { create }
> for  pid=16304 comm=sssd name=sbus-monitor
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.747:441) : arch=x86_64
> syscall=chmod success=yes exit=0 a0=0x7f9079e31db0 a1=0777 a2=0x1
> a3=0x7ffde293f780 items=0 ppid=16303 pid=16304 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.747:441) : avc:  denied  { setattr }
> for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.747:442) : arch=x86_64
> syscall=stat success=yes exit=0 a0=0x7f9079e2e2ba a1=0x7ffde293fdb0
> a2=0x7ffde293fdb0 a3=0x7ffde293f9d0 items=0 ppid=16303 pid=16304 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd
> subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.747:442) : avc:  denied  { getattr }
> for  pid=16304 comm=sssd path=/var/lib/sss/pipes/private/sbus-monitor
> dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:18:12.756:443) : arch=x86_64
> syscall=connect success=yes exit=0 a0=0x11 a1=0x7fff6536e710 a2=0x29
> a3=0x7fff6536e480 items=0 ppid=16304 pid=16305 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be
> subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:18:12.756:443) : avc:  denied  { write }
> for  pid=16305 comm=sssd_be name=sbus-monitor dev="dm-0" ino=33605410
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
The previous ones seem to be related to /var/lib/sss/pipes/private/sbus-monitor.
But I do not understand why tcontext is system_u:object_r:sssd_conf_t:s0.


> ----
> type=SYSCALL msg=audit(09/06/2016 03:19:23.916:451) : arch=x86_64
> syscall=unlink success=yes exit=0 a0=0x7f9078cf53cf a1=0x7ffde293fc44
> a2=0xfffffffffffffe50 a3=0x0 items=0 ppid=1 pid=16304 auid=unset uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) ses=unset comm=sssd exe=/usr/sbin/sssd
> subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:23.916:451) : avc:  denied  { unlink }
> for  pid=16304 comm=sssd name=sssd.pid dev="tmpfs" ino=92615
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> ----


> type=SYSCALL msg=audit(09/06/2016 03:19:23.916:452) : arch=x86_64
> syscall=unlink success=yes exit=0 a0=0x7f9079e251d0 a1=0x0 a2=0x2f
> a3=0x7ffde293f7a0 items=0 ppid=1 pid=16304 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:23.916:452) : avc:  denied  { unlink }
> for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:19:24.012:455) : arch=x86_64
> syscall=open success=yes exit=13 a0=0x7f1b614b2cf0 a1=O_RDWR|O_CREAT a2=0666
> a3=0x3 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0 key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:24.012:455) : avc:  denied  { write }
> for  pid=16474 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 
> ----
> type=SYSCALL msg=audit(09/06/2016 03:19:24.012:456) : arch=x86_64
> syscall=chown success=yes exit=0 a0=0x7f1b614b32b0 a1=root a2=root
> a3=0x7ffebf42d390 items=0 ppid=16473 pid=16474 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=sssd exe=/usr/sbin/sssd subj=system_u:system_r:sssd_t:s0
> key=(null) 
> type=AVC msg=audit(09/06/2016 03:19:24.012:456) : avc:  denied  { setattr }
> for  pid=16474 comm=sssd name=cache_shadowutils.ldb dev="dm-0" ino=33605408
> scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file 

cache_shadowutils.ldb says that default configuration was used.
But I do not understand why there is a wrong SELinux context there.

Comment 4 Milos Malik 2016-09-06 07:52:15 UTC
It's weird that /var/lib/sss/pipes/private/sbus-monitor is labeled sssd_conf_t. And sssd.pid should not be labeled sssd_conf_t.
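The denials quoted in comments 1, 3 and 4 mix two different problems: denials on correctly labeled objects under /etc/sssd (the config-copy feature made sssd_t do something the policy never allowed) and denials on objects under /var/lib/sss and /var/run that should never carry sssd_conf_t at all. The script below is an added triage example, not part of this bug report or of the sssd/selinux-policy code. It parses AVC records, resolves `name=`-only records to a path by correlating `dev`/`ino` (and, more weakly, basename) with records that do carry `path=`, and compares the type in tcontext against a table of expected sssd file contexts. Both the sample input (a constructed subset of the audit lines on this page) and the EXPECTED_TYPES table are assumptions; verify the table on a real host with `matchpathcon` or `semanage fcontext -l`.

```python
"""Separate SELinux policy gaps from mislabeled files in AVC denials.

Added example; constructed sample input; EXPECTED_TYPES is an assumption
about the sssd file contexts, to be checked with `matchpathcon <path>`.
"""
import re
from os.path import basename

# Assumed expected object types by path prefix (check on the host).
EXPECTED_TYPES = (
    ("/etc/sssd", "sssd_conf_t"),
    ("/var/lib/sss", "sssd_var_lib_t"),
    ("/var/run/sssd.pid", "sssd_var_run_t"),
)

# Constructed sample: a subset of the AVC records posted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(09/05/2016 11:43:50.109:373) : avc:  denied  { write } for  pid=17609 comm=sssd name=sssd dev="dm-0" ino=51240645 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir
type=AVC msg=audit(09/06/2016 03:18:12.063:438) : avc:  denied  { write } for  pid=16303 comm=sssd path=/etc/sssd/sssd.conf dev="dm-0" ino=101340868 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
type=AVC msg=audit(09/06/2016 03:18:12.746:440) : avc:  denied  { create } for  pid=16304 comm=sssd name=sbus-monitor scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
type=AVC msg=audit(09/06/2016 03:18:12.747:441) : avc:  denied  { setattr } for  pid=16304 comm=sssd name=sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
type=AVC msg=audit(09/06/2016 03:18:12.747:442) : avc:  denied  { getattr } for  pid=16304 comm=sssd path=/var/lib/sss/pipes/private/sbus-monitor dev="dm-0" ino=33605410 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=sock_file
type=AVC msg=audit(09/06/2016 03:19:23.916:451) : avc:  denied  { unlink } for  pid=16304 comm=sssd name=sssd.pid dev="tmpfs" ino=92615 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
type=AVC msg=audit(09/06/2016 03:19:24.012:455) : avc:  denied  { write } for  pid=16474 comm=sssd name=sssd.ldb dev="dm-0" ino=33605407 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
_PERMS = re.compile(r'denied\s*\{\s*([^}]*)\}')   # { write create ... }


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other line."""
    m = _PERMS.search(line)
    if not m or "type=AVC" not in line:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec


def type_of(context):
    """system_u:object_r:sssd_conf_t:s0 -> sssd_conf_t"""
    return context.split(":")[2]


def expected_type(path):
    for prefix, t in EXPECTED_TYPES:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return t
    return None


def resolve_paths(records):
    """Give name=-only records a path by correlating with records that carry
    path=: (dev, ino) identifies the same inode; basename is a weaker hint."""
    by_ino, by_name = {}, {}
    for r in records:
        if "path" in r:
            if "dev" in r and "ino" in r:
                by_ino[(r["dev"], r["ino"])] = r["path"]
            by_name[basename(r["path"])] = r["path"]
    for r in records:
        if "path" in r:
            r["resolved_by"] = "path"
        elif (r.get("dev"), r.get("ino")) in by_ino:
            r["path"], r["resolved_by"] = by_ino[(r["dev"], r["ino"])], "ino"
        elif r.get("name") in by_name:
            r["path"], r["resolved_by"] = by_name[r["name"]], "name"
        else:
            r["resolved_by"] = None
    return records


def classify(rec):
    """Decide whether the denial is a policy gap on a correctly labeled
    object, a mislabeled object, or needs a look at the host first."""
    actual, path = type_of(rec["tcontext"]), rec.get("path")
    if path is None:
        return "unresolved", f"no path for name={rec.get('name')!r}; run `ls -Z` on the host"
    expected = expected_type(path)
    if expected is None:
        return "unknown-path", f"no expected type for {path} in EXPECTED_TYPES"
    if expected == actual:
        return "policy-gap", f"{type_of(rec['scontext'])} lacks {rec['perms']} on correctly labeled {path}"
    return "mislabel", f"{path} is {actual}, expected {expected}: `restorecon -v {path}`, then find who created it"


def triage(audit_text):
    records = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    resolve_paths(records)
    return [{
        "perms": r["perms"], "tclass": r["tclass"],
        "object": r.get("path") or r.get("name"),
        "resolved_by": r["resolved_by"], "tcontext_type": type_of(r["tcontext"]),
        "verdict": v, "action": a,
    } for r in records for v, a in [classify(r)]]


if __name__ == "__main__":
    for row in triage(SAMPLE_AVCS):
        print(f"{row['verdict']:12} {row['tclass']:9} {row['object']:45} {row['action']}")
```

On the sample, only the /etc/sssd/sssd.conf denial is a real policy gap (the object is correctly sssd_conf_t; the fix in this bug was to stop sssd writing there). The three sbus-monitor denials resolve to /var/lib/sss/pipes/private/sbus-monitor and are flagged as mislabels, which matches comment 4. sssd.pid and sssd.ldb stay unresolved because no record in this bug gives their path; on a live host `ls -Z` on the object (or `ausearch -i` with the matching PATH records) closes that gap.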

Comment 5 Lukas Slebodnik 2016-09-08 11:17:02 UTC
Just for your information.
The feature of copying default sssd.conf (/usr/lib64/sssd/conf/sssd.conf)
was reverted for rhel7.3 in sssd-1.14.0-36.el7

Comment 6 Patrik Kis 2016-09-20 09:04:16 UTC
A new AVC denial appeared:

type=SYSCALL msg=audit(1473934873.287:1068): arch=c0000015 syscall=40 success=no exit=-13 a0=3fffc7d6ad88 a1=0 a2=3fff87d90fd0 a3=0 items=0 ppid=29209 pid=29496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
type=AVC msg=audit(1473934873.287:1068): avc:  denied  { rmdir } for  pid=29496 comm="selinux_child" name="contexts" dev="dm-0" ino=101862232 scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir

Comment 8 Lukas Slebodnik 2016-09-20 09:57:02 UTC
(In reply to Patrik Kis from comment #6)
> A new AVC denial appeared:
> 
> type=SYSCALL msg=audit(1473934873.287:1068): arch=c0000015 syscall=40
> success=no exit=-13 a0=3fffc7d6ad88 a1=0 a2=3fff87d90fd0 a3=0 items=0
> ppid=29209 pid=29496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child"
> exe="/usr/libexec/sssd/selinux_child"
> subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
> type=AVC msg=audit(1473934873.287:1068): avc:  denied  { rmdir } for 
> pid=29496 comm="selinux_child" name="contexts" dev="dm-0" ino=101862232
> scontext=system_u:system_r:sssd_selinux_manager_t:s0
> tcontext=system_u:object_r:default_context_t:s0 tclass=dir

This is unrelated to this BZ; file a new one.

Comment 9 Patrik Kis 2016-09-21 13:47:58 UTC
(In reply to Lukas Slebodnik from comment #8)
> (In reply to Patrik Kis from comment #6)
> 
> This is unrelated to this BZ; file a new one.

Right. See bug 1378108.

Comment 10 Lukas Slebodnik 2017-02-07 14:26:10 UTC
This feature was reverted in sssd upstream.
And will be part of sssd-1.15.1

Comment 11 Lukas Slebodnik 2017-02-07 14:26:35 UTC
Feel free to close it.
