Bug 1378108 - AVC denial: scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir { rmdir }
Summary: AVC denial: scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=sys...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-21 13:46 UTC by Patrik Kis
Modified: 2017-10-25 14:39 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-25 14:39:34 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1373265 0 medium CLOSED sssd need write access to /etc/sssd/ 2021-02-22 00:41:40 UTC

Internal Links: 1373265

Description Patrik Kis 2016-09-21 13:46:05 UTC 
Description of problem:

New AVC denial appeared:

type=SYSCALL msg=audit(1473934873.287:1068): arch=c0000015 syscall=40 success=no exit=-13 a0=3fffc7d6ad88 a1=0 a2=3fff87d90fd0 a3=0 items=0 ppid=29209 pid=29496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
type=AVC msg=audit(1473934873.287:1068): avc:  denied  { rmdir } for  pid=29496 comm="selinux_child" name="contexts" dev="dm-0" ino=101862232 scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
sssd-1.14.0-41.el7
selinux-policy-3.13.1-99.el7

How reproducible:
Seen once so far, while automated test was executed.
With new execution the AVC denial did not appeared again.
Comment 2 Lukas Slebodnik 2016-09-21 14:39:06 UTC 
selinux_child does not call rmdir itself.
it just uses libsemange and libsemanage seems to call rmdir


sh# objdump -T /usr/libexec/sssd/selinux_child | grep rmdir
sh# objdump -p /usr/libexec/sssd/selinux_child | grep semanage
  NEEDED               libsemanage.so.1
  required from libsemanage.so.1:

sh# objdump -T /usr/lib64/libsemanage.so | grep rmdir
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 rmdir
Comment 3 Petr Lautrbach 2016-09-22 10:40:19 UTC 
It seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1368097 which is supposed to be fixed in selinux-policy-3.13.1-97.el7
Note You need to log in before you can comment on or make changes to this bug.