Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1411437 - Update SELinux policy for SSSD (for Fedora 24+)
Summary: Update SELinux policy for SSSD (for Fedora 24+)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1418674 (view as bug list)
Depends On:
Blocks: 1416780
TreeView+ depends on / blocked
 
Reported: 2017-01-09 17:35 UTC by Fabiano Fidêncio
Modified: 2017-07-04 06:59 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1416780 (view as bug list)
Environment:
Last Closed: 2017-07-04 06:59:17 UTC
Type: Bug


Attachments (Terms of Use)

Description Fabiano Fidêncio 2017-01-09 17:35:56 UTC
Due to some changes in SSSD code I've been hitting the following AVC:

Jan 09 14:31:50 client1.ipa.example audit[11625]: AVC avc:  denied  { setpgid } for  pid=11625 comm="sssd_be" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11629]: AVC avc:  denied  { setpgid } for  pid=11629 comm="sssd_ssh" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11627]: AVC avc:  denied  { setpgid } for  pid=11627 comm="sssd_sudo" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11628]: AVC avc:  denied  { setpgid } for  pid=11628 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11626]: AVC avc:  denied  { setpgid } for  pid=11626 comm="sssd_nss" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc:  denied  { setpgid } for  pid=11630 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

So, the policy has to be updated for the following binaries:
- sssd_autofs
- sssd_be
- sssd_ifp
- sssd_nss
- sssd_pac
- sssd_pam
- sssd_secrets
- sssd_ssh
- sssd_sudo

Comment 1 Lukas Slebodnik 2017-02-02 13:47:58 UTC
*** Bug 1418674 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.