1416780 – Update SELinux policy for SSSD

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1416780 - Update SELinux policy for SSSD

Summary: Update SELinux policy for SSSD

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (1):	1417742 (view as bug list)
Depends On:	1411437
Blocks:	1396912 1419836
TreeView+	depends on / blocked

Reported:	2017-01-26 11:34 UTC by Lukas Slebodnik
Modified:	2017-08-01 15:22 UTC (History)
CC List:	16 users (show)
Fixed In Version:	selinux-policy-3.13.1-118.el7
Doc Type:	Bug Fix
Doc Text:	The System Security Services Daemon (SSSD) code was previously updated, and the daemon started using the setpgid() function to set process group ID (PGID). However, an appropriate rule was missing in SELinux. Consequently, SELinux AVC denials for SSSD occurred. The policy rule for setpgid() has been added to the sssd_t context, and SSSD can now set PGID successfully.
Clone Of:	1411437
Clones:	1419836 (view as bug list)
Environment:
Last Closed:	2017-08-01 15:22:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Lukas Slebodnik 2017-01-26 11:34:18 UTC

+++ This bug was initially created as a clone of Bug #1411437 +++

Due to some changes in SSSD code I've been hitting the following AVC:

Jan 09 14:31:50 client1.ipa.example audit[11625]: AVC avc:  denied  { setpgid } for  pid=11625 comm="sssd_be" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11629]: AVC avc:  denied  { setpgid } for  pid=11629 comm="sssd_ssh" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11627]: AVC avc:  denied  { setpgid } for  pid=11627 comm="sssd_sudo" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11628]: AVC avc:  denied  { setpgid } for  pid=11628 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11626]: AVC avc:  denied  { setpgid } for  pid=11626 comm="sssd_nss" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc:  denied  { setpgid } for  pid=11630 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

So, the policy has to be updated for the following binaries:
- sssd_autofs
- sssd_be
- sssd_ifp
- sssd_nss
- sssd_pac
- sssd_pam
- sssd_secrets
- sssd_ssh
- sssd_sudo

Comment 2 Milos Malik 2017-01-26 11:52:34 UTC

Do you see any additional AVCs after switching the sssd_t domain to permissive?

# semanage permissive -a sssd_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 4 Lukas Slebodnik 2017-01-26 12:26:42 UTC

(In reply to Milos Malik from comment #2)
> Do you see any additional AVCs after switching the sssd_t domain to
> permissive?
>
It is the only new AVC.

sssd didn't call setpgid before but it was introduced as part of ticket
https://fedorahosted.org/sssd/ticket/3266#comment:3

Do you still want to see AVCs in permissive mode? or the explanation is enough for you.

Comment 6 Milos Malik 2017-01-26 12:53:02 UTC

I would like to see the output of ausearch at least in enforcing mode. It usually shows more information. Thank you.

Comment 7 Lukas Slebodnik 2017-01-26 12:55:21 UTC

(In reply to Milos Malik from comment #6)
> I would like to see the output of ausearch at least in enforcing mode. It
> usually shows more information. Thank you.

I'll do that after building the package. I do not want to provide output which is not from rhel.

Comment 9 Lukas Slebodnik 2017-02-01 12:07:55 UTC

Enforcing:

type=SYSCALL msg=audit(02/01/2017 07:03:18.086:129) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3df9 a1=0x3df9 a2=0x3df9 a3=0x7ffd15314c80 items=0 ppid=15864 pid=15865 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.086:129) : avc:  denied  { setpgid } for  pid=15865 comm=sssd_be scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(02/01/2017 07:03:18.134:130) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3dfa a1=0x3dfa a2=0x3dfa a3=0x7fffc25a8cb0 items=0 ppid=15864 pid=15866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.134:130) : avc:  denied  { setpgid } for  pid=15866 comm=sssd_nss scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(02/01/2017 07:03:18.135:131) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3dfb a1=0x3dfb a2=0x3dfb a3=0x7ffd9479c860 items=0 ppid=15864 pid=15867 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_pam exe=/usr/libexec/sssd/sssd_pam subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.135:131) : avc:  denied  { setpgid } for  pid=15867 comm=sssd_pam scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 


Permissive:
type=SYSCALL msg=audit(02/01/2017 07:06:36.069:418) : arch=x86_64 syscall=setpgid success=yes exit=0 a0=0x44d7 a1=0x44d7 a2=0x44d7 a3=0x7ffdb106cda0 items=0 ppid=17622 pid=17623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:06:36.069:418) : avc:  denied  { setpgid } for  pid=17623 comm=sssd_be scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process

Comment 10 Lukas Vrabec 2017-02-01 14:28:06 UTC

*** Bug 1417742 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2017-08-01 15:22:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.