Bug 1416780 - Update SELinux policy for SSSD
Summary: Update SELinux policy for SSSD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
: 1417742 (view as bug list)
Depends On: 1411437
Blocks: 1396912 1419836
TreeView+ depends on / blocked
 
Reported: 2017-01-26 11:34 UTC by Lukas Slebodnik
Modified: 2017-08-01 15:22 UTC (History)
16 users (show)

Fixed In Version: selinux-policy-3.13.1-118.el7
Doc Type: Bug Fix
Doc Text:
The System Security Services Daemon (SSSD) code was previously updated, and the daemon started using the setpgid() function to set process group ID (PGID). However, an appropriate rule was missing in SELinux. Consequently, SELinux AVC denials for SSSD occurred. The policy rule for setpgid() has been added to the sssd_t context, and SSSD can now set PGID successfully.
Clone Of: 1411437
: 1419836 (view as bug list)
Environment:
Last Closed: 2017-08-01 15:22:43 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Lukas Slebodnik 2017-01-26 11:34:18 UTC
+++ This bug was initially created as a clone of Bug #1411437 +++

Due to some changes in SSSD code I've been hitting the following AVC:

Jan 09 14:31:50 client1.ipa.example audit[11625]: AVC avc:  denied  { setpgid } for  pid=11625 comm="sssd_be" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11629]: AVC avc:  denied  { setpgid } for  pid=11629 comm="sssd_ssh" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11627]: AVC avc:  denied  { setpgid } for  pid=11627 comm="sssd_sudo" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11628]: AVC avc:  denied  { setpgid } for  pid=11628 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11626]: AVC avc:  denied  { setpgid } for  pid=11626 comm="sssd_nss" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc:  denied  { setpgid } for  pid=11630 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

So, the policy has to be updated for the following binaries:
- sssd_autofs
- sssd_be
- sssd_ifp
- sssd_nss
- sssd_pac
- sssd_pam
- sssd_secrets
- sssd_ssh
- sssd_sudo

Comment 2 Milos Malik 2017-01-26 11:52:34 UTC
Do you see any additional AVCs after switching the sssd_t domain to permissive?

# semanage permissive -a sssd_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 4 Lukas Slebodnik 2017-01-26 12:26:42 UTC
(In reply to Milos Malik from comment #2)
> Do you see any additional AVCs after switching the sssd_t domain to
> permissive?
>
It is the only new AVC.

sssd didn't call setpgid before but it was introduced as part of ticket
https://fedorahosted.org/sssd/ticket/3266#comment:3

Do you still want to see AVCs in permissive mode? or the explanation is enough for you.

Comment 6 Milos Malik 2017-01-26 12:53:02 UTC
I would like to see the output of ausearch at least in enforcing mode. It usually shows more information. Thank you.

Comment 7 Lukas Slebodnik 2017-01-26 12:55:21 UTC
(In reply to Milos Malik from comment #6)
> I would like to see the output of ausearch at least in enforcing mode. It
> usually shows more information. Thank you.

I'll do that after building the package. I do not want to provide output which is not from rhel.

Comment 9 Lukas Slebodnik 2017-02-01 12:07:55 UTC
Enforcing:

type=SYSCALL msg=audit(02/01/2017 07:03:18.086:129) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3df9 a1=0x3df9 a2=0x3df9 a3=0x7ffd15314c80 items=0 ppid=15864 pid=15865 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.086:129) : avc:  denied  { setpgid } for  pid=15865 comm=sssd_be scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(02/01/2017 07:03:18.134:130) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3dfa a1=0x3dfa a2=0x3dfa a3=0x7fffc25a8cb0 items=0 ppid=15864 pid=15866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.134:130) : avc:  denied  { setpgid } for  pid=15866 comm=sssd_nss scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(02/01/2017 07:03:18.135:131) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3dfb a1=0x3dfb a2=0x3dfb a3=0x7ffd9479c860 items=0 ppid=15864 pid=15867 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_pam exe=/usr/libexec/sssd/sssd_pam subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.135:131) : avc:  denied  { setpgid } for  pid=15867 comm=sssd_pam scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 


Permissive:
type=SYSCALL msg=audit(02/01/2017 07:06:36.069:418) : arch=x86_64 syscall=setpgid success=yes exit=0 a0=0x44d7 a1=0x44d7 a2=0x44d7 a3=0x7ffdb106cda0 items=0 ppid=17622 pid=17623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:06:36.069:418) : avc:  denied  { setpgid } for  pid=17623 comm=sssd_be scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process

Comment 10 Lukas Vrabec 2017-02-01 14:28:06 UTC
*** Bug 1417742 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2017-08-01 15:22:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861


Note You need to log in before you can comment on or make changes to this bug.