Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1416780

Summary: Update SELinux policy for SSSD
Product: Red Hat Enterprise Linux 7 Reporter: Lukas Slebodnik <lslebodn>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent    
Version: 7.3CC: djasa, dominick.grift, dwalsh, extras-qa, fidencio, jhrozek, lslebodn, lvrabec, mgrepl, mjahoda, mmalik, plautrba, pmoore, pvrabec, ssekidde, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-118.el7 Doc Type: Bug Fix
Doc Text:
The System Security Services Daemon (SSSD) code was previously updated, and the daemon started using the setpgid() function to set process group ID (PGID). However, an appropriate rule was missing in SELinux. Consequently, SELinux AVC denials for SSSD occurred. The policy rule for setpgid() has been added to the sssd_t context, and SSSD can now set PGID successfully.
 Story Points: ---
Clone Of: 1411437
: 1419836 (view as bug list) Environment:
Last Closed: 2017-08-01 15:22:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1411437    
Bug Blocks: 1396912, 1419836    

Description Lukas Slebodnik 2017-01-26 11:34:18 UTC 
+++ This bug was initially created as a clone of Bug #1411437 +++

Due to some changes in SSSD code I've been hitting the following AVC:

Jan 09 14:31:50 client1.ipa.example audit[11625]: AVC avc:  denied  { setpgid } for  pid=11625 comm="sssd_be" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11629]: AVC avc:  denied  { setpgid } for  pid=11629 comm="sssd_ssh" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11627]: AVC avc:  denied  { setpgid } for  pid=11627 comm="sssd_sudo" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11628]: AVC avc:  denied  { setpgid } for  pid=11628 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11626]: AVC avc:  denied  { setpgid } for  pid=11626 comm="sssd_nss" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc:  denied  { setpgid } for  pid=11630 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0

So, the policy has to be updated for the following binaries:
- sssd_autofs
- sssd_be
- sssd_ifp
- sssd_nss
- sssd_pac
- sssd_pam
- sssd_secrets
- sssd_ssh
- sssd_sudo
Comment 2 Milos Malik 2017-01-26 11:52:34 UTC 
Do you see any additional AVCs after switching the sssd_t domain to permissive?

# semanage permissive -a sssd_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Comment 4 Lukas Slebodnik 2017-01-26 12:26:42 UTC 
(In reply to Milos Malik from comment #2)
> Do you see any additional AVCs after switching the sssd_t domain to
> permissive?
>
It is the only new AVC.

sssd didn't call setpgid before but it was introduced as part of ticket
https://fedorahosted.org/sssd/ticket/3266#comment:3

Do you still want to see AVCs in permissive mode? or the explanation is enough for you.
Comment 6 Milos Malik 2017-01-26 12:53:02 UTC 
I would like to see the output of ausearch at least in enforcing mode. It usually shows more information. Thank you.
Comment 7 Lukas Slebodnik 2017-01-26 12:55:21 UTC 
(In reply to Milos Malik from comment #6)
> I would like to see the output of ausearch at least in enforcing mode. It
> usually shows more information. Thank you.

I'll do that after building the package. I do not want to provide output which is not from rhel.
Comment 9 Lukas Slebodnik 2017-02-01 12:07:55 UTC 
Enforcing:

type=SYSCALL msg=audit(02/01/2017 07:03:18.086:129) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3df9 a1=0x3df9 a2=0x3df9 a3=0x7ffd15314c80 items=0 ppid=15864 pid=15865 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.086:129) : avc:  denied  { setpgid } for  pid=15865 comm=sssd_be scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(02/01/2017 07:03:18.134:130) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3dfa a1=0x3dfa a2=0x3dfa a3=0x7fffc25a8cb0 items=0 ppid=15864 pid=15866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_nss exe=/usr/libexec/sssd/sssd_nss subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.134:130) : avc:  denied  { setpgid } for  pid=15866 comm=sssd_nss scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 
----
type=SYSCALL msg=audit(02/01/2017 07:03:18.135:131) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x3dfb a1=0x3dfb a2=0x3dfb a3=0x7ffd9479c860 items=0 ppid=15864 pid=15867 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_pam exe=/usr/libexec/sssd/sssd_pam subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:03:18.135:131) : avc:  denied  { setpgid } for  pid=15867 comm=sssd_pam scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process 


Permissive:
type=SYSCALL msg=audit(02/01/2017 07:06:36.069:418) : arch=x86_64 syscall=setpgid success=yes exit=0 a0=0x44d7 a1=0x44d7 a2=0x44d7 a3=0x7ffdb106cda0 items=0 ppid=17622 pid=17623 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 07:06:36.069:418) : avc:  denied  { setpgid } for  pid=17623 comm=sssd_be scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process
Comment 10 Lukas Vrabec 2017-02-01 14:28:06 UTC 
*** Bug 1417742 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2017-08-01 15:22:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861