Bug 1520332 - A new policy should be added to allow sssd_pac to access libaesni-intel-samba4.so
Summary: A new policy should be added to allow sssd_pac to access libaesni-intel-samba...
Keywords:
Status: CLOSED DUPLICATE of bug 1520163
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-12-04 09:31 UTC by Fabiano Fidêncio
Modified: 2017-12-04 10:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-04 10:57:39 UTC
Type: Bug
Embargoed:



Description Fabiano Fidêncio 2017-12-04 09:31:22 UTC
This issue happens with https://bodhi.fedoraproject.org/updates/FEDORA-2017-46d55b2108

Dec 04 10:12:36 pessoa audit[3989]: AVC avc:  denied  { execstack } for  pid=3989 comm="sssd_pac" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0
Dec 04 10:12:36 pessoa sssd[3982]: /usr/libexec/sssd/sssd_pac: error while loading shared libraries: libaesni-intel-samba4.so: cannot enable executable stack as shared object requires: Permission denied
Dec 04 10:12:39 pessoa dbus-daemon[965]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.31' (uid=0 pid=933 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Dec 04 10:12:40 pessoa dbus-daemon[965]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 04 10:12:43 pessoa setroubleshoot[3991]: SELinux is preventing sssd_pac from using the execstack access on a process. For complete SELinux messages run: sealert -l c7db38d4-80d7-4a9f-890e-3522b2b11231
Dec 04 10:12:43 pessoa python3[3991]: SELinux is preventing sssd_pac from using the execstack access on a process.
                                      
                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                      
                                      If you believe that sssd_pac should be allowed execstack access on processes labeled sssd_t by default
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      Do
                                      allow this access for now by executing:
                                      # ausearch -c 'sssd_pac' --raw | audit2allow -M my-sssdpac
                                      # semodule -X 300 -i my-sssdpac.pp


Please, let me know if some info is needed.

Comment 1 Lukas Slebodnik 2017-12-04 09:42:51 UTC
I would say that it is related to the update 4.7.3-1
"Enable AES acceleration on Intel compatible CPUs by default"

But I do not think we should allow executing something on stack.
   execstack     Make the main process stack executable.

And if we really want that, then there should be a boolean which is disabled by default.

Anyway moving to samba.
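Added example, not from any commenter and not samba or sssd code: a small Python checker that parses the AVC record from the description and inspects a shared object's PT_GNU_STACK program header, so an execstack denial is traced to the library that asks for an executable stack instead of being waved through with audit2allow. The regex, the triage labels and the ELF fixture builder are assumptions of this example; the sample AVC line is the one from this report.

```python
import re
import struct
PT_GNU_STACK = 0x6474E551  # program header recording the stack permissions the object asks for
PF_X = 0x1

def gnu_stack_flags(data):
    """p_flags of PT_GNU_STACK, or None when the header is absent (ELF64 little-endian only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def requires_exec_stack(data):
    """True if ld.so would request an executable stack; on x86 a missing header also means executable."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
                    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Extract the denied permission, process name, source context and class from an AVC record."""
    m = AVC_RE.search(line)
    return m.groupdict() if m else None

def triage(line, library_bytes):
    """Decide whether an execstack denial points at the library build rather than at policy."""
    avc = parse_avc(line)
    if avc is None or avc["perm"] != "execstack":
        return "not an execstack denial"
    if requires_exec_stack(library_bytes):
        # Typically an assembly object built without a .note.GNU-stack section: fix the build
        # instead of granting sssd_t execstack with audit2allow.
        return "fix-build"
    return "library clean"

def build_elf64(stack_flags):
    """Constructed fixture: bare ELF64 header plus one optional PT_GNU_STACK header; None omits it."""
    phdr = b"" if stack_flags is None else struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdr) // 56, 64, 0, 0)
    return ehdr + phdr

# Constructed sample: the denial from this report as journald printed it.
SAMPLE_AVC = ('Dec 04 10:12:36 pessoa audit[3989]: AVC avc:  denied  { execstack } for  pid=3989 comm="sssd_pac" '
              'scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0')
```

On a real system the same check is `readelf -lW libaesni-intel-samba4.so | grep GNU_STACK`, where an `RWE` flags column is the executable-stack request.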

Comment 2 Sumit Bose 2017-12-04 10:04:28 UTC
JFYI, sssd_pac just links libndr-krb5pac.so to parse (the already decrypted) NDR encoded PAC. Is libaesni-intel-samba4.so really needed for NDR processing? (The next question would be if the performance improvement really justifies the risks of an executable stack?)

Comment 3 Fabiano Fidêncio 2017-12-04 10:08:26 UTC
Seems that the issue may actually be on Samba side (https://bugzilla.redhat.com/show_bug.cgi?id=1520163).

Andreas is doing a new build and I'll close this bug if his build solves the issue.

Comment 4 Fabiano Fidêncio 2017-12-04 10:57:39 UTC
Okay, this bug is actually a DUP of 1520163.

*** This bug has been marked as a duplicate of bug 1520163 ***

Comment 5 Fabiano Fidêncio 2017-12-04 10:59:29 UTC
JFTR: I've tested https://koji.fedoraproject.org/koji/taskinfo?taskID=23542441

