1534624 – SELinux prevents sslh from searching in /var/lib/sss directory

Bug 1534624 - SELinux prevents sslh from searching in /var/lib/sss directory

Summary: SELinux prevents sslh from searching in /var/lib/sss directory

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	27
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-15 15:38 UTC by Milos Malik
Modified:	2018-02-06 15:31 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.13.1-283.24.fc27
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-02-06 15:31:25 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Milos Malik 2018-01-15 15:38:53 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.16.fc27.noarch
selinux-policy-targeted-3.13.1-283.16.fc27.noarch
sslh-1.18-4.fc27.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora27 machine (targeted policy is active)
2. start the sslh service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=AVC msg=audit(01/15/2018 10:32:04.564:400) : avc:  denied  { search } for  pid=18259 comm=sslh name=sss dev="vda1" ino=5199 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0 
----

Expected results:
* no SELinux denials

Additional info:
The sssd service was running and nsswitch was configured in following way:
# grep sss /etc/nsswitch.conf
passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd
services:   files sss
netgroup:   nisplus sss
#

Comment 1 Lukas Vrabec 2018-01-15 16:19:53 UTC

Could you test it in permissive mode?

Comment 2 Milos Malik 2018-01-15 16:35:51 UTC

Caught in permissive mode:
----
type=AVC msg=audit(01/15/2018 11:34:36.690:451) : avc:  denied  { read } for  pid=21970 comm=sslh name=passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:452) : avc:  denied  { open } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:453) : avc:  denied  { getattr } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:454) : avc:  denied  { map } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:455) : avc:  denied  { write } for  pid=21970 comm=sslh name=nss dev="vda1" ino=845 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:456) : avc:  denied  { connectto } for  pid=21970 comm=sslh path=/var/lib/sss/pipes/nss scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
----

Comment 3 Fedora Update System 2018-01-30 16:41:06 UTC

selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 4 Fedora Update System 2018-01-31 22:44:52 UTC

selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 5 Fedora Update System 2018-02-06 15:31:25 UTC

selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.