Bug 1534624 - SELinux prevents sslh from searching in /var/lib/sss directory
Summary: SELinux prevents sslh from searching in /var/lib/sss directory
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2018-01-15 15:38 UTC by Milos Malik
Modified: 2018-02-06 15:31 UTC (History)

Clone Of:
Last Closed: 2018-02-06 15:31:25 UTC



Description Milos Malik 2018-01-15 15:38:53 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.16.fc27.noarch
selinux-policy-targeted-3.13.1-283.16.fc27.noarch
sslh-1.18-4.fc27.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora27 machine (targeted policy is active)
2. start the sslh service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=AVC msg=audit(01/15/2018 10:32:04.564:400) : avc:  denied  { search } for  pid=18259 comm=sslh name=sss dev="vda1" ino=5199 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0 
----

Expected results:
* no SELinux denials

Additional info:
The sssd service was running and nsswitch was configured in the following way:
# grep sss /etc/nsswitch.conf
passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd
services:   files sss
netgroup:   nisplus sss
#

Comment 1 Lukas Vrabec 2018-01-15 16:19:53 UTC
Could you test it in permissive mode?

Comment 2 Milos Malik 2018-01-15 16:35:51 UTC
Caught in permissive mode:
----
type=AVC msg=audit(01/15/2018 11:34:36.690:451) : avc:  denied  { read } for  pid=21970 comm=sslh name=passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:452) : avc:  denied  { open } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:453) : avc:  denied  { getattr } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:454) : avc:  denied  { map } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:455) : avc:  denied  { write } for  pid=21970 comm=sslh name=nss dev="vda1" ino=845 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(01/15/2018 11:34:36.691:456) : avc:  denied  { connectto } for  pid=21970 comm=sslh path=/var/lib/sss/pipes/nss scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
----
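The enforcing-mode record in the description shows only the first failing access (the `search` on `/var/lib/sss`), because every later step of the NSS lookup has to traverse that directory and never gets far enough to be denied separately; comment 2's permissive-mode run lets the lookup complete and exposes the whole chain: `read`/`open`/`getattr`/`map` on the sssd memory cache file, then `write` on the `nss` socket file and `connectto` to sssd itself. As an added example, not part of this bug report or of the selinux-policy project, here is a small Python parser that turns such ausearch output into aggregated, audit2allow-style allow rules so the full set of required accesses can be read at a glance. The sample records are copied from this report; the helper names (`parse_avc`, `aggregate`, `render_allow_rules`, `by_mode`) are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug report (the
# enforcing-mode line first, then the permissive-mode chain from comment 2).
SAMPLE_AVCS = """\
type=AVC msg=audit(01/15/2018 10:32:04.564:400) : avc:  denied  { search } for  pid=18259 comm=sslh name=sss dev="vda1" ino=5199 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(01/15/2018 11:34:36.690:451) : avc:  denied  { read } for  pid=21970 comm=sslh name=passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/15/2018 11:34:36.691:452) : avc:  denied  { open } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/15/2018 11:34:36.691:453) : avc:  denied  { getattr } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/15/2018 11:34:36.691:454) : avc:  denied  { map } for  pid=21970 comm=sslh path=/var/lib/sss/mc/passwd dev="vda1" ino=11779 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/15/2018 11:34:36.691:455) : avc:  denied  { write } for  pid=21970 comm=sslh name=nss dev="vda1" ino=845 scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(01/15/2018 11:34:36.691:456) : avc:  denied  { connectto } for  pid=21970 comm=sslh path=/var/lib/sss/pipes/nss scontext=system_u:system_r:sslh_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
"""

# Fields of an ausearch -i style AVC record that matter for a policy rule:
# the denied permission set, the source/target contexts, the object class,
# and whether the kernel was enforcing (permissive=0) when it logged it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\bpermissive=(?P<permissive>[01])"
)


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """Parse one AVC record; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def aggregate(text: str) -> dict:
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules: dict) -> list:
    """Render aggregated denials as audit2allow-style allow rules, sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out


def by_mode(text: str) -> dict:
    """Count how many denials were logged in enforcing vs permissive mode."""
    counts = {"enforcing": 0, "permissive": 0}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts["permissive" if rec["permissive"] else "enforcing"] += 1
    return counts


if __name__ == "__main__":
    print(by_mode(SAMPLE_AVCS))
    for rule in render_allow_rules(aggregate(SAMPLE_AVCS)):
        print(rule)
```

Running it on the sample collapses the seven records into four rules, one per (source type, target type, class) triple, which is the view a policy maintainer needs: `sslh_t` wants to read and map the sssd memory cache and to connect to the sssd NSS responder. The raw `allow` lines are what a local audit2allow module would contain; a distribution policy would normally express the same access through the sssd module's interfaces rather than raw rules, which is the kind of change the selinux-policy update in comments 3 to 5 delivered.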

Comment 3 Fedora Update System 2018-01-30 16:41:06 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 4 Fedora Update System 2018-01-31 22:44:52 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 5 Fedora Update System 2018-02-06 15:31:25 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

