Bug 1573059 - Denials for sssd writing /etc/pki/nssdb/key4.db
Summary: Denials for sssd writing /etc/pki/nssdb/key4.db
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-30 05:12 UTC by Bojan Smojver
Modified: 2018-07-06 15:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-06 04:50:24 UTC
Type: Bug


Attachments (Terms of Use)

Description Bojan Smojver 2018-04-30 05:12:37 UTC
Description of problem:
SELinux denials in the audit log.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.1-24.fc28.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Run sssd with AD backend.

Actual results:
SELinux denials.

Expected results:
Should be none?

Additional info:

require {
	type sssd_t;
	type cert_t;
	class file write;
}

#============= sssd_t ==============
allow sssd_t cert_t:file write;

Comment 1 Bojan Smojver 2018-06-07 03:06:10 UTC
SELinux is preventing sssd_be from write access on the file /etc/pki/nssdb/cert9.db.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_be should be allowed write access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe
# semodule -X 300 -i my-sssdbe.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:cert_t:s0
Target Objects                /etc/pki/nssdb/cert9.db [ file ]
Source                        sssd_be
Source Path                   sssd_be
Port                          <Unknown>
Host                          <host>
Source RPM Packages           
Target RPM Packages           nss-3.36.1-1.1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-30.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <host>
Platform                      Linux <host> 
                              4.16.14-300.fc28.x86_64 #1 SMP Tue Jun 5 16:23:44
                              UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-06-02 11:27:56 AEST
Last Seen                     2018-06-07 09:29:42 AEST
Local ID                      afa11844-33ab-4208-ae42-b455401dbcdd

Raw Audit Messages
type=AVC msg=audit(1528327782.378:180): avc:  denied  { write } for  pid=791 comm="sssd_be" name="cert9.db" dev="dm-0" ino=1552 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0


Hash: sssd_be,sssd_t,cert_t,file,write

Comment 2 Lukas Slebodnik 2018-07-05 11:49:01 UTC
(In reply to Bojan Smojver from comment #0)
> Description of problem:
> SELinux denials in the audit log.
> 
> Version-Release number of selected component (if applicable):
> selinux-policy-targeted-3.14.1-24.fc28.noarch
> 
> How reproducible:
> Always.
> 
> Steps to Reproduce:
> 1. Run sssd with AD backend.
> 
> Actual results:
> SELinux denials.
> 
> Expected results:
> Should be none?
> 
> Additional info:
> 
> require {
> 	type sssd_t;
> 	type cert_t;
> 	class file write;
> }
> 
> #============= sssd_t ==============
> allow sssd_t cert_t:file write;

I would recommend you to convert certificates from nss db to PEM certificate.
openldap in fedora 29 will not support nss db anyway.
So it will be better to prepare soon.

Adding openldap maintain to CC to confirm/correct previous statement.

Comment 4 Bojan Smojver 2018-07-05 12:07:01 UTC
Maybe I missed something in the config somewhere. I'll have a look.

Comment 5 Bojan Smojver 2018-07-06 04:50:24 UTC
Yeah, I had that old setting in sssd.conf.

Comment 6 Matus Honek 2018-07-06 15:29:18 UTC
The issue here has been already noticed in bug 1533960 (sorry it's currently internal only) which is in fact a bug in NSS being tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=1449169

Anyway, as Lukas suggested, go with PEM configuration. NSS-specific support is indeed already removed in F29 (current master).


Note You need to log in before you can comment on or make changes to this bug.