Description of problem:
SELinux denials in the audit log.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.1-24.fc28.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Run sssd with AD backend.

Actual results:
SELinux denials.

Expected results:
Should be none?

Additional info:

require {
	type sssd_t;
	type cert_t;
	class file write;
}

#============= sssd_t ==============
allow sssd_t cert_t:file write;
SELinux is preventing sssd_be from write access on the file /etc/pki/nssdb/cert9.db.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_be should be allowed write access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe
# semodule -X 300 -i my-sssdbe.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:cert_t:s0
Target Objects                /etc/pki/nssdb/cert9.db [ file ]
Source                        sssd_be
Source Path                   sssd_be
Port                          <Unknown>
Host                          <host>
Source RPM Packages
Target RPM Packages           nss-3.36.1-1.1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-30.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <host>
Platform                      Linux <host> 4.16.14-300.fc28.x86_64 #1 SMP Tue Jun 5 16:23:44 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-06-02 11:27:56 AEST
Last Seen                     2018-06-07 09:29:42 AEST
Local ID                      afa11844-33ab-4208-ae42-b455401dbcdd

Raw Audit Messages
type=AVC msg=audit(1528327782.378:180): avc:  denied  { write } for  pid=791 comm="sssd_be" name="cert9.db" dev="dm-0" ino=1552 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

Hash: sssd_be,sssd_t,cert_t,file,write
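The setroubleshoot report above is built from the raw AVC record, and audit2allow's suggested rule is just that record aggregated by (source type, target type, object class). The following script, added here as an illustration and not part of the bug report or of any Fedora tool, does the same aggregation over raw audit lines and additionally flags a write denial against cert_t as a configuration problem to review (a daemon modifying a system certificate store) rather than something to allow with a local module. The second AVC line and the SYSCALL line in the sample are constructed; only the first is the record from the report.

```python
"""Parse raw SELinux AVC records (as printed by `ausearch --raw` or found in
/var/log/audit/audit.log), aggregate the denials the way audit2allow does, and
flag the ones that deserve a configuration fix rather than a local allow rule."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: the AVC record from the report, a constructed second
# write denial against another file in the same NSS database directory, and a
# constructed SYSCALL record that the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1528327782.378:180): avc:  denied  { write } for  pid=791 comm="sssd_be" name="cert9.db" dev="dm-0" ino=1552 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1528327782.391:181): avc:  denied  { write } for  pid=791 comm="sssd_be" name="key4.db" dev="dm-0" ino=1553 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1528327782.378:180): arch=c000003e syscall=2 success=no exit=-13 comm="sssd_be"
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": values are either double-quoted or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    return {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        # a context is user:role:type:level; the type is what policy rules use
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def aggregate_denials(text):
    """Group denied AVCs by (source type, target type, class) -> set of perms,
    which is the granularity at which audit2allow emits allow rules."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule in the policy syntax audit2allow prints."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def review(text):
    """Return (rules, warnings). A write denial against cert_t means a daemon
    tried to modify a system certificate store; the usual fix is the daemon's
    TLS configuration (here: sssd pointed at an NSS DB instead of PEM files),
    not a local policy module that allows the write."""
    rules = aggregate_denials(text)
    lines, warnings = [], []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(format_rule(stype, ttype, tclass, perms))
        if ttype == "cert_t" and "write" in perms:
            warnings.append(
                f"{stype} wants write on {ttype}:{tclass}; "
                "review its TLS/certificate store configuration before allowing this"
            )
    return lines, warnings


if __name__ == "__main__":
    rules, warnings = review(SAMPLE_AUDIT_LOG)
    print("\n".join(rules))
    for w in warnings:
        print("WARNING:", w)
```

Run against a real log with `sudo ausearch -m AVC --raw` piped into `review()`. The generated rule line for the sample is exactly the `allow sssd_t cert_t:file write;` from the report, which is what makes the warning useful: the rule looks harmless in isolation, and only the target type tells you the access should be questioned.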
(In reply to Bojan Smojver from comment #0)
> Description of problem:
> SELinux denials in the audit log.
>
> Version-Release number of selected component (if applicable):
> selinux-policy-targeted-3.14.1-24.fc28.noarch
>
> How reproducible:
> Always.
>
> Steps to Reproduce:
> 1. Run sssd with AD backend.
>
> Actual results:
> SELinux denials.
>
> Expected results:
> Should be none?
>
> Additional info:
>
> require {
> 	type sssd_t;
> 	type cert_t;
> 	class file write;
> }
>
> #============= sssd_t ==============
> allow sssd_t cert_t:file write;

I would recommend you convert the certificates from the NSS DB to PEM certificates. openldap in Fedora 29 will not support NSS DB anyway, so it will be better to prepare soon.

Adding the openldap maintainer to CC to confirm/correct the previous statement.
https://fedoraproject.org/wiki/Releases/29/ChangeSet#OpenLDAP:_Drop_MozNSS_Compatibility_Layer
Maybe I missed something in the config somewhere. I'll have a look.
Yeah, I had that old setting in sssd.conf.
The issue here has already been noticed in bug 1533960 (sorry, it's currently internal only), which is in fact a bug in NSS being tracked here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1449169

Anyway, as Lukas suggested, go with the PEM configuration. NSS-specific support is indeed already removed in F29 (current master).