Description of problem:
Selinux reports access denied to /var/lib/sss for cjdroute

Version-Release number of selected component (if applicable):
cjdns-20.2-2

How reproducible:
At cjdns startup

Steps to Reproduce:
1. install cjdns cjdns-selinux
2. systemctl start cjdns

Actual results:
type=AVC msg=audit(1528496988.246:146): avc: denied { search } for pid=1035 comm="cjdroute" name="sss" dev="dm-0" ino=795620 scontext=system_u:system_r:cjdns_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0

Expected results:
No selinux logs

Additional info:
There is no need for cjdroute to access /var/lib/sss, and indeed cjdroute runs normally despite the denial. If I could find where this access is occurring, I could patch it out of the upstream code.
Still present in f29
*** Bug 1708081 has been marked as a duplicate of this bug. ***
Ok, the culprit is getpwnam(). Around Fedora 28, this changed to dynamically load nss libraries, and do lots of extraneous stuff. There are two ways that we could go, yea, three that stop this annoying alert:

1) Ok, fine: let cjdroute have read access to all that critical security stuff ... just to look up the uid for cjdns.
2) Tell users to turn off sss for passwd in /etc/nsswitch.conf
3) Implement a plain vanilla getpwnam() that just looks in /etc/passwd

Workaround for present: remove sss from passwd in /etc/nsswitch.conf
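The following is an added example of what option 3 above would look like: a getpwnam()-style lookup that parses only the /etc/passwd record format (name:passwd:uid:gid:gecos:dir:shell) and never goes through NSS, so no sssd module is loaded and no search of /var/lib/sss happens. This is not cjdns code and not the fix that shipped in the package; the struct and function names, and the sample passwd text with its uid/gid values, are constructed for illustration.

```c
/* Added example (not cjdns code): a minimal getpwnam()-style lookup that
 * reads only the /etc/passwd format and never touches NSS/sssd.
 * Names, values and the sample passwd text below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

struct simple_pw {
    char name[64];
    uid_t uid;
    gid_t gid;
};

/* Parse one "name:passwd:uid:gid:gecos:dir:shell" record.
 * Returns 0 on success, -1 if the line is malformed. */
static int parse_passwd_line(const char *line, struct simple_pw *out)
{
    const char *f[7];
    size_t len[7];
    const char *p = line;
    for (int i = 0; i < 7; i++) {
        const char *colon = strchr(p, ':');
        if (i < 6) {
            if (!colon) return -1;          /* fewer than 7 fields */
            f[i] = p; len[i] = (size_t)(colon - p);
            p = colon + 1;
        } else {
            f[i] = p; len[i] = strcspn(p, "\n");
        }
    }
    if (len[0] == 0 || len[0] >= sizeof out->name) return -1;
    /* uid and gid must be all-digit fields; strtoul alone would accept " 1" or "-1" */
    for (int i = 2; i <= 3; i++) {
        if (len[i] == 0) return -1;
        for (size_t k = 0; k < len[i]; k++)
            if (f[i][k] < '0' || f[i][k] > '9') return -1;
    }
    char num[32];
    if (len[2] >= sizeof num || len[3] >= sizeof num) return -1;
    memcpy(num, f[2], len[2]); num[len[2]] = '\0';
    errno = 0;
    unsigned long uid = strtoul(num, NULL, 10);
    if (errno) return -1;
    memcpy(num, f[3], len[3]); num[len[3]] = '\0';
    unsigned long gid = strtoul(num, NULL, 10);
    if (errno) return -1;
    memcpy(out->name, f[0], len[0]); out->name[len[0]] = '\0';
    out->uid = (uid_t)uid;
    out->gid = (gid_t)gid;
    return 0;
}

/* Look up `name` in passwd-format text held in memory. Malformed lines are
 * skipped rather than aborting the lookup. Returns 0 if found, -1 if not. */
int lookup_in_passwd_text(const char *text, const char *name, struct simple_pw *out)
{
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (n < sizeof buf) {
            memcpy(buf, line, n); buf[n] = '\0';
            struct simple_pw pw;
            if (parse_passwd_line(buf, &pw) == 0 && strcmp(pw.name, name) == 0) {
                *out = pw;
                return 0;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Same lookup against a file, e.g. "/etc/passwd". Returns 0 if found, -1 otherwise. */
int lookup_in_passwd_file(const char *path, const char *name, struct simple_pw *out)
{
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    char line[512];
    int rc = -1;
    while (fgets(line, sizeof line, fp)) {
        struct simple_pw pw;
        if (parse_passwd_line(line, &pw) == 0 && strcmp(pw.name, name) == 0) {
            *out = pw; rc = 0; break;
        }
    }
    fclose(fp);
    return rc;
}

/* Constructed sample passwd text, including a malformed line and an empty one. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/bash\n"
    "broken line without fields\n"
    "\n"
    "sssd:x:990:987:User for sssd:/:/sbin/nologin\n"
    "cjdns:x:992:989:cjdns daemon:/var/lib/cjdns:/sbin/nologin\n";

int main(void)
{
    struct simple_pw pw;
    if (lookup_in_passwd_text(SAMPLE_PASSWD, "cjdns", &pw) == 0)
        printf("cjdns uid=%lu gid=%lu\n", (unsigned long)pw.uid, (unsigned long)pw.gid);
    return 0;
}
```

The trade-off is the one the comment above names: this only sees local accounts, so a system whose cjdns user lives in sssd/LDAP would not be found. A daemon using this would need to fall back or fail loudly rather than silently run as the wrong uid.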
Another idea: register the cjdns uid with the Fedora Project, and hardwire the uid. But that could be a Bad Idea, because customized systems might not use the official uid. Yet another idea: support a numeric user in /etc/cjdroute.conf
*** Bug 1711506 has been marked as a duplicate of this bug. ***
*** Bug 1713855 has been marked as a duplicate of this bug. ***
After a lot of thinking, I've decided the best approach is to suppress logging of the sss denials. I need to research how to do that.
FEDORA-2019-93a6eb4dbc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-93a6eb4dbc
FEDORA-2019-1fa7b2f8bc has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1fa7b2f8bc
I don't think this is the end of this issue. There are a lot of problems associated with dontaudit - some new functionality that actually depends on sssd doesn't work, and it's hard to figure out why.
cjdns-20.3-7.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-93a6eb4dbc
cjdns-20.3-7.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1fa7b2f8bc
cjdns-20.3-7.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
cjdns-20.3-7.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.