Description of problem:
SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sss_cache should be allowed write access on the config.ldb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                config.ldb [ file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-8.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.0-0.rc7.git4.1.fc30.x86_64 #1 SMP Fri Oct 12 14:14:52 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-17 07:54:19 +05
Last Seen                     2018-10-17 07:54:19 +05
Local ID                      8c701bd9-8cb8-4cf3-b03e-0e6e1c28f30d

Raw Audit Messages
type=AVC msg=audit(1539744859.216:821): avc: denied { write } for pid=26470 comm="sss_cache" name="config.ldb" dev="nvme0n1p2" ino=2006634 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0

Hash: sss_cache,groupadd_t,sssd_var_lib_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.3-8.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.0-0.rc7.git4.1.fc30.x86_64
type:           libreport
It happens when some package adds/modifies a group in rpm scriptlets, which is quite often. It is caused by a new feature in shadow-utils:
https://src.fedoraproject.org/rpms/shadow-utils/blob/f28/f/shadow-4.6-sssd-flush.patch
It calls sss_cache to invalidate entries in the sssd cache. sss_cache does many things and they should be allowed to work properly.

Simple reproducer:
* dnf install -y nfs-utils sssd-common
* systemctl start sssd
* runcon -t groupadd_t -- /usr/sbin/groupmod -g 29 rpcuser
* systemctl stop sssd
* runcon -t groupadd_t -- /usr/sbin/groupmod -g 29 rpcuser

And the change is also in f28 updates-testing.
Created attachment 1504123
AVC messages caused by sss_cache

require {
	type sssd_t;
	type groupadd_t;
	type sssd_var_lib_t;
	class file map;
	class process signal;
}

#============= groupadd_t ==============
allow groupadd_t sssd_t:process signal;
allow groupadd_t sssd_var_lib_t:file map;
sssd_manage_lib_files(groupadd_t)
sssd_manage_public_files(groupadd_t)
sssd_read_pid_files(groupadd_t)
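The reports in this thread all end with a setroubleshoot "Hash:" line (comm, source type, target type, class, permission), and the attachment above lists the rules audit2allow derived from the raw AVCs. The script below is an added example, not part of this bug report or of selinux-policy: it parses AVC "denied" records into their fields, rebuilds that hash, and sorts the denials that match the pattern fixed here (sss_cache running in the groupadd_t/useradd_t domain touching sssd objects) from ones that still need a look, which is handy when automated tests produce many of them. The sample records are constructed (modelled on the AVCs quoted in this thread; the third one, a process:signal denial, is made up to exercise the signal rule from the attachment), and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of this bug report or of selinux-policy: parse AVC
# "denied" records into fields and rebuild the setroubleshoot-style hash
# "comm,source_type,target_type,tclass,permission" that the reports above end
# with, so a flood of denials from automated tests can be grouped and the ones
# already covered by this bug told apart from new ones.

# Constructed sample records, modelled on the AVCs quoted in this thread (the
# third one is made up to exercise the process:signal rule from the attachment).
SAMPLE_AVCS='type=AVC msg=audit(1539744859.216:821): avc:  denied  { write } for  pid=26470 comm="sss_cache" name="config.ldb" dev="nvme0n1p2" ino=2006634 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548106137.282:262): avc:  denied  { write } for  pid=3232 comm="sss_cache" name="config.ldb" dev="dm-0" ino=561871 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548106137.300:263): avc:  denied  { signal } for  pid=3232 comm="sss_cache" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0'

# avc_field RECORD KEY: print the value of KEY=... (surrounding quotes dropped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms RECORD: print the permission list between "denied {" and "}",
# whitespace-normalised (several permissions stay space-separated).
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //;s/ $//'
}

# selinux_type CONTEXT: the type component of user:role:TYPE:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_hash RECORD: "comm,source_type,target_type,tclass,permission", the same
# shape as the "Hash:" line setroubleshoot prints in the reports above.
avc_hash() {
    rec=$1
    printf '%s,%s,%s,%s,%s\n' \
        "$(avc_field "$rec" comm)" \
        "$(selinux_type "$(avc_field "$rec" scontext)")" \
        "$(selinux_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$(avc_perms "$rec")"
}

# is_known_sssd_flush_denial HASH: success if the hash matches the pattern this
# bug is about (sss_cache in the groupadd_t/useradd_t domain touching sssd
# objects), which the thread says is fixed in selinux-policy-3.14.1-50.fc28
# and 3.14.2-44.fc29.
is_known_sssd_flush_denial() {
    case $1 in
        sss_cache,groupadd_t,sssd_*|sss_cache,useradd_t,sssd_*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage_avcs: one line per record, hash plus a verdict. On a real host, feed
# it the output of `ausearch -m avc --raw` instead of SAMPLE_AVCS.
triage_avcs() {
    printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r rec; do
        h=$(avc_hash "$rec")
        if is_known_sssd_flush_denial "$h"; then
            printf '%s\tknown: sssd flush denial, update selinux-policy\n' "$h"
        else
            printf '%s\tunknown: investigate before allowing\n' "$h"
        fi
    done
}

triage_avcs
```

The hash deliberately drops the MLS/MCS level and the object name, exactly as the "Hash:" lines in this thread do, so the two reports above (one from groupadd_t with c0.c1023, one from useradd_t on dm-0) group under two hashes that differ only in the source type; anything whose hash falls outside the known pattern is what a local `audit2allow` module should not be written for without reading the record first.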
And the same should be allowed for useradd_t, BZ1640255.

Lukas, is this info sufficient?
Yes, thanks.

commit f5bce4f06c055d1c48df1b8bcb5e5163b60c5045 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Nov 12 14:52:12 2018 -0500

    Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
    https://src.fedoraproject.org/rpms/shadow-utils/blob/f28/f/shadow-4.6-sssd-flush.patch
    BZ(1640255)
*** Bug 1648655 has been marked as a duplicate of this bug. ***
*** Bug 1648634 has been marked as a duplicate of this bug. ***
*** Bug 1644039 has been marked as a duplicate of this bug. ***
*** Bug 1640254 has been marked as a duplicate of this bug. ***
What is the plan of actually shipping the fix? We are still getting bitten by this issue in automated tests ...
In fact, it seems that now Fedora 29 started to fail as well where it was not failing two days ago. Would you like separate bugzilla for Fedora 29 or will you be able to release the fix for both supported Fedora versions via this bugzilla?
Same here - our automated tests started to fail. Any ETA for the fix?
Description of problem:
SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.

Plugin: catchall

SELinux denied the access requested by sss_cache. This access was not expected to be requested by sss_cache, and it could indicate an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require this additional access.

If you believe that sss_cache should be allowed write access on the config.ldb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M mi-ssscache
# semodule -X 300 -i mi-ssscache.pp

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.5-300.fc29.x86_64
type:           libreport
*** Bug 1657038 has been marked as a duplicate of this bug. ***
*** Bug 1656985 has been marked as a duplicate of this bug. ***
*** Bug 1656307 has been marked as a duplicate of this bug. ***
*** Bug 1655777 has been marked as a duplicate of this bug. ***
*** Bug 1655303 has been marked as a duplicate of this bug. ***
*** Bug 1649305 has been marked as a duplicate of this bug. ***
*** Bug 1653260 has been marked as a duplicate of this bug. ***
selinux-policy-3.14.1-50.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-be8834ced4
Description of problem:
I installed wireshark-qt using dnf.

Version-Release number of selected component:
selinux-policy-3.14.1-48.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.19.4-200.fc28.x86_64
type:           libreport
Duplicate, or connected: bug 1658015. I see that those reports are against F28, but situation is the same in F29. Is there a need for a separate report for Fedora 29?
I've noted the regression in Fedora 29 in comment 10. My hope was that the fix won't go to Fedora 28 before it is also available in Fedora 29.
Thx, no more AVC denials in Fedora 29 with selinux-policy-3.14.2-44.fc29
Description of problem:
Happened at system restart right after an update.

Version-Release number of selected component:
selinux-policy-3.14.1-48.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.19.8-200.fc28.x86_64
type:           libreport
Description of problem:
sudo dnf upgrade

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch
selinux-policy-3.14.2-44.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.6-300.fc29.x86_64
type:           libreport
selinux-policy-3.14.1-50.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
FYI, still seeing this particular issue when using chage on Fedora 28 with selinux-policy-3.14.1-50.fc28 installed.

[root@xxxxx tests]# chage -d 0 testuser
(Thu Jan  3 23:18:14:015897 2019) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chage: sss_cache exited with status 5
chage: Failed to flush the sssd cache.
Description of problem:
Occurred during 'dnf update' of a freshly-installed F29 Cinnamon workstation.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.13-300.fc29.x86_64
type:           libreport
Description of problem:
Was installing all of the updates through dnfdragora and the error was thrown:

SELinux is preventing sss_cache from write access on the file config.ldb.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sss_cache should be allowed write access on the config.ldb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                system_u:system_r:useradd_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                config.ldb [ file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch
                              selinux-policy-3.14.2-47.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2019-01-21 15:28:57 CST
Last Seen                     2019-01-21 15:28:57 CST
Local ID                      fbbf0ee7-b265-4d5b-a6cb-81006cfb5b7e

Raw Audit Messages
type=AVC msg=audit(1548106137.282:262): avc: denied { write } for pid=3232 comm="sss_cache" name="config.ldb" dev="dm-0" ino=561871 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0

Hash: sss_cache,useradd_t,sssd_var_lib_t,file,write

I am running Fedora 29 Cinnamon using VirtualBox.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Description of problem:
Installing dnf upgrades

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-3.14.2-49.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
Description of problem:
Fresh install, dnf update, dnf upgrade

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-3.14.2-49.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport