Bug 1640255 - SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:225824ead181aa5132282baf70f...
Duplicates: 1640254 1644039 1648634 1648655 1649305 1653260 1655303 1655777 1656307 1656985 1657038
Depends On:
Blocks: 1654592
 
Reported: 2018-10-17 16:34 UTC by Mikhail
Modified: 2019-04-29 09:18 UTC (History)
CC: 31 users

Fixed In Version: selinux-policy-3.14.1-50.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-21 05:52:30 UTC


Attachments
AVC messages caused by sss_cache (9.78 KB, text/x-vhdl)
2018-11-10 18:42 UTC, Lukas Slebodnik

Description Mikhail 2018-10-17 16:34:30 UTC
Description of problem:
SELinux is preventing sss_cache from 'write' accesses on the file config.ldb.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sss_cache should be allowed write access on the config.ldb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                config.ldb [ file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-8.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.0-0.rc7.git4.1.fc30.x86_64 #1 SMP Fri Oct 12 14:14:52 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-10-17 07:54:19 +05
Last Seen                     2018-10-17 07:54:19 +05
Local ID                      8c701bd9-8cb8-4cf3-b03e-0e6e1c28f30d

Raw Audit Messages
type=AVC msg=audit(1539744859.216:821): avc:  denied  { write } for  pid=26470 comm="sss_cache" name="config.ldb" dev="nvme0n1p2" ino=2006634 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Hash: sss_cache,groupadd_t,sssd_var_lib_t,file,write

Version-Release number of selected component:
selinux-policy-3.14.3-8.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.0-0.rc7.git4.1.fc30.x86_64
type:           libreport
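The raw AVC record above is what `ausearch -c 'sss_cache' --raw | audit2allow` consumes, and the "Hash:" line is the tuple setroubleshoot derives from it to group reports. The following POSIX shell script is an added example (not part of this bug report or of the selinux-policy project): it parses AVC records of that shape into the same comm,source-type,target-type,class,permission tuple, prints the allow rule audit2allow would derive, and flags whether a denial matches the useradd_t/groupadd_t → sssd_var_lib_t pattern tracked here. The two sss_cache records are copied from this report; the httpd record is a constructed sample used only as a negative case, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report. Triage helper for raw AVC
# audit records: reduces each record to the setroubleshoot-style hash
# "comm,source_type,target_type,tclass,permission" and the allow rule that
# audit2allow would emit for it.

# Sample records. The first two are copied from this report (comment 0 and
# comment 30); the third is a constructed, unrelated denial for contrast.
AVC_GROUPADD='type=AVC msg=audit(1539744859.216:821): avc:  denied  { write } for  pid=26470 comm="sss_cache" name="config.ldb" dev="nvme0n1p2" ino=2006634 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0'
AVC_USERADD='type=AVC msg=audit(1548106137.282:262): avc:  denied  { write } for  pid=3232 comm="sss_cache" name="config.ldb" dev="dm-0" ino=561871 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0'
AVC_OTHER='type=AVC msg=audit(1548106137.282:263): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_hash RECORD -> prints "comm,stype,ttype,tclass,perm"
# The permission set is the text between "{ " and " }"; the SELinux type is
# the third colon-separated field of scontext/tcontext (user:role:type:level).
avc_hash() {
    printf '%s\n' "$1" | awk '
    {
        comm = ""; stype = ""; ttype = ""; tclass = ""; perm = ""
        s = index($0, "{ "); e = index($0, " }")
        if (s > 0 && e > s) perm = substr($0, s + 2, e - s - 2)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { gsub(/"/, "", kv[2]); comm = kv[2] }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") { tclass = kv[2] }
        }
        printf "%s,%s,%s,%s,%s\n", comm, stype, ttype, tclass, perm
    }'
}

# avc_allow_rule RECORD -> prints the policy rule audit2allow would derive,
# e.g. "allow groupadd_t sssd_var_lib_t:file write;"
avc_allow_rule() {
    IFS=, read -r comm stype ttype tclass perm <<EOF
$(avc_hash "$1")
EOF
    # several permissions in one record need the { } set syntax
    case $perm in *" "*) perm="{ $perm }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perm"
}

# avc_is_this_bug RECORD -> exit 0 if the denial is sss_cache running in the
# useradd_t or groupadd_t domain against sssd_var_lib_t (the pattern fixed by
# selinux-policy-3.14.1-50.fc28), exit 1 otherwise.
avc_is_this_bug() {
    case $(avc_hash "$1") in
        sss_cache,useradd_t,sssd_var_lib_t,*|sss_cache,groupadd_t,sssd_var_lib_t,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: triage the three sample records.
for line in "$AVC_GROUPADD" "$AVC_USERADD" "$AVC_OTHER"; do
    printf 'hash: %s\n' "$(avc_hash "$line")"
    printf 'rule: %s\n' "$(avc_allow_rule "$line")"
    if avc_is_this_bug "$line"; then
        echo '  -> matches the shadow-utils sss_cache pattern (BZ 1640255)'
    else
        echo '  -> unrelated denial, investigate separately'
    fi
done
```

On a live host the same functions can be fed with `ausearch -m AVC --raw` output line by line; the point of the match check is that a denial with the same hash after updating to the fixed policy version means the update is not actually loaded (check `rpm -q selinux-policy` and `semodule -l`), while a different source type needs its own investigation rather than a blanket local module.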

Comment 1 Lukas Slebodnik 2018-11-10 18:39:14 UTC
It happens when some package adds/modifies a group in rpm scriptlets, which is quite often.

It is caused by new feature in shadow-utils
https://src.fedoraproject.org/rpms/shadow-utils/blob/f28/f/shadow-4.6-sssd-flush.patch

It calls sss_cache to invalidate entries in sssd cache.
sss_cache does many things and they should be allowed to work properly.

simple reproducer:
* dnf install -y nfs-utils sssd-common
* systemctl start sssd
* runcon -t groupadd_t -- /usr/sbin/groupmod -g 29 rpcuser
* systemctl stop sssd
* runcon -t groupadd_t -- /usr/sbin/groupmod -g 29 rpcuser

And the change is also in f28 updates-testing.

Comment 2 Lukas Slebodnik 2018-11-10 18:42:28 UTC
Created attachment 1504123 [details]
AVC messages caused by sss_cache

require {
        type sssd_t;
        type groupadd_t;
        type sssd_var_lib_t;
        class file map;
        class process signal;
}

#============= groupadd_t ==============
allow groupadd_t sssd_t:process signal;

allow groupadd_t sssd_var_lib_t:file map;
sssd_manage_lib_files(groupadd_t)
sssd_manage_public_files(groupadd_t)
sssd_read_pid_files(groupadd_t)

Comment 3 Lukas Slebodnik 2018-11-10 18:43:47 UTC
And similar should be allowed for useradd_t (BZ1640255).

Lukas,
Is this info sufficient?

Comment 4 Lukas Vrabec 2018-11-12 19:53:09 UTC
Yes, thanks. 

commit f5bce4f06c055d1c48df1b8bcb5e5163b60c5045 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Nov 12 14:52:12 2018 -0500

    Allow useradd_t and groupadd_t domains to access sssd files because of the new feature in shadow-utils
    
    https://src.fedoraproject.org/rpms/shadow-utils/blob/f28/f/shadow-4.6-sssd-flush.patch
    
    BZ(1640255)

Comment 5 Lukas Slebodnik 2018-11-13 08:29:00 UTC
*** Bug 1648655 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Slebodnik 2018-11-13 08:29:03 UTC
*** Bug 1648634 has been marked as a duplicate of this bug. ***

Comment 7 Lukas Slebodnik 2018-11-13 08:29:06 UTC
*** Bug 1644039 has been marked as a duplicate of this bug. ***

Comment 8 Lukas Slebodnik 2018-11-13 08:29:25 UTC
*** Bug 1640254 has been marked as a duplicate of this bug. ***

Comment 9 Jan Pazdziora 2018-12-04 12:32:56 UTC
What is the plan of actually shipping the fix? We are still getting bitten by this issue in automated tests ...

Comment 10 Jan Pazdziora 2018-12-04 12:59:53 UTC
In fact, it seems that now Fedora 29 started to fail as well where it was not failing two days ago. Would you like separate bugzilla for Fedora 29 or will you be able to release the fix for both supported Fedora versions via this bugzilla?

Comment 11 Michael Mráka 2018-12-04 14:46:47 UTC
Same here - our automated tests started to fail. Any ETA for the fix?

Comment 12 manoloruiz 2018-12-04 21:32:27 UTC
Description of problem:
SELinux is preventing sss_cache from write access on the file config.ldb.

Plugin: catchall
 SELinux denied the access requested by sss_cache. This access was not expected to be requested by sss_cache, and it may indicate an intrusion attempt. It is also possible that the specific version or configuration of the application is causing this need for additional access.

If you believe that sss_cache should be allowed write access on the config.ldb file by default,
you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M mi-ssscache
# semodule -X 300 -i mi-ssscache.pp

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch

Additional info:
reporter:       libreport-2.9.6
hashmarkername: setroubleshoot
kernel:         4.19.5-300.fc29.x86_64
type:           libreport

Comment 13 Lukas Slebodnik 2018-12-07 13:19:09 UTC
*** Bug 1657038 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Slebodnik 2018-12-07 13:20:47 UTC
*** Bug 1656985 has been marked as a duplicate of this bug. ***

Comment 15 Lukas Slebodnik 2018-12-07 13:20:57 UTC
*** Bug 1656307 has been marked as a duplicate of this bug. ***

Comment 16 Lukas Slebodnik 2018-12-07 13:21:28 UTC
*** Bug 1655777 has been marked as a duplicate of this bug. ***

Comment 17 Lukas Slebodnik 2018-12-07 13:21:43 UTC
*** Bug 1655303 has been marked as a duplicate of this bug. ***

Comment 18 Lukas Slebodnik 2018-12-07 13:22:19 UTC
*** Bug 1649305 has been marked as a duplicate of this bug. ***

Comment 19 Lukas Slebodnik 2018-12-07 13:22:38 UTC
*** Bug 1653260 has been marked as a duplicate of this bug. ***

Comment 20 Fedora Update System 2018-12-07 15:43:56 UTC
selinux-policy-3.14.1-50.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-be8834ced4

Comment 21 Tomáš Hozza 🤓 2018-12-11 09:23:22 UTC
Description of problem:
I installed wireshark-qt using dnf.

Version-Release number of selected component:
selinux-policy-3.14.1-48.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.19.4-200.fc28.x86_64
type:           libreport

Comment 22 Vladimir Zhelezov 2018-12-11 12:05:27 UTC
Duplicate, or connected: bug 1658015.

I see that those reports are against F28, but situation is the same in F29. Is there a need for a separate report for Fedora 29?

Comment 23 Jan Pazdziora 2018-12-11 13:07:35 UTC
I've noted the regression in Fedora 29 in comment 10. My hope was that the fix won't go to Fedora 28 before it is also available in Fedora 29.

Comment 24 Vladimir Zhelezov 2018-12-13 18:58:32 UTC
Thx, no more AVC denials in Fedora 29 with selinux-policy-3.14.2-44.fc29

Comment 25 aten 2018-12-14 20:28:03 UTC
Description of problem:
happened at system restart right after an update

Version-Release number of selected component:
selinux-policy-3.14.1-48.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.19.8-200.fc28.x86_64
type:           libreport

Comment 26 raynaud 2018-12-15 17:06:03 UTC
Description of problem:
sudo dnf upgrade

Version-Release number of selected component:
selinux-policy-3.14.2-42.fc29.noarch
selinux-policy-3.14.2-44.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.6-300.fc29.x86_64
type:           libreport

Comment 27 Fedora Update System 2018-12-21 05:52:30 UTC
selinux-policy-3.14.1-50.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 gareth 2019-01-03 23:20:02 UTC
FYI,

Still seeing this particular issue when using chage on Fedora 28 with selinux-policy-3.14.1-50.fc28 installed.

[root@xxxxx tests]# chage -d 0 testuser
(Thu Jan  3 23:18:14:015897 2019) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
chage: sss_cache exited with status 5
chage: Failed to flush the sssd cache.

Comment 29 Justin Coffman 2019-01-14 23:48:01 UTC
Description of problem:
Occurred during 'dnf update' of freshly-installed F29 Cinnamon workstation.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.13-300.fc29.x86_64
type:           libreport

Comment 30 Bradley Phillips 2019-01-21 21:39:36 UTC
Description of problem:
Was installing all of the updates through dnfdragora and the error was thrown:

SELinux is preventing sss_cache from write access on the file config.ldb.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sss_cache should be allowed write access on the config.ldb file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                system_u:system_r:useradd_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                config.ldb [ file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-40.fc29.noarch selinux-policy-3.14.2-47.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 4.18.16-300.fc29.x86_64 #1 SMP Sat Oct 20 23:24:08 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2019-01-21 15:28:57 CST
Last Seen                     2019-01-21 15:28:57 CST
Local ID                      fbbf0ee7-b265-4d5b-a6cb-81006cfb5b7e

Raw Audit Messages
type=AVC msg=audit(1548106137.282:262): avc:  denied  { write } for  pid=3232 comm="sss_cache" name="config.ldb" dev="dm-0" ino=561871 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0


Hash: sss_cache,useradd_t,sssd_var_lib_t,file,write

I am running Fedora29 Cinnamon using VirtualBox.

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-3.14.2-47.fc29.noarch

Additional info:
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 31 Jonathan Haas 2019-03-04 11:35:39 UTC
Description of problem:
Installing dnf upgrades

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-3.14.2-49.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport

Comment 32 katch922 2019-03-07 16:13:27 UTC
Description of problem:
Fresh install
dnf update
dnf upgrade

Version-Release number of selected component:
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-3.14.2-49.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.18.16-300.fc29.x86_64
type:           libreport
