Bug 1827466 - SELinux is preventing sssd from 'read' access on the directory systemd
Summary: SELinux is preventing sssd from 'read' access on the directory systemd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1907574 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-24 02:22 UTC by Anthony Messina
Modified: 2021-01-19 01:51 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.14.5-46.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-19 01:51:39 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1811556 0 medium CLOSED SELinux is preventing sssd from 'read' accesses on the directory resolve. 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1903335 0 high CLOSED avc: denied { read } comm="sssd" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:sssd_t:s0 tcontext=system... 2021-06-18 16:35:34 UTC

Description Anthony Messina 2020-04-24 02:22:57 UTC
Using selinux-policy-targeted-3.14.4-50.fc31.noarch

The inode points to "/run/systemd"

AVC avc:  denied  { read } for  pid=781 comm="sssd" name="systemd" dev="tmpfs" ino=15223 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1

This seems related to https://bugzilla.redhat.com/show_bug.cgi?id=1811556

Comment 1 Zdenek Pytela 2020-05-07 16:20:52 UTC
Anthony,

Apart from the denial, did you also see any functionality issue?

I also see the system was in permissive mode, no additional denial was audited?

Comment 2 Anthony Messina 2020-05-07 18:06:15 UTC
(In reply to Zdenek Pytela from comment #1)
> Anthony,
> 
> Apart from the denial, did you also see any functionality issue?
> 
> I also see the system was in permissive mode, no additional denial was
> audited?

Hi Zdenek.  sssd does continue to start in enforcing mode, but I am not certain if there is an effective functionality decrease.  No additional AVCs are generated in permissive or enforcing mode.

Comment 3 Matt Kinni 2020-09-13 05:47:16 UTC
Confirmed still happening as of selinux-policy-targeted-3.14.5-43.fc32.noarch, but everything appears to be in working order besides the nuisance avc denial in seapplet

Comment 4 Ben Cotton 2020-11-03 17:27:19 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Zdenek Pytela 2020-12-15 21:16:41 UTC
*** Bug 1907574 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-01-11 17:19:52 UTC
Needs backporting:
commit 7e0a0dae48a7aa066bfd76e26e99f04b1d8170dc
Author: Zdenek Pytela <zpytela>
Date:   Tue Dec 15 23:18:22 2020 +0100

    Allow sssd read /run/systemd directory

    The nsswitch_domain is already allowed search /run/systemd, sssd however
    requires the read permission, granted by the list_dir_perms pattern.

    The reason is that sssd is using an asynchronous resolver library
    (c-ares) and monitors /etc/resolv.conf for changes. If /etc/resolv.conf
    is replaced with a symlink, SSSD tries to follow it to set an inotify
    watch to be aware of the target file changes. The resolv.conf file
    changes can be made by a user, NetworkManager, or systemd-resolved.

    Resolves: rhbz#1903335

Comment 8 Fedora Update System 2021-01-13 20:01:17 UTC
FEDORA-2021-3036e7bf00 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-3036e7bf00

Comment 9 Fedora Update System 2021-01-14 02:22:41 UTC
FEDORA-2021-3036e7bf00 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-3036e7bf00`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-3036e7bf00

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-01-19 01:51:39 UTC
FEDORA-2021-3036e7bf00 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.