Bug 1827466 - SELinux is preventing sssd from 'read' access on the directory systemd
Summary: SELinux is preventing sssd from 'read' access on the directory systemd
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-24 02:22 UTC by Anthony Messina
Modified: 2020-11-03 23:48 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1811556 medium CLOSED SELinux is preventing sssd from 'read' accesses on the directory resolve. 2020-10-14 00:28:05 UTC

Description Anthony Messina 2020-04-24 02:22:57 UTC
Using selinux-policy-targeted-3.14.4-50.fc31.noarch

The inode points to "/run/systemd"

AVC avc:  denied  { read } for  pid=781 comm="sssd" name="systemd" dev="tmpfs" ino=15223 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1

This seems related to https://bugzilla.redhat.com/show_bug.cgi?id=1811556

Comment 1 Zdenek Pytela 2020-05-07 16:20:52 UTC
Anthony,

Apart from the denial, did you also see any functionality issue?

I also see the system was in permissive mode, no additional denial was audited?

Comment 2 Anthony Messina 2020-05-07 18:06:15 UTC
(In reply to Zdenek Pytela from comment #1)
> Anthony,
> 
> Apart from the denial, did you also see any functionality issue?
> 
> I also see the system was in permissive mode, no additional denial was
> audited?

Hi Zdenek.  sssd does continue to start in enforcing mode, but I am not certain if there is an effective functionality decrease.  No additional AVCs are generated in permissive or enforcing mode.

Comment 3 Matt Kinni 2020-09-13 05:47:16 UTC
Confirmed still happening as of selinux-policy-targeted-3.14.5-43.fc32.noarch, but everything appears to be in working order besides the nuisance avc denial in seapplet

Comment 4 Ben Cotton 2020-11-03 17:27:19 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.


Note You need to log in before you can comment on or make changes to this bug.