Bug 2176235 - [sssd] uses watch on system_u:object_r:lib_t when setting up switch from nss-altfiles
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-03-07 17:58 UTC by Pat Riehecky
Modified: 2023-08-16 07:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Pat Riehecky 2023-03-07 17:58:16 UTC
Description of problem:
When using sssd's files provider, but storing the files in the same location that nss-altfiles uses (/usr/lib), sssd needs the ability to set an inotify watch on /usr/lib.

Version-Release number of selected component (if applicable):
selinux-policy-37.19-1.fc37.noarch

How reproducible:
100%

Steps to Reproduce:
1. deploy passwd/group for use with nss-altfiles
2. configure sssd to use the same files from nss-altfiles
3. start sssd
4. selinux denial

Actual results:
grep  avc /var/log/audit/audit.log |grep sssd_be | audit2why
type=AVC msg=audit(1678211275.874:251916): avc:  denied  { watch } for  pid=982783 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211275.891:251917): avc:  denied  { watch } for  pid=982784 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211277.914:251925): avc:  denied  { watch } for  pid=982788 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211281.935:251933): avc:  denied  { watch } for  pid=982819 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211374.648:251959): avc:  denied  { watch } for  pid=983290 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211374.666:251960): avc:  denied  { watch } for  pid=983291 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211376.689:251968): avc:  denied  { watch } for  pid=983292 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211380.709:251976): avc:  denied  { watch } for  pid=983321 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678211392.851:252005): avc:  denied  { watch } for  pid=983334 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=1

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


Expected results:

Permit watch on system_u:object_r:lib_t:s0

Additional info:

SSSD folks suggest using nss-altfiles as a proxy source. For folks looking to test this and perform a phased migration, this policy tweak seems necessary.
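As an added example (not part of this report, of sssd or of selinux-policy), a small Python parser for AVC records like the ones above: it extracts the source and target types, the object class and the denied permissions, records whether each denial was enforced or only logged (the last record above has permissive=1), and collapses the denials into the narrowest allow rule a policy module would need, here `allow sssd_t lib_t:dir watch;`, instead of anything broader.

```python
import re
from collections import defaultdict

# Two AVC records copied from the report above: the first was logged with the
# policy enforcing (permissive=0), the second in permissive mode (permissive=1).
AVC_LINES = [
    'type=AVC msg=audit(1678211275.874:251916): avc:  denied  { watch } for  pid=982783 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1678211392.851:252005): avc:  denied  { watch } for  pid=983334 comm="sssd_be" path="/usr/lib" dev="dm-0" ino=33554564 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        "tclass": kv.get("tclass"),
        # contexts are user:role:type[:level]; a TE rule is written against the type
        "stype": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        # permissive=1: the kernel logged the denial but let the access through
        "permissive": kv.get("permissive") == "1",
    }


def te_rules(lines):
    """One allow rule per (source type, target type, class), covering only the denied perms."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] == "denied":
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (s, t, c), perms in sorted(needed.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"  # several permissions go in a brace set
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules
```

Feeding it the full `grep avc /var/log/audit/audit.log | grep sssd_be` output from the report yields the single rule above, which is what a reviewer should compare against whatever audit2allow proposes.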

Comment 1 Fedora Release Engineering 2023-08-16 07:11:13 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

