Description of problem: I booted the Fedora 38 live image Fedora-KDE-Live-x86_64-38-20230322.n.0.iso in a GNOME Boxes QEMU/KVM VM in a Fedora 38 installation. I opened System Settings in Plasma 5.27.3 on Wayland in the VM. I selected Users in the System Settings menu. I created two new users of the standard account type with passwords. The journal showed denials of sss_cache reading a pipe or fifo_file from the pipefs device. I reproduced this problem in the Fedora 38 KDE Plasma installation in the same way. The journal showed the following at the time of the denials.

Mar 22 16:23:53 audit[8610]: USER_AUTH pid=8610 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="matt" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Mar 22 16:23:53 audit[8610]: USER_ACCT pid=8610 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="matt" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Mar 22 16:23:53 polkitd[932]: Operator of unix-session:2 successfully authenticated as unix-user:matt to gain TEMPORARY authorization for action org.freedesktop.accounts.user-administration for system-bus-name::1.264 [/usr/bin/systemsettings] (owned by unix-user:matt)
Mar 22 16:23:53 accounts-daemon[864]: request by system-bus-name::1.264 [/usr/bin/systemsettings pid:8570 uid:1000]: create user 'user3'
Mar 22 16:23:53 useradd[8615]: new group: name=user3, GID=1002
Mar 22 16:23:53 useradd[8615]: new user: name=user3, UID=1002, GID=1002, home=/home/user3, shell=/bin/bash, from=none
Mar 22 16:23:53 accounts-daemon[8638]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:53 accounts-daemon[8638]: Could not open available domains
Mar 22 16:23:53 useradd[8615]: useradd: sss_cache exited with status 5
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 accounts-daemon[8641]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:53 accounts-daemon[8641]: Could not open available domains
Mar 22 16:23:53 useradd[8615]: useradd: sss_cache exited with status 5
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 accounts-daemon[864]: request by system-bus-name::1.264 [/usr/bin/systemsettings pid:8570 uid:1000]: set password and hint of user 'user3' (1002)
Mar 22 16:23:53 audit[8649]: AVC avc: denied { read } for pid=8649 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 accounts-daemon[8649]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:54 accounts-daemon[8649]: Could not open available domains
Mar 22 16:23:54 chpasswd[8645]: chpasswd: sss_cache exited with status 5
Mar 22 16:23:54 chpasswd[8645]: chpasswd: Failed to flush the sssd cache.
Mar 22 16:23:54 audit[8651]: AVC avc: denied { read } for pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 accounts-daemon[8651]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:54 accounts-daemon[8651]: Could not open available domains
Mar 22 16:23:54 chpasswd[8645]: chpasswd: sss_cache exited with status 5
Mar 22 16:23:54 chpasswd[8645]: chpasswd: Failed to flush the sssd cache.

I'm reporting this problem from within the F38 installation, which has SELinux enabled with the targeted policy selinux-policy-38.8-2.fc38.noarch in enforcing mode.

SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sss_cache should be allowed read access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.8-2.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.8-2.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.7-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Mar 17 16:02:49 UTC 2023 x86_64
Alert Count                   2
First Seen                    2023-03-22 16:23:53 EDT
Last Seen                     2023-03-22 16:23:54 EDT
Local ID                      2294d8b6-8f30-4721-88e3-53c6951ce268

Raw Audit Messages
type=AVC msg=audit(1679516634.18:292): avc: denied { read } for pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0

Hash: sss_cache,sssd_t,accountsd_t,fifo_file,read

Version-Release number of selected component:
selinux-policy-targeted-38.8-2.fc38.noarch

Additional info:
reporter: libreport-2.17.8
hashmarkername: setroubleshoot
type: libreport
kernel: 6.2.7-300.fc38.x86_64
component: selinux-policy
package: selinux-policy-targeted-38.8-2.fc38.noarch
reason: SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.
component: selinux-policy
Created attachment 1952929 [details] File: os_info
Created attachment 1952930 [details] File: description
Zdenek, this bug seems to block bug 2179591, which is currently proposed as a Fedora 38 Final blocker. If you can, please look at it soon, thanks.
Matt,

Can you insert this local module to check if this is the only denial?

# cat local_sssd_acct.cil
(allow sssd_t accountsd_t (fifo_file (read)))
# semodule -i local_sssd_acct.cil
<reproduce>
then
# semodule -r local_sssd_acct
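The CIL allow rule in the comment above can be derived mechanically from the AVC lines quoted in the description. The following Python script is an added example, not part of this bug or of the selinux-policy package: it parses audit/journal AVC lines (a constructed sample copied from the two denials in the report), groups the denied permissions by source type, target type and object class, and prints the matching (allow ...) statements for a local CIL module, much like audit2allow does for the .te form.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the bug description, one in
# journal form and one in the raw "type=AVC msg=audit(...)" form.
SAMPLE_AVCS = """\
Mar 22 16:23:53 useradd[8615]: new user: name=user3, UID=1002, GID=1002, home=/home/user3, shell=/bin/bash, from=none
Mar 22 16:23:53 audit[8649]: AVC avc: denied { read } for pid=8649 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1679516634.18:292): avc: denied { read } for pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
"""

# Matches "avc: denied { perm perm ... } ... scontext=... tcontext=... tclass=..."
# with any amount of whitespace, so both journal and raw ausearch output work.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the useradd line above)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def to_cil(rules):
    """Render the grouped denials as CIL allow statements, one per line."""
    return "\n".join(
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    )


if __name__ == "__main__":
    # For the sample this prints the same rule used in local_sssd_acct.cil:
    # (allow sssd_t accountsd_t (fifo_file (read)))
    print(to_cil(parse_denials(SAMPLE_AVCS)))
```

Review the generated rules before loading them with semodule; a rule produced this way grants exactly the denied access and nothing else, which is what makes it useful for confirming whether a single denial is the whole problem, as the comment above asks.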
I inserted the local module local_sssd_acct.cil and created another user. No SELinux denials were shown. The other errors were still there in the journal like I reported, so there might be some problem with sss_cache other than the denial. I ran sudo setenforce 0 and created the user again. There weren't any denials but the other errors were there in the journal as before. Thanks.
Thank you for checking.
FEDORA-2023-624eb88729 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729
(In reply to Fedora Update System from comment #7)
> FEDORA-2023-624eb88729 has been submitted as an update to Fedora 38.
> https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

I don't see AVCs when this update is installed and new users get created in KDE.
FEDORA-2023-624eb88729 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.