Bug 2190385 - selinux is preventing idmapd to access sss and userdb
Summary: selinux is preventing idmapd to access sss and userdb
Keywords:
Status: CLOSED DUPLICATE of bug 2180611
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-28 09:01 UTC by christof.schulze
Modified: 2023-05-10 13:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-10 13:21:36 UTC
Type: ---
Embargoed:



Description christof.schulze 2023-04-28 09:01:20 UTC
User and Group on nfs-mounts don't show (only nobody). Disabling selinux helps.



type=AVC msg=audit(1682593788.415:45): avc:  denied  { name_bind } for  pid=633 comm="rpcbind" src=61459 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1682593835.275:157): avc:  denied  { search } for  pid=1191 comm="nfsidmap" name="sss" dev="sda1" ino=2490407 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682593835.275:158): avc:  denied  { read } for  pid=1191 comm="nfsidmap" name="passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:159): avc:  denied  { open } for  pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:160): avc:  denied  { getattr } for  pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:161): avc:  denied  { map } for  pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.277:162): avc:  denied  { write } for  pid=1192 comm="nfsidmap" name="nss" dev="sda1" ino=2490577 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1682593835.277:163): avc:  denied  { connectto } for  pid=1192 comm="nfsidmap" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1682593844.040:186): avc:  denied  { search } for  pid=1242 comm="nfsidmap" name="sss" dev="sda1" ino=2490407 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682593844.040:187): avc:  denied  { read } for  pid=1242 comm="nfsidmap" name="passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593844.040:188): avc:  denied  { open } for  pid=1242 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593844.040:189): avc:  denied  { getattr } for  pid=1242 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593844.040:190): avc:  denied  { map } for  pid=1242 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1



Reproducible: Always

Steps to Reproduce:
1. Freshly install (or update from F37/36) Fedora 38
2. Configure sssd to use IPA-Server
3. Configure automount or mount directly
Actual Results:  
User and group from sssd are not showing

Expected Results:  
User and group from sssd are shown correctly.

Workaround:
```
module my-nfsidmap 1.0;

require {
	type nfsidmap_t;
	type systemd_userdbd_runtime_t;
	type sssd_var_lib_t;
	type sssd_public_t;
	type sssd_t;
	class dir { read search };
	class sock_file write;
	class file { getattr map open read };
	class unix_stream_socket connectto;
}

#============= nfsidmap_t ==============
allow nfsidmap_t sssd_public_t:file { getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow nfsidmap_t sssd_public_t:file map;
allow nfsidmap_t sssd_t:unix_stream_socket connectto;
allow nfsidmap_t sssd_var_lib_t:sock_file write;
allow nfsidmap_t sssd_var_lib_t:dir search;
allow nfsidmap_t systemd_userdbd_runtime_t:dir read;

```

Comment 1 Anthony Messina 2023-05-10 00:39:18 UTC
For additional information, with the above policy applied on F38, I still see:

type=AVC msg=audit(1683678798.554:1347): avc:  denied  { read } for  pid=59235 comm="nfsidmap" name="io.systemd.DropIn" dev="tmpfs" ino=651 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0

# ll -Z /run/systemd/userdb
total 0
lrwxrwxrwx. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0 42 May  8 16:58 io.systemd.DropIn -> /run/systemd/userdb/io.systemd.Multiplexer
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  8 16:58 io.systemd.DynamicUser
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  8 16:59 io.systemd.Home
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  9 19:07 io.systemd.Machine
srw-rw-rw-. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0  0 May  8 16:58 io.systemd.Multiplexer
lrwxrwxrwx. 1 root root system_u:object_r:systemd_userdbd_runtime_t:s0 42 May  8 16:58 io.systemd.NameServiceSwitch -> /run/systemd/userdb/io.systemd.Multiplexer

Comment 2 Anthony Messina 2023-05-10 00:42:30 UTC
The following is what's recommended (when things are in enforcing mode).

# ausearch -m avc -ts recent | audit2allow


#============= nfsidmap_t ==============
allow nfsidmap_t systemd_userdbd_runtime_t:lnk_file read;
allow nfsidmap_t systemd_userdbd_runtime_t:sock_file write;
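The step both the report's workaround and comment 2 rely on is turning raw AVC records into `allow` rules grouped by source type, target type and object class, which is what `audit2allow` does. The following is an added example, not code from the bug or from audit2allow: it parses four AVC lines copied from this bug and also separates the denials logged with `permissive=0` (actually blocked, as in comment 1) from those collected in permissive mode.

```python
import re
from collections import defaultdict

# Sample input: four AVC records copied from this bug (three from the report,
# logged in permissive mode; the last from comment 1, logged in enforcing mode).
SAMPLE_AVCS = """\
type=AVC msg=audit(1682593835.275:157): avc:  denied  { search } for  pid=1191 comm="nfsidmap" name="sss" dev="sda1" ino=2490407 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1682593835.275:158): avc:  denied  { read } for  pid=1191 comm="nfsidmap" name="passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1682593835.275:161): avc:  denied  { map } for  pid=1191 comm="nfsidmap" path="/var/lib/sss/mc/passwd" dev="sda1" ino=2490594 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1683678798.554:1347): avc:  denied  { read } for  pid=59235 comm="nfsidmap" name="io.systemd.DropIn" dev="tmpfs" ino=651 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Extract what a policy rule needs from one AVC record (None if not one)."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "perms": set(m.group(1).split()),
        # a context is user:role:type[:range]; rules are written on the type
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
        "enforced": fields.get("permissive") == "0",
    }

def allow_rules(text):
    """Merge denials per (source type, target type, class), as audit2allow prints them."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

def enforced_denials(text):
    """Records with permissive=0: accesses SELinux actually blocked, so the ones
    that still break something after a workaround module is loaded."""
    return [rec for rec in map(parse_avc, text.splitlines())
            if rec and rec["enforced"]]
```

Feeding `SAMPLE_AVCS` to `allow_rules` yields the `file { map read }`, `dir search` and `lnk_file read` rules seen in the workaround and in comment 2; `enforced_denials` returns only the `io.systemd.DropIn` record from comment 1.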

Comment 3 Zdenek Pytela 2023-05-10 13:21:36 UTC

*** This bug has been marked as a duplicate of bug 2180611 ***

