2192241 – SELinux is preventing nfsidmap from 'search' accesses on the directory /var/lib/sss and 'read' access on userdb

Bug 2192241 - SELinux is preventing nfsidmap from 'search' accesses on the directory /var/lib/sss and 'read' access on userdb

Summary: SELinux is preventing nfsidmap from 'search' accesses on the directory /var/l...

Keywords:
Status:	CLOSED DUPLICATE of bug 2180611
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:b76333c32a52313a9bc306624de...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-04-30 19:51 UTC by Brendan
Modified:	2023-05-02 17:22 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-02 17:22:14 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: os_info (734 bytes, text/plain) 2023-04-30 19:51 UTC, Brendan	no flags	Details
File: description (1.92 KB, text/plain) 2023-04-30 19:51 UTC, Brendan	no flags	Details
View All

Description Brendan 2023-04-30 19:51:27 UTC

Description of problem:
Running FreeIPA (4.9.10) on my network connecting to an NFS 4.2 share on Rocky Linux v8.7 using Kerberos (krb5i/krb5p) encryption.
The share is mounted using autofs
When accessing permissions for files and folders, they appear to either belong to root or nobody.

/etc/exports on file server:
/NAS_Shares                                     *(ro,sec=sys:krb5i:krb5p,fsid=0)
/NAS_Shares/Storage                             *(rw,sec=krb5i:krb5p)

/etc/auto.misc on local Fedora 38 machine:
Storage		-fstype=nfs4,vers=4.2,sec=krb5i		(removed):/Storage

Logs are filled with the following when trying to access a share:
Apr 30 13:37:25 (removed) audit[40130]: AVC avc:  denied  { search } for  pid=40130 comm="nfsidmap" name="sss" dev="dm-0" ino=2101864 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
Apr 30 13:37:25 (removed) audit[40130]: AVC avc:  denied  { read } for  pid=40130 comm="nfsidmap" name="userdb" dev="tmpfs" ino=36 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
SELinux is preventing nfsidmap from 'search' accesses on the directory /var/lib/sss.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nfsidmap should be allowed search access on the sss directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nfsidmap' --raw | audit2allow -M my-nfsidmap
# semodule -X 300 -i my-nfsidmap.pp

Additional Information:
Source Context                system_u:system_r:nfsidmap_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss [ dir ]
Source                        nfsidmap
Source Path                   nfsidmap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           sssd-common-2.8.2-4.fc38.x86_64
SELinux Policy RPM            selinux-policy-targeted-38.10-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.10-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.11-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 13 20:27:09 UTC 2023
                              x86_64
Alert Count                   240
First Seen                    2023-04-18 18:45:08 MDT
Last Seen                     2023-04-29 17:48:52 MDT
Local ID                      97b36a76-af73-4d16-b197-9418f3b57f73

Raw Audit Messages
type=AVC msg=audit(1682812132.584:560): avc:  denied  { search } for  pid=17509 comm="nfsidmap" name="sss" dev="dm-0" ino=2101864 scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0


Hash: nfsidmap,nfsidmap_t,sssd_var_lib_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-38.10-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.9
reason:         SELinux is preventing nfsidmap from 'search' accesses on the directory /var/lib/sss and 'read' access on userdb
package:        selinux-policy-targeted-38.10-1.fc38.noarch
kernel:         6.2.11-300.fc38.x86_64
hashmarkername: setroubleshoot
type:           libreport
component:      selinux-policy
component:      selinux-policy

Comment 1 Brendan 2023-04-30 19:51:29 UTC

Created attachment 1961291 [details]
File: os_info

Comment 2 Brendan 2023-04-30 19:51:31 UTC

Created attachment 1961292 [details]
File: description

Comment 3 Zdenek Pytela 2023-05-02 17:22:14 UTC


*** This bug has been marked as a duplicate of bug 2180611 ***

Note You need to log in before you can comment on or make changes to this bug.