Summary:

SELinux is preventing polkitd "connectto" access on /var/lib/sss/pipes/nss.

Detailed Description:

SELinux denied access requested by polkitd. It is not expected that this access is required by polkitd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0
Target Objects                /var/lib/sss/pipes/nss [ unix_stream_socket ]
Source                        polkitd
Source Path                   polkitd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Alert Count                   13
First Seen                    Mon 31 May 2010 06:42:16 PM CEST
Last Seen                     Mon 31 May 2010 07:13:52 PM CEST
Local ID                      bd63ccf7-53ce-4acd-b899-32afb281337b
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1275326032.134:28764): avc: denied { connectto } for pid=1887 comm="polkitd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Hash String generated from  catchall,polkitd,policykit_t,initrc_t,unix_stream_socket,connectto
audit2allow suggests:

#============= policykit_t ==============
allow policykit_t initrc_t:unix_stream_socket connectto;
*** Bug 598204 has been marked as a duplicate of this bug. ***
Which process is running as initrc_t?

# ps -ez | grep initrc

How is '/usr/sbin/sssd' labeled?

# ls -Z /usr/sbin/sssd
# ps -ez
ERROR: Unsupported SysV option.
********* simple selection ********* ********* selection by list ********* -A all processes -C by command name -N negate selection -G by real group ID (supports names) -a all w/ tty except session leaders -U by real user ID (supports names) -d all except session leaders -g by session OR by effective group name -e all processes -p by process ID T all processes on this terminal -s processes in the sessions given a all w/ tty, including other users -t by tty g OBSOLETE -- DO NOT USE -u by effective user ID (supports names) r only running processes U processes for specified users x processes w/o controlling ttys t by tty *********** output format ********** *********** long options *********** -o,o user-defined -f full --Group --User --pid --cols --ppid -j,j job control s signal --group --user --sid --rows --info -O,O preloaded -o v virtual memory --cumulative --format --deselect -l,l long u user-oriented --sort --tty --forest --version -F extra full X registers --heading --no-heading --context ********* misc options ********* -V,V show version L list format codes f ASCII art forest -m,m,-L,-T,H threads S children in sum -y change -l format -M,Z security data c true command name -c scheduling class -w,w wide output n numeric WCHAN,UID -H process hierarchy

# ls -Z /usr/bin/sssd
-rwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /usr/sbin/sssd
(In reply to comment #3)
> # ps -ez

Oops, I apologize.

# ps -eZ | grep initrc

>
> # ls -Z /usr/bin/sssd
> -rwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /usr/sbin/sssd

Could you try to execute

# restorecon -v /usr/sbin/sssd
# ls -Z /usr/sbin/sssd
This looks like sssd is running with the wrong context. Please fix the label on sssd and restart the daemon; it should be running as sssd_t.

ps -eZ | grep sssd

Not sure how you got this mislabeled. But you might want to run a relabel on your system

# fixfiles restore
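The triage the thread above walks through (read the raw AVC record, check the label on the daemon's binary, then relabel rather than paste in the audit2allow rule) as an added POSIX shell example; this is not code from the bug report or from Fedora. It parses the audit line and the ls -Z line copied from the report, assumes sssd_t as the expected domain (stated in the comment above), and treats an unlabeled_t binary as the explanation for a daemon stuck in initrc_t, since no domain transition is defined for an unlabeled executable.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an AVC denial on a daemon's
# socket by pairing the audit record with the label of the daemon's binary.
# Constructed input: the two lines below are copied from the report above.

AVC='type=AVC msg=audit(1275326032.134:28764): avc: denied { connectto } for pid=1887 comm="polkitd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'
LSZ='-rwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /usr/sbin/sssd'

# avc_field LINE KEY: value of KEY=value in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr -d '"' | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third field) of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

avc_source_type() { ctx_type "$(avc_field "$1" scontext)"; }
avc_target_type() { ctx_type "$(avc_field "$1" tcontext)"; }

# file_type LSZ_LINE: type of a file from one line of `ls -Z` output
# (the context is the 4th column in the format shown in the report).
file_type() {
    ctx_type "$(printf '%s\n' "$1" | awk '{print $4}')"
}

# diagnose AVC_LINE LSZ_LINE EXPECTED_DOMAIN
# Prints "policy"  when the daemon already runs in its expected domain, so the
#                  denial is a genuine policy gap worth a bug report;
#        "relabel" when the daemon runs in another domain and its binary is
#                  unlabeled_t, i.e. the label, not the policy, is wrong;
#        "unclear" otherwise.
diagnose() {
    target=$(avc_target_type "$1")
    ftype=$(file_type "$2")
    if [ "$target" = "$3" ]; then
        printf 'policy\n'
    elif [ "$ftype" = unlabeled_t ]; then
        printf 'relabel\n'
    else
        printf 'unclear\n'
    fi
}

# report AVC_LINE LSZ_LINE EXPECTED_DOMAIN BINARY: human-readable verdict.
report() {
    printf '%s denied %s -> %s (%s)\n' "$(avc_source_type "$1")" \
        "$(avc_perm "$1")" "$(avc_target_type "$1")" "$(avc_field "$1" path)"
    printf 'binary %s is labeled %s\n' "$4" "$(file_type "$2")"
    case $(diagnose "$1" "$2" "$3") in
    relabel)
        printf 'verdict: mislabeled binary, daemon never entered %s\n' "$3"
        printf 'fix:     restorecon -v %s; restart the daemon;\n' "$4"
        printf '         verify with: ps -eZ | grep %s\n' "$3"
        printf 'avoid:   allow %s %s:%s %s; (audit2allow output)\n' \
            "$(avc_source_type "$1")" "$(avc_target_type "$1")" \
            "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
        ;;
    policy)
        printf 'verdict: labels are correct; treat as a policy bug\n'
        ;;
    *)
        printf 'verdict: unclear; compare ls -Z output against the policy file contexts\n'
        ;;
    esac
}

report "$AVC" "$LSZ" sssd_t /usr/sbin/sssd
```

Why the allow rule is the wrong fix here: it would let polkitd connect to any unix stream socket owned by anything running as initrc_t, a broad domain that covers every mislabeled service, instead of restoring the narrow sssd_t domain the policy already provides.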
*** Bug 614965 has been marked as a duplicate of this bug. ***