Summary: SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper "connectto" access on /var/lib/sss/pipes/nss. Detailed Description: SELinux denied access requested by dbus-daemon-lau. It is not expected that this access is required by dbus-daemon-lau and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects /var/lib/sss/pipes/nss [ unix_stream_socket ] Source dbus-daemon-lau Source Path /lib64/dbus-1/dbus-daemon-launch-helper Port <Unknown> Host (removed) Source RPM Packages dbus-1.2.24-1.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-10.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.3-85.fc13.x86_64 #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64 Alert Count 9 First Seen Thu 15 Jul 2010 10:04:13 BST Last Seen Thu 15 Jul 2010 17:03:14 BST Local ID 059dff91-10f9-486b-aad1-676c20664337 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1279209794.143:33767): avc: denied { connectto } for pid=4437 comm="dbus-daemon-lau" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=(removed) type=SYSCALL msg=audit(1279209794.143:33767): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff207dfcb0 a2=6e a3=7fff207df920 items=0 ppid=4436 pid=4437 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) Hash String generated from catchall,dbus-daemon-lau,system_dbusd_t,unconfined_t,unix_stream_socket,connectto audit2allow suggests: #============= system_dbusd_t ============== #!!!! This avc is allowed in the current policy allow system_dbusd_t unconfined_t:unix_stream_socket connectto;
Are you starting sssd by hand instead of using the service script?
Looks like an update has fixed this. #============= system_dbusd_t ============== #!!!! This avc is allowed in the current policy allow system_dbusd_t unconfined_t:unix_stream_socket connectto;