Beginning with SSSD 1.3.0 (the release candidate of which is currently in Rawhide as 1.2.91), SSSD will need 'getattr' and 'read' access to /proc/net/psched (used internally by libnl to read netlink messages). Summary: SELinux is preventing /usr/sbin/sssd "getattr" access on /proc//net/psched. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by sssd. It is not expected that this access is required by sssd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:sssd_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects /proc/<pid>/net/psched [ file ] Source sssd Source Path /usr/sbin/sssd Port <Unknown> Host (removed) Source RPM Packages sssd-1.2.1-15.8.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-33.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Thu 08 Jul 2010 01:22:15 PM EDT Last Seen Thu 08 Jul 2010 01:23:45 PM EDT Local ID 7a4e2fb4-3aa5-45f3-ac6f-759b6e7bae91 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1278609825.383:29760): avc: denied { getattr } for pid=23793 comm="sssd" path="/proc/23793/net/psched" dev=proc ino=4026531940 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1278609825.383:29760): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff9452c610 a2=7fff9452c610 a3=0 items=0 ppid=23792 pid=23793 auid=13041 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="sssd" exe="/usr/sbin/sssd" subj=unconfined_u:system_r:sssd_t:s0 key=(null) Hash String generated from catchall,sssd,sssd_t,proc_net_t,file,getattr audit2allow suggests: #============= sssd_t ============== allow sssd_t proc_net_t:file getattr;
Steve, is sssd going to read this file? /proc/23793/net/psched
This looks like it is in Rawhide. Miroslav add kernel_read_network_state(sssd_t)
Fixed in selinux-policy-3.7.19-38.fc13
selinux-policy-3.7.19-39.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-39.fc13
selinux-policy-3.7.19-39.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.