Description of problem:
I'm seeing AVCs for restorecond and pickup (Postfix) for 'write' on /var/lib/sss/pipes/nss. It seems sssd's socket is var_lib_t and pickup and restorecond are not allowed to write to it. Why they are trying to write to that socket is beyond me, by the way.

type=AVC msg=audit(1295962798.342:320): avc: denied { write } for pid=4321 comm="restorecond" name="nss" dev=dm-2 ino=1015847 scontext=user_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1295960808.808:167): avc: denied { write } for pid=3970 comm="pickup" name="nss" dev=dm-2 ino=1015847 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file

Version-Release number of selected component (if applicable):
postfix-2.3.3-2.1.el5
policycoreutils-1.33.12-14.8.el5
sssd-1.2.1-39.el5
selinux-policy-targeted-2.4.6-300.el5

How reproducible:
Always.

Steps to Reproduce:
1. Install sssd (with DOMAIN/LDAP connected to OpenLDAP server over TLS)
2. Configure nsswitch.conf and system-auth to use sssd
3.

Actual results:
AVCs

Expected results:
No AVCs

Additional info:
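A small triage helper, added here as an example and not part of the bug report or of any Red Hat tooling, that parses the two AVC records quoted above (plus one constructed, unrelated denial) and groups the denials by target inode. It encodes the reasoning in the report: when two unrelated domains (postfix_pickup_t and restorecond_t) are denied the same permission on one object that carries a generic label such as var_lib_t, the likely fix is the object's file context rather than extra rules for each source domain. The set of "generic" types and the hint names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the bug report plus one
# made-up, unrelated denial so the triage logic has something to leave alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1295962798.342:320): avc: denied { write } for pid=4321 comm="restorecond" name="nss" dev=dm-2 ino=1015847 scontext=user_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1295960808.808:167): avc: denied { write } for pid=3970 comm="pickup" name="nss" dev=dm-2 ino=1015847 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1295960900.000:170): avc: denied { read } for pid=4000 comm="httpd" name="index.html" dev=dm-2 ino=2000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Matches the fixed prefix of a type=AVC record; whitespace is flexible because
# real audit.log lines carry double spaces that copy/paste often collapses.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: these are directory-level "catch-all" labels rather than a daemon's
# own type. A daemon socket carrying one of them usually means the loaded policy
# has no file context for that path, not that the source domain needs more rules.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "var_run_t", "tmp_t"}


def parse_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (MLS ranges)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["source"] = parse_context(rec["scontext"])
    rec["target"] = parse_context(rec["tcontext"])
    return rec


def triage(audit_text):
    """Group denials by (dev, ino) and flag objects that look mislabeled: more than
    one source domain denied access to a target carrying only generic labels."""
    by_object = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            by_object[(rec.get("dev"), rec.get("ino"))].append(rec)
    findings = []
    for (dev, ino), recs in by_object.items():
        sources = sorted({r["source"]["type"] for r in recs})
        target_types = sorted({r["target"]["type"] for r in recs})
        perms = sorted({p for r in recs for p in r["perms"]})
        finding = {
            "object": f"{dev}:{ino}",
            "name": recs[0].get("name"),
            "tclass": recs[0].get("tclass"),
            "target_types": target_types,
            "sources": sources,
            "perms": perms,
        }
        if len(sources) > 1 and set(target_types) <= GENERIC_TARGET_TYPES:
            finding["hint"] = "MISLABELED_TARGET"   # fix the file context, then restorecon
        else:
            finding["hint"] = "CHECK_SOURCE_POLICY"  # look at the source domain's rules
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"{f['object']} name={f['name']} class={f['tclass']} "
              f"labels={f['target_types']} sources={f['sources']} "
              f"perms={f['perms']} -> {f['hint']}")
```

Run as a script it reports the embedded sample; on a real host feed it the output of `ausearch -m AVC` or the raw /var/log/audit/audit.log. A MISLABELED_TARGET finding is the cue to compare the live label with what the policy expects (`matchpathcon /var/lib/sss/pipes/nss`) and to relabel with `restorecon` once a policy carrying the right file context is installed, which is what the backported sssd policy in this bug provides.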
Looks like we need to back port sssd policy to RHEL5.
sssd policy is backported in selinux-policy-2.4.6-302.el5
Preview of selinux-policy-2.4.6-302.el5.noarch is available on http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When the sssd package was installed with a domain or LDAP service connected to an OpenLDAP server over the TLS (Transport Layer Security) protocol, and the nsswitch.conf and system-auth files were configured to use sssd, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.
(In reply to comment #12)
> Technical note added. If any revisions are required, please edit the
> "Technical Notes" field
> accordingly. All revisions will be proofread by the Engineering Content
> Services team.
>
> New Contents:
> When the sssd package was installed with a domain or LDAP service connected to
> an OpenLDAP server over the TLS (Transport Layer Security) protocol, and the
> nsswitch.conf and system-auth files were configured to use sssd, SELinux
> blocked access and issued AVC (Access Vector Cache) messages. With this update,
> a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been
> provided, thus fixing this bug.

I don't think the technical note is correct. First, I don't like the "installed with a domain or LDAP service" part, I think it should just say "configured with an LDAP provider". Second, I doubt the problem only occurred with OpenLDAP over TLS, I think it must be seen with any LDAP server. Also, instead of "nsswitch.conf and system-auth files were configured to use sssd" I'd just say that the system used SSSD for identity and authentication. I've modified the Technical Notes accordingly. Miroslav, since you did the actual fix, please holler if I'm wrong and I'll revert the changes in that case.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -When the sssd package was installed with a domain or LDAP service connected to an OpenLDAP server over the TLS (Transport Layer Security) protocol, and the nsswitch.conf and system-auth files were configured to use sssd, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.+When the sssd package was configured with an LDAP provider, and the system was configured to use SSSD for fetching identity information and performing authentication, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.
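Review bot: The revised "+" text still does not say which access was denied, so the note is hard to match against an administrator's own audit log. The AVCs in the report are 'write' denials on the sssd NSS socket /var/lib/sss/pipes/nss (tclass=sock_file, labeled var_lib_t) from postfix_pickup_t and restorecond_t. Suggest naming the object and its label, e.g. "SELinux denied other confined domains write access to the SSSD NSS socket under /var/lib/sss/pipes, which was labeled var_lib_t, and issued AVC (Access Vector Cache) messages."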
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html