Bug 672540 - SELinux avc's for /var/lib/sss/pipes/nss
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.8
All Linux
urgent Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: ZStream
Depends On:
Blocks: 712133
Reported: 2011-01-25 08:55 EST by Maxim Burgerhout
Modified: 2012-10-16 07:03 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When the sssd package was configured with an LDAP provider, and the system was configured to use SSSD for fetching identity information and performing authentication, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:18:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Maxim Burgerhout 2011-01-25 08:55:39 EST
Description of problem:
I'm seeing AVCs for restorecond and pickup (Postfix) for 'write' on /var/lib/sss/pipes/nss. It seems sssd's socket is var_lib_t and pickup and restorecond are not allowed to write to it. Why they are trying to write to that socket is beyond me, by the way.

type=AVC msg=audit(1295962798.342:320): avc:  denied  { write } for  pid=4321 comm="restorecond" name="nss" dev=dm-2 ino=1015847 scontext=user_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file

type=AVC msg=audit(1295960808.808:167): avc:  denied  { write } for  pid=3970 comm="pickup" name="nss" dev=dm-2 ino=1015847 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file

Version-Release number of selected component (if applicable):
postfix-2.3.3-2.1.el5
policycoreutils-1.33.12-14.8.el5
sssd-1.2.1-39.el5
selinux-policy-targeted-2.4.6-300.el5

How reproducible:
Always.

Steps to Reproduce:
1. Install sssd (with DOMAIN/LDAP connected to OpenLDAP server over TLS)
2. Configure nsswitch.conf and system-auth to use sssd
Actual results:
AVCs

Expected results:
No AVCs

Additional info:
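As an added, defender-side illustration (not part of the bug report): a small parser for audit AVC records like the two quoted above. It extracts the source and target SELinux types, groups denials by the target inode so that several daemons hitting the same object show up as one root cause, and flags sock_file denials whose target still carries a generic directory label such as var_lib_t, which is the mislabel that the backported sssd policy corrects. The sample lines are the two records from the description; GENERIC_TYPES is an assumed list of labels that indicate no file context rule matched.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1295962798.342:320): avc:  denied  { write } for  pid=4321 comm="restorecond" name="nss" dev=dm-2 ino=1015847 scontext=user_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1295960808.808:167): avc:  denied  { write } for  pid=3970 comm="pickup" name="nss" dev=dm-2 ino=1015847 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed: labels that mean "no specific file context matched this path".
GENERIC_TYPES = {'var_lib_t', 'var_t', 'var_run_t', 'usr_t', 'default_t'}


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def unlabeled_socket_denials(lines):
    """Denials on a sock_file whose target has only a generic label: the
    object is unlabeled because no policy module provides a context for it."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec['result'] == 'denied' and rec.get('tclass') == 'sock_file'
                and rec.get('tcontext_type') in GENERIC_TYPES):
            hits.append(rec)
    return hits


def sources_by_target(lines):
    """Map (dev, ino, name) of each denied object to the set of source types
    that were refused, so one mislabeled file is reported once, not per daemon."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            groups[(rec.get('dev'), rec.get('ino'), rec.get('name'))].add(rec['scontext_type'])
    return dict(groups)
```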
Comment 1 Daniel Walsh 2011-01-25 09:18:04 EST
Looks like we need to back port sssd policy to RHEL5.
Comment 4 Miroslav Grepl 2011-03-02 10:59:59 EST
sssd policy is backported in selinux-policy-2.4.6-302.el5
Comment 8 Miroslav Grepl 2011-03-02 16:58:59 EST
Preview of selinux-policy-2.4.6-302.el5.noarch is available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 12 Tomas Capek 2011-07-15 09:10:30 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When the sssd package was installed with a domain or LDAP service connected to an OpenLDAP server over the TLS (Transport Layer Security) protocol, and the nsswitch.conf and system-auth files were configured to use sssd, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.
Comment 13 Jakub Hrozek 2011-07-15 09:45:53 EDT
(In reply to comment #12)
>     Technical note added. If any revisions are required, please edit the
> "Technical Notes" field
>     accordingly. All revisions will be proofread by the Engineering Content
> Services team.
> 
>     New Contents:
> When the sssd package was installed with a domain or LDAP service connected to
> an OpenLDAP server over the TLS (Transport Layer Security) protocol, and the
> nsswitch.conf and system-auth files were configured to use sssd, SELinux
> blocked access and issued AVC (Access Vector Cache) messages. With this update,
> a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been
> provided, thus fixing this bug.

I don't think the technical note is correct. First, I don't like the "installed with a domain or LDAP service" part, I think it should just say "configured with an LDAP provider". Second, I doubt the problem only occurred with OpenLDAP over TLS, I think it must be seen with any LDAP server.

Also, instead of "nsswitch.conf and system-auth files were configured to use sssd" I'd just say that the system used SSSD for identity and authentication.

I've modified the Technical Notes accordingly. Miroslav, since you did the actual fix, please holler if I'm wrong and I'll revert the changes in that case.
Comment 14 Jakub Hrozek 2011-07-15 09:45:53 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-When the sssd package was installed with a domain or LDAP service connected to an OpenLDAP server over the TLS (Transport Layer Security) protocol, and the nsswitch.conf and system-auth files were configured to use sssd, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.+When the sssd package was configured with an LDAP provider, and the system was configured to use SSSD for fetching identity information and performing authentication, SELinux blocked access and issued AVC (Access Vector Cache) messages. With this update, a backport of the sssd SELinux policy from Red Hat Enterprise Linux 6 has been provided, thus fixing this bug.
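Review bot: The rewritten note in this hunk drops the reproduction specifics as Comment 13 asked, but it still does not name the object that was being denied (the sssd socket /var/lib/sss/pipes/nss, per the description) or the package that carries the fix (selinux-policy-2.4.6-302.el5, per Comment 4); adding one sentence with the socket path and the fixing version would let a reader confirm from the AVC and from rpm whether this is their bug and whether they already have the update.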
Comment 15 errata-xmlrpc 2011-07-21 05:18:43 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 16 errata-xmlrpc 2011-07-21 07:51:56 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html