Description of problem:
The fix for https://bugzilla.redhat.com/show_bug.cgi?id=743841 included creating a symlink to a dbus socket in the /var/lib/sss/pipes/private directory. However, the selinux-policy must be tweaked in order to allow SSSD to manage symlinks there.

This BZ is a dependency of https://bugzilla.redhat.com/show_bug.cgi?id=743841

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-117.el6

How reproducible:
always

Steps to Reproduce:
1. install RHEL6.2 candidate SSSD (sssd-1.5.1-56 or newer)
2. service sssd start
3.

Actual results:
AVC denials

Expected results:
no AVC denials

Additional info:
Code-wise, we do:
* symlink
* stat
* readlink
* unlink

symlink, readlink and unlink on the symlink are only called from sssd_be now; stat is done from the other sssd processes as well.
type=AVC msg=audit(1318596215.810:92920): avc: denied { create } for pid=19521 comm="sssd_be" name="sbus-dp_AD" scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1318597994.204:92998): avc: denied { read } for pid=19521 comm="sssd_be" name="sbus-dp_AD" dev=dm-0 ino=1833784 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1318597994.204:92999): avc: denied { unlink } for pid=19521 comm="sssd_be" name="sbus-dp_AD" dev=dm-0 ino=1833784 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1318596216.167:92921): avc: denied { read } for pid=19522 comm="sssd_nss" name="sbus-dp_AD" dev=dm-0 ino=1833784 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
*** Bug 746665 has been marked as a duplicate of this bug. ***
Ok, I will fix it in this case.
Fixed in selinux-policy-3.7.19-118.el6.noarch

# sesearch -A -s sssd_t -t sssd_var_lib_t -c lnk_file
Found 1 semantic av rules:
   allow sssd_t sssd_var_lib_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
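Tying the two halves of this bug together (the AVC denials in the description and the sesearch output in the fix comment), here is an added shell example that is not code from the bug report, from SSSD or from the selinux-policy package. It derives the audit2allow-style allow rule that the four quoted denials ask for, then checks that rule against the line sesearch prints for the fixed policy, so a reader can confirm the -118 policy covers create, read and unlink on sssd_var_lib_t:lnk_file. The function names avc_to_allow and policy_covers are my own; the input strings are copied from this bug, and the script is plain text processing that needs no SELinux tooling to run.

```shell
#!/bin/sh
# Added example (not from the bug report, SSSD or selinux-policy):
# turn raw AVC denial lines into audit2allow-style "allow" rules and
# check them against a rule as printed by sesearch. On a real RHEL 6
# host the equivalent one-liner is:
#   ausearch -m avc -c sssd_be | audit2allow -M sssd_local

# The four denials quoted in this bug (copied, not constructed).
AVC_SAMPLE='type=AVC msg=audit(1318596215.810:92920): avc: denied { create } for pid=19521 comm="sssd_be" name="sbus-dp_AD" scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1318597994.204:92998): avc: denied { read } for pid=19521 comm="sssd_be" name="sbus-dp_AD" dev=dm-0 ino=1833784 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1318597994.204:92999): avc: denied { unlink } for pid=19521 comm="sssd_be" name="sbus-dp_AD" dev=dm-0 ino=1833784 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1318596216.167:92921): avc: denied { read } for pid=19522 comm="sssd_nss" name="sbus-dp_AD" dev=dm-0 ino=1833784 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=lnk_file'

# The rule the fixed policy grants, as shown by sesearch in this bug.
SESEARCH_FIXED='allow sssd_t sssd_var_lib_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;'

# avc_to_allow: read AVC lines on stdin; print one allow rule per
# (source type, target type, class) carrying the union of the denied
# permissions, in order of first appearance. Duplicate denials
# (the second "read" above) collapse into one permission.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied [{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*/, "", perms)          # ... up to the closing "}"
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:TYPE:level; the type is field 3
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        np = split(perms, pa, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, pa[j]) in have)) {
                have[key, pa[j]] = 1
                plist[key] = plist[key] (plist[key] == "" ? "" : " ") pa[j]
            }
        }
    }
    END {
        for (k = 1; k <= n; k++)
            print "allow " keys[k] " { " plist[keys[k]] " };"
    }
    '
}

# policy_covers REQUIRED_RULE GRANTED_RULE: print the permissions that
# appear in the first rule but not in the second and return 1; print
# nothing and return 0 when the granted rule covers every one of them.
policy_covers() {
    req=$(printf '%s\n' "$1" | sed 's/.*[{] *//; s/ *[}].*//')
    got=$(printf '%s\n' "$2" | sed 's/.*[{] *//; s/ *[}].*//')
    missing=""
    for p in $req; do
        case " $got " in
            *" $p "*) ;;
            *) missing="$missing${missing:+ }$p" ;;
        esac
    done
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Stand-alone run: show the derived rule and whether -118 satisfies it.
needed=$(printf '%s\n' "$AVC_SAMPLE" | avc_to_allow)
printf 'required: %s\n' "$needed"
if policy_covers "$needed" "$SESEARCH_FIXED"; then
    echo "fixed policy covers every denied permission"
fi
```

The derived rule is `allow sssd_t sssd_var_lib_t:lnk_file { create read unlink };`, which is a strict subset of what the -118 rule grants, so the check passes. Running the same function against an older policy line that grants only `read` would print `create unlink`, which is exactly what sssd_be still needs for the symlink it creates and removes. The shipped policy grants more than the minimum (write, rename, link and so on); that is a choice of the policy maintainers, not something the AVC log asks for, and a local module built from denials alone would stay narrower.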
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html