Bug 795142 - /etc/sssd/sssd.conf incorrectly labeled after install, prevents sssd from running
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 17
Hardware/OS: All
Priority: unspecified
Severity: high
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-02-19 12:44 EST by Orion Poplawski
Modified: 2012-02-21 18:01 EST
Last Closed: 2012-02-21 18:01:02 EST
Doc Type: Bug Fix
Attachments: None
Description Orion Poplawski 2012-02-19 12:44:57 EST
Description of problem:

Installed with 17 Alpha RC2 plus updates-testing.  After install, /etc/sssd/sssd.conf was labeled etc_runtime_t rather than etc_t.

Not sure who is responsible for making sure it is labeled correctly.

Version-Release number of selected component (if applicable):
anaconda 17.8
selinux-policy-3.10.0-89.fc17.noarch
authconfig-6.2.1-1.fc17.x86_64
Comment 1 Orion Poplawski 2012-02-19 12:53:09 EST
Also this:

type=AVC msg=audit(1329673383.656:90): avc:  denied  { getattr } for  pid=732 comm="sssd_be" path="/etc/openldap/cacerts/authconfig_downloaded.pem" dev="vda2" ino=560080 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Comment 2 Brian Lane 2012-02-20 20:05:04 EST
anaconda doesn't create this file so selinux-policy is likely responsible.
Comment 3 Miroslav Grepl 2012-02-21 06:52:57 EST
Orion,
is only this file mislabeled?
Comment 4 Daniel Walsh 2012-02-21 08:29:49 EST
sssd.conf must be being created during first boot?  We should allow sssd to read etc_runtime_t
Comment 5 Daniel Walsh 2012-02-21 08:35:23 EST
Steve do you know how this file gets created at install time?
Comment 6 Stephen Gallagher 2012-02-21 08:39:18 EST
In recent Fedoras we don't install this as part of the RPM any longer. (The example file we'd been previously shipping was very old and wrong and people misconstrued its presence for an actual SSSD configuration). It's always created either manually or by authconfig.

In the description above, I'd say that it sounds like Orion used authconfig during the 'firstboot' process (clicking on the "Use network authentication" button).

So this is probably an issue in authconfig policy, not SSSD policy.
Comment 7 Daniel Walsh 2012-02-21 09:06:21 EST
That still is strange, though.  authconfig would run as unconfined_t or firstboot_t which should not be creating etc_runtime_t files.

sesearch -T -t etc_t -c file | grep etc_runtime_t
   type_transition apcupsd_t etc_t : file etc_runtime_t; 
   type_transition bootloader_t etc_t : file etc_runtime_t; 
   type_transition initrc_t etc_t : file etc_runtime_t; 
   type_transition kdumpgui_t etc_t : file etc_runtime_t; 
   type_transition fsadm_t etc_t : file etc_runtime_t; 
   type_transition mount_t etc_t : file etc_runtime_t; 
   type_transition keyboardd_t etc_t : file etc_runtime_t; 
   type_transition smbmount_t etc_t : file etc_runtime_t; 
   type_transition init_t etc_t : file etc_runtime_t; 
   type_transition xend_t etc_t : file etc_runtime_t; 
   type_transition sosreport_t etc_t : file etc_runtime_t; 
   type_transition nut_upsmon_t etc_t : file etc_runtime_t; 

These are the only domains that create etc_runtime_t,  I would suspect that something is running as initrc_t.  And I agree it is probably authconfig.
Comment 8 Daniel Walsh 2012-02-21 09:15:16 EST
Orion was this machine installed when systemd was working incorrectly?  IE you could only boot in permissive mode to login?
Comment 9 Orion Poplawski 2012-02-21 10:46:12 EST
The file is being created by authconfig at the end of the kickstart install (just before %post I think).  /etc/sssd/sssd.conf and /etc/openldap/cacerts/authconfig_downloaded.pem (also created by authconfig) were mislabeled.  A:

# restorecon -r -v /etc /var

turns up a few more:

restorecon reset /etc/mail/access.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/mailertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/aliasesdb-stamp context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/virtusertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/domaintable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/smolt/hw-uuid context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/system_facts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/login.defs context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/lib/texmf/web2c/metapost/mpost.mem context system_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:tetex_data_t:s0
(lots more tex files omitted)

The etc_runtime_t files were created in %post, and the tex file created during rpm %post at install.  Not sure about the /etc/mail files.
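As an added example (not part of this bug report or of any Fedora tool), the script below does the triage step the thread performs by hand: it parses the AVC denial from Comment 1 and `restorecon -r -v` output like that in Comment 9, then checks whether each denial is explained by a file carrying a label restorecon wants to change rather than by a genuine policy gap. The restorecon lines for sssd.conf and the downloaded .pem are constructed from Orion's description; the other lines are copied from Comment 9 (note /etc/machine-id goes the other way, from etc_t to etc_runtime_t, which is a legitimate label).

```python
import re
from collections import defaultdict

# Sample input: the AVC line from Comment 1 of this report.
AVC_LOG = """\
type=AVC msg=audit(1329673383.656:90): avc:  denied  { getattr } for  pid=732 comm="sssd_be" path="/etc/openldap/cacerts/authconfig_downloaded.pem" dev="vda2" ino=560080 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""
# Sample 'restorecon -r -v' output: first two lines constructed, rest from Comment 9.
RESTORECON_OUT = """\
restorecon reset /etc/openldap/cacerts/authconfig_downloaded.pem context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sssd/sssd.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/login.defs context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?comm="(?P<comm>[^"]*)"'
                    r'(?: path="(?P<path>[^"]*)")?.*?scontext=(?P<scon>\S+) '
                    r'tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
RESET_RE = re.compile(r'^restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$')

def selinux_type(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    return context.split(':')[2]

def parse_avc(text):
    """Extract the fields of each 'avc: denied' record into a dict."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d['perms'] = d['perms'].split()
            denials.append(d)
    return denials

def parse_restorecon(text):
    """Map path -> (type currently on disk, type the policy expects)."""
    fixes = {}
    for line in text.splitlines():
        m = RESET_RE.match(line)
        if m:
            fixes[m['path']] = (selinux_type(m['old']), selinux_type(m['new']))
    return fixes

def explain_denials(denials, fixes):
    """Tag each denial 'mislabel' when its target type is what restorecon would fix, else 'policy'."""
    report = []
    for d in denials:
        path, tgt = d.get('path'), selinux_type(d['tcon'])
        if path in fixes and fixes[path][0] == tgt:
            report.append((path, tgt, fixes[path][1], 'mislabel'))
        else:
            report.append((path, tgt, None, 'policy'))
    return report

def mislabel_summary(fixes):
    """Group paths by (wrong type -> correct type) so one transition rule is easy to spot."""
    groups = defaultdict(list)
    for path, (cur, exp) in fixes.items():
        groups[(cur, exp)].append(path)
    return dict(groups)
```

Denials tagged 'policy' are the ones worth an allow rule or a bug against selinux-policy; 'mislabel' entries point at whatever created the file (here authconfig in %post), as Comment 7's sesearch query does from the policy side.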
Comment 10 Orion Poplawski 2012-02-21 10:46:47 EST
I did not have a problem with systemd at install.
Comment 11 Orion Poplawski 2012-02-21 18:01:02 EST
Just installed with Alpha RC4 and the files seem labeled properly.