Bug 795142 - /etc/sssd/sssd.conf incorrectly labeled after install, prevents sssd from running
Summary: /etc/sssd/sssd.conf incorrectly labeled after install, prevents sssd from running
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 17
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-02-19 17:44 UTC by Orion Poplawski
Modified: 2012-02-21 23:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-21 23:01:02 UTC
Type: ---
Embargoed:



Description Orion Poplawski 2012-02-19 17:44:57 UTC
Description of problem:

Installed with 17 Alpha RC2 plus updates-testing.  After install, /etc/sssd/sssd.conf was labeled etc_runtime_t rather than etc_t.

Not sure who is responsible for making sure it is labeled correctly.

Version-Release number of selected component (if applicable):
anaconda 17.8
selinux-policy-3.10.0-89.fc17.noarch
authconfig-6.2.1-1.fc17.x86_64

Comment 1 Orion Poplawski 2012-02-19 17:53:09 UTC
Also this:

type=AVC msg=audit(1329673383.656:90): avc:  denied  { getattr } for  pid=732 comm="sssd_be" path="/etc/openldap/cacerts/authconfig_downloaded.pem" dev="vda2" ino=560080 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Comment 2 Brian Lane 2012-02-21 01:05:04 UTC
anaconda doesn't create this file so selinux-policy is likely responsible.

Comment 3 Miroslav Grepl 2012-02-21 11:52:57 UTC
Orion,
is only this file mislabeled?

Comment 4 Daniel Walsh 2012-02-21 13:29:49 UTC
sssd.conf must be being created during first boot?  We should allow sssd to read etc_runtime_t

Comment 5 Daniel Walsh 2012-02-21 13:35:23 UTC
Steve do you know how this file gets created at install time?

Comment 6 Stephen Gallagher 2012-02-21 13:39:18 UTC
In recent Fedoras we don't install this as part of the RPM any longer. (The example file we'd been previously shipping was very old and wrong and people misconstrued its presence for an actual SSSD configuration). It's always created either manually or by authconfig.

In the description above, I'd say that it sounds like Orion used authconfig during the 'firstboot' process (clicking on the "Use network authentication" button).

So this is probably an issue in authconfig policy, not SSSD policy.

Comment 7 Daniel Walsh 2012-02-21 14:06:21 UTC
That still is strange, though.  authconfig would run as unconfined_t or firstboot_t which should not be creating etc_runtime_t files.

sesearch -T -t etc_t -c file | grep etc_runtime_t
   type_transition apcupsd_t etc_t : file etc_runtime_t; 
   type_transition bootloader_t etc_t : file etc_runtime_t; 
   type_transition initrc_t etc_t : file etc_runtime_t; 
   type_transition kdumpgui_t etc_t : file etc_runtime_t; 
   type_transition fsadm_t etc_t : file etc_runtime_t; 
   type_transition mount_t etc_t : file etc_runtime_t; 
   type_transition keyboardd_t etc_t : file etc_runtime_t; 
   type_transition smbmount_t etc_t : file etc_runtime_t; 
   type_transition init_t etc_t : file etc_runtime_t; 
   type_transition xend_t etc_t : file etc_runtime_t; 
   type_transition sosreport_t etc_t : file etc_runtime_t; 
   type_transition nut_upsmon_t etc_t : file etc_runtime_t; 

These are the only domains that create etc_runtime_t. I would suspect that something is running as initrc_t.  And I agree it is probably authconfig.

Comment 8 Daniel Walsh 2012-02-21 14:15:16 UTC
Orion, was this machine installed when systemd was working incorrectly? I.e. you could only boot in permissive mode to log in?

Comment 9 Orion Poplawski 2012-02-21 15:46:12 UTC
The file is being created by authconfig at the end of the kickstart install (just before %post I think).  /etc/sssd/sssd.conf and /etc/openldap/cacerts/authconfig_downloaded.pem (also created by authconfig) were mislabeled.  A:

# restorecon -r -v /etc /var

turns up a few more:

restorecon reset /etc/mail/access.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/mailertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/aliasesdb-stamp context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/virtusertable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/mail/domaintable.db context system_u:object_r:etc_aliases_t:s0->system_u:object_r:etc_mail_t:s0
restorecon reset /etc/smolt/hw-uuid context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/system_facts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/login.defs context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/lib/texmf/web2c/metapost/mpost.mem context system_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:tetex_data_t:s0
(lots more tex files omitted)

The etc_runtime_t files were created in %post, and the tex files were created during rpm %post at install.  Not sure about the /etc/mail files.

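The triage done by hand across Comment 1 (the AVC denial), Comment 7 (the sesearch type_transition list) and Comment 9 (the restorecon -v output) can be automated. The following script is an added example, not part of the bug report or of any Fedora tool: it parses the three text formats as they appear in this bug, takes the target type from the denial (etc_runtime_t), lists which domains could have created files of that type via type_transition, and splits the restorecon output into files that carried that type wrongly versus files that are supposed to carry it (such as /etc/machine-id). The sample inputs are constructed, copied in shape from the lines posted above.

```python
"""Cross-reference an AVC denial, sesearch type_transition rules and
restorecon -v output to triage an SELinux mislabeling report.

Added example; the regexes are this script's own, not from audit or
policycoreutils.  Sample inputs below are constructed from the shapes
posted in the bug.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the `sesearch -T -t etc_t -c file` output.
SESEARCH_OUTPUT = """\
   type_transition apcupsd_t etc_t : file etc_runtime_t;
   type_transition initrc_t etc_t : file etc_runtime_t;
   type_transition init_t etc_t : file etc_runtime_t;
   type_transition mount_t etc_t : file etc_runtime_t;
"""

# Constructed sample: the AVC record from Comment 1.
AVC_LINE = (
    'type=AVC msg=audit(1329673383.656:90): avc:  denied  { getattr } for  '
    'pid=732 comm="sssd_be" path="/etc/openldap/cacerts/authconfig_downloaded.pem" '
    'dev="vda2" ino=560080 scontext=system_u:system_r:sssd_t:s0 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'
)

# Constructed sample: a subset of the `restorecon -r -v /etc /var` output.
RESTORECON_OUTPUT = """\
restorecon reset /etc/smolt/hw-uuid context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/machine-id context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/login.defs context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
"""

TRANSITION_RE = re.compile(
    r'type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+(?P<new>\w+)\s*;')
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?path="(?P<path>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')
RESTORECON_RE = re.compile(
    r'restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_transitions(text):
    """Map each created file type to the set of source domains that produce it."""
    creators = defaultdict(set)
    for m in TRANSITION_RE.finditer(text):
        if m.group('cls') == 'file':
            creators[m.group('new')].add(m.group('src'))
    return creators


def parse_avc(line):
    """Extract the fields of one AVC denial record; None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['source_type'] = context_type(d['scontext'])
    d['target_type'] = context_type(d['tcontext'])
    return d


def parse_restorecon(text):
    """Return (path, old_type, new_type) for every file restorecon would relabel."""
    return [(m.group('path'), context_type(m.group('old')), context_type(m.group('new')))
            for m in RESTORECON_RE.finditer(text)]


def triage(avc_line, sesearch_text, restorecon_text):
    """Tie the denied file's type back to possible creators and to the relabel list."""
    avc = parse_avc(avc_line)
    creators = parse_transitions(sesearch_text)
    relabels = parse_restorecon(restorecon_text)
    bad = avc['target_type']
    return {
        'denied': (avc['comm'], avc['path'], bad),
        'possible_creators': sorted(creators.get(bad, ())),
        # Files that wrongly carried the type and that restorecon fixes.
        'files_with_that_type': sorted(p for p, old, new in relabels if old == bad),
        # Files whose correct label *is* that type; a relabel there is expected.
        'legitimately_that_type': sorted(p for p, old, new in relabels if new == bad),
    }


if __name__ == '__main__':
    for key, value in triage(AVC_LINE, SESEARCH_OUTPUT, RESTORECON_OUTPUT).items():
        print(f'{key}: {value}')
```

The point of the last two lists is the one Comment 9 makes implicitly: a restorecon run can relabel in both directions, so a file moving *to* etc_runtime_t (/etc/machine-id) is not evidence of the same defect as files moving *away* from it.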
Comment 10 Orion Poplawski 2012-02-21 15:46:47 UTC
I did not have a problem with systemd at install.

Comment 11 Orion Poplawski 2012-02-21 23:01:02 UTC
Just installed with Alpha RC4 and the files seem labeled properly.

