This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 833230 - sssd unable to create pipes and read files with selinux enforcing
sssd unable to create pipes and read files with selinux enforcing
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
unspecified Severity high
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2012-06-18 20:15 EDT by lance dillon
Modified: 2012-06-19 09:23 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-19 09:23:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description lance dillon 2012-06-18 20:15:45 EDT
Description of problem:
sssd unable to create pipes under /var/lib/sss/pipes, or read krb5 cache file in /tmp

Version-Release number of selected component (if applicable):

How reproducible:
install ipa-client, or service sssd start/restart
Comment 1 lance dillon 2012-06-18 20:18:14 EDT
The following policy file solved the problem for me:

policy_module(sq_sssd, 1.3)

require {
    type sssd_t;
    type sssd_var_lib_t;
    type tmp_t;
    class lnk_file { read write create };
    class file { getattr read };

#============= sssd_t ==============
allow sssd_t sssd_var_lib_t:lnk_file { create read write };
allow sssd_t tmp_t:file { getattr read };

This of course could probably be shortened with macros.
Comment 2 Milos Malik 2012-06-19 02:39:51 EDT
Which version of selinux-policy packages is installed on your machine?
Comment 3 lance dillon 2012-06-19 07:49:58 EDT
Comment 4 lance dillon 2012-06-19 07:54:32 EDT
Just had an additional entry in audit.log, audit2allow reported this:

#============= sssd_t ==============
allow sssd_t tmp_t:file { read lock getattr unlink };
Comment 5 Stephen Gallagher 2012-06-19 08:33:47 EDT
Please include the original AVCs that you were seeing as well.
Comment 6 lance dillon 2012-06-19 09:21:06 EDT
Upon further investigation and discussion on #sssd, it appears that selinux-policy may have been updated after sssd was started, so the policy wasn't applied yet.  I'm not encountering the problem currently, can't seem to reproduce (I've tried on a couple of different systems), so I'm going to close this, if I can.

Note You need to log in before you can comment on or make changes to this bug.