Bug 867002 - SELinux is preventing /usr/sbin/sshd from read access on the file /var/lib/sss/mc/passwd
Summary: SELinux is preventing /usr/sbin/sshd from read access on the file /var/lib/ss...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-16 14:09 UTC by Kaushik Banerjee
Modified: 2013-02-21 08:31 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-173.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:31:31 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0314 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-02-20 20:35:01 UTC

Description Kaushik Banerjee 2012-10-16 14:09:07 UTC
Description of problem:
SELinux is preventing /usr/sbin/sshd from read access on the file /var/lib/sss/mc/passwd

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-169.el6

How reproducible:
Always

Steps to Reproduce:
1. Setup sssd to perform a auth.
2. Try to auth as a user. Auth succeeds, but AVC appears.
  
Actual results:
On performing a auth, audit.log shows:

type=SYSCALL msg=audit(1350289695.662:350): arch=c000003e syscall=2 success=no exit=-13 a0=7ffa6e552b10 a1=80000 a2=0 a3=17 items=0 ppid=5510 pid=20718 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1350289695.662:350): avc:  denied  { read } for  pid=20718 comm="sshd" name="passwd" dev=dm-0 ino=1713209 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sssd_var_lib_t:s0 tclass=file

Expected results:
AVC should not appear on performing a auth.

Additional info:
The following steps solves the issue:
# semanage fcontext -a -t sssd_public_t "/var/lib/sss/mc(/.*)?"
# restorecon -R -v /var/lib/sss/mc/

Comment 2 Miroslav Grepl 2012-10-17 11:26:10 UTC
We need to backport fixes from Fedora.

Comment 6 errata-xmlrpc 2013-02-21 08:31:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html


Note You need to log in before you can comment on or make changes to this bug.