List: sssd-users
Subject: [SSSD-users] p11_child selinux woes
From: "Winberg, Adam" <adam.winberg () smhi ! se>
Date: 2017-10-20 11:59:00
Message-ID: CAHSGfp+8igiOvZ80YEK4F9zQEyzquwqoUFxC_iWcOGUYnG6mOQ () mail ! gmail ! com
I'm running tests using sssd for smartcard auth as a pam_pkcs11
replacement. I've gotten it to work, but am getting a _lot_ of selinux
denials.
It seems that p11_child inherits the sssd selinux context and therefore
runs in the 'sssd_t' domain. This causes problems since p11_child seems to
want access to a whole lot of stuff. Some examples:
SELinux is preventing /usr/libexec/sssd/p11_child from search access on the
directory fs.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /dev/hugepages.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /proc/fs/nfsd.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /boot.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /home.
SELinux is preventing /usr/libexec/sssd/p11_child from search access on the
directory /var/lib/nfs.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /.
SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
the file /run/user/60483/ffiSOUzGu (deleted).
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /sys/fs/fuse/connections.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /dev.
SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
the file /dev/shm/ffi8thWCx (deleted).
SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
the file /run/ffi24njzA (deleted).
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /sys/kernel/config.
SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
directory /sys/fs/selinux.
A sealert output:
SELinux is preventing /usr/libexec/sssd/p11_child from search access on the
directory .config.
***** Plugin catchall (100. confidence) suggests
**************************
If you believe that p11_child should be allowed search access on the
.config directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
# semodule -i my-p11child.pp
Additional Information:
Source Context system_u:system_r:sssd_t:s0
Target Context unconfined_u:object_r:config_home_t:s0
Target Objects .config [ dir ]
Source p11_child
Source Path /usr/libexec/sssd/p11_child
Port <Unknown>
Host c21226.ad.smhi.se
Source RPM Packages sssd-krb5-common-1.15.2-50.el7_4.6.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name c21226.ad.smhi.se
Platform Linux c21226.ad.smhi.se
3.10.0-693.5.2.el7.x86_64
#1 SMP Fri Oct 13 10:46:25 EDT 2017 x86_64
x86_64
Alert Count 29
First Seen 2017-10-20 08:14:10 CEST
Last Seen 2017-10-20 13:21:38 CEST
Local ID 17d70bbe-a54d-47c3-8515-985d6646a93f
Raw Audit Messages
type=AVC msg=audit(1508498498.877:13286): avc: denied { search } for
pid=29036 comm="krb5_child" name=".config" dev="sda2" ino=16782181
scontext=system_u:system_r:sssd_t:s0
tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1508498498.877:13286): arch=x86_64 syscall=openat
success=no exit=EACCES a0=ffffffffffffff9c a1=56536c43c350 a2=90800 a3=0
items=0 ppid=20098 pid=29036 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=krb5_child
exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
Hash: p11_child,sssd_t,config_home_t,dir,search
What's with all the accesses, is that normal? And if so, how's that supposed
to work while running in the 'sssd_t' context?
Regards
Adam
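A triage helper for denials like the ones above, added here and not part of Adam's post or of SSSD: it parses `ausearch --raw` AVC records into the (source type, target type, class, permissions) groups that audit2allow would turn into allow rules, and separates out the execute-on-file and write-to-directory denials that should not go into a local module without a closer look. The sample input is constructed from the two records quoted in the alert plus one assumed AVC for the /dev/shm execute denial (its tcontext and inode are invented).

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch --raw` form: the AVC/SYSCALL pair quoted in
# the post, plus one AVC modelled on the "execute access on /dev/shm/ffi...
# (deleted)" alert (its tcontext and inode are assumed, not from the post).
SAMPLE_RAW = """\
type=AVC msg=audit(1508498498.877:13286): avc:  denied  { search } for  pid=29036 comm="krb5_child" name=".config" dev="sda2" ino=16782181 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1508498498.877:13286): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=56536c43c350 a2=90800 a3=0 items=0 ppid=20098 pid=29036 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1508498500.100:13290): avc:  denied  { execute } for  pid=29040 comm="p11_child" path="/dev/shm/ffi8thWCx (deleted)" dev="tmpfs" ino=42 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # The type is the third field of a context (user:role:type:level).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(raw):
    """(source type, target type, class) -> sorted permissions: the allow
    rules audit2allow would generate from these denials."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, raw.splitlines())):
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def needs_review(raw):
    """Denials a local module should not blindly allow: execute on a file or
    write to a directory, neither of which a PKCS#11 helper should need."""
    return [(rec["comm"], rec["tclass"], rec.get("path") or rec.get("name"))
            for rec in filter(None, map(parse_avc, raw.splitlines()))
            if {"execute", "write"} & set(rec["perms"])]

if __name__ == "__main__":
    for (s, t, c), perms in summarize(SAMPLE_RAW).items():
        print(f"allow {s} {t}:{c} {{ {' '.join(perms)} }};")
    for item in needs_review(SAMPLE_RAW):
        print("review before allowing:", item)
```

Note that the raw AVC quoted in the alert carries comm="krb5_child" and exe=/usr/libexec/sssd/krb5_child even though sealert attributes it to p11_child, so group on the raw comm/exe fields rather than on the alert title. The ffi-prefixed deleted files are consistent with libffi's closure fallback of writing an executable temp file when anonymous executable memory is refused, which is worth confirming before granting execute on tmpfs objects.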
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org