ehlo,

Root can read anything from any directory even with permissions 000.

However, SELinux also checks discretionary access control (DAC)
and denies access if DAC does not allow it for root.
pam_sss uses a different unix socket, /var/lib/sss/pipes/private/pam,
for the user with uid 0. Therefore root needs to be able to read the content
of the directory with the private pipes.

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

LS
From 1aaede685d2062eee3fac33b08101ae81786a988 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Fri, 19 Aug 2016 10:46:12 +0200
Subject: [PATCH] BUILD: Allow to read private pipes for root

Root can read anything from any directory even with permissions 000.

However, SELinux also checks discretionary access control (DAC)
and denies access if DAC does not allow it for root.
pam_sss uses a different unix socket, /var/lib/sss/pipes/private/pam,
for the user with uid 0. Therefore root needs to be able to read the content
of the directory with the private pipes.

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Resolves:
https://fedorahosted.org/sssd/ticket/3143
---
 Makefile.am          | 8 ++++----
 contrib/sssd.spec.in | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 
8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
     $(DESTDIR)$(keytabdir) \
     $(DESTDIR)$(mcpath) \
     $(DESTDIR)$(pipepath) \
-    $(DESTDIR)$(pipepath)/private \
     $(DESTDIR)$(pubconfpath) \
     $(DESTDIR)$(pubconfpath)/krb5.include.d \
     $(DESTDIR)$(gpocachepath) \
@@ -3979,16 +3978,17 @@ installsssddirs::
     $(DESTDIR)$(sssddatadir) \
     $(DESTDIR)$(sudolibdir) \
     $(DESTDIR)$(autofslibdir) \
+    $(DESTDIR)$(pipepath)/private \
     $(SSSD_USER_DIRS) \
     $(NULL);
 if SSSD_USER
-       -chown $(SSSD_USER):$(SSSD_USER) \
-       $(SSSD_USER_DIRS)
+       -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+       -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
 endif
        $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
-            $(DESTDIR)$(pipepath)/private \
            $(DESTDIR)$(keytabdir) \
            $(NULL)
+       $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
        $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
             $(DESTDIR)$(pubconfpath) \
             $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
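Review bot: The new `-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private` sets only the owner, so the group that mode 0750 grants r-x to is whatever the installing process leaves on the directory, while the contrib/sssd.spec.in hunk pins it to `sssd,root`; making the group explicit, `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private`, keeps the two install paths in agreement and makes visible that the uid 0 / gid 0 caller of the pam socket is meant to pass the DAC check through the group bits rather than through dac_read_search. The chown also runs before the added `$(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private` line; if `$(INSTALL) -d` re-applies default ownership to an already existing directory on some platforms, the chown is undone, so either verify that ordering or pass `-o`/`-g` to that install call inside the `if SSSD_USER` block (the existing SSSD_USER_DIRS handling has the same ordering). Since the `-` prefix silences chown failures, a mis-set group would not surface at install time, which is another reason to state it explicitly. The `installsssddirs::` recipe starts outside the hunk.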
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 
24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660
 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -791,7 +791,7 @@ done
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
 %attr(755,sssd,sssd) %dir %{pubconfpath}
 %attr(755,sssd,sssd) %dir %{gpocachepath}
 %attr(750,sssd,sssd) %dir %{_var}/log/%{name}
-- 
2.9.3
