URL: https://github.com/SSSD/sssd/pull/94 Title: #94: Enable {socket,dbus}-activation for responders
lslebodn commented:
"""
On (12/12/16 03:40), Jakub Hrozek wrote:
>1. There were some SELinux denials on my test VM, but granted, I run F-24
>there. We need to make sure that no SELinux AVC denials are present in Fedora
>later.
>

This is expected because responders are started directly by systemd and not by
the sssd daemon, and these binaries have a different SELinux file context.
```
sh# matchpathcon /usr/sbin/sssd /usr/libexec/sssd/sssd_*
/usr/sbin/sssd  system_u:object_r:sssd_exec_t:s0
/usr/libexec/sssd/sssd_autofs   system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_be       system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_ifp      system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_nss      system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_pac      system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_pam      system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_secrets  system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_ssh      system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_sudo     system_u:object_r:bin_t:s0
```

For testing purposes it should be enough to manually change the file context,
e.g.
```
sh# chcon system_u:object_r:sssd_exec_t:s0 /usr/libexec/sssd/sssd_nss
```

But I am not sure whether the sssd daemon will be able to exec executables with
a changed context (the old method of starting responders).

Anyway, selinux-policy will need to be updated.

LS
"""

See the full comment at https://github.com/SSSD/sssd/pull/94#issuecomment-266423210
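Added example (not part of the original comment and not SSSD project code): a shell check that reads `matchpathcon`-style output and lists every binary whose SELinux type differs from `sssd_exec_t`, which is the mismatch the comment points to. The function names are hypothetical, and the sample input is a subset of the output quoted above.

```shell
#!/bin/sh
# Added example, not SSSD code. Function names are hypothetical.
# Type the comment suggests for binaries that systemd starts directly.
EXPECTED_TYPE="sssd_exec_t"

# Sample input: a subset of the matchpathcon output quoted in the comment.
sample_matchpathcon() {
cat <<'EOF'
/usr/sbin/sssd               system_u:object_r:sssd_exec_t:s0
/usr/libexec/sssd/sssd_be    system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_nss   system_u:object_r:bin_t:s0
/usr/libexec/sssd/sssd_pam   system_u:object_r:bin_t:s0
EOF
}

# Read "path context" lines on stdin and print "path type" for each entry
# whose type (third field of user:role:type:level) is not $1.
# Entries without a full context (for example "<<none>>") are reported too.
mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            n = split($2, ctx, ":")
            if (n < 3) { print $1 " (unparsable context: " $2 ")"; next }
            if (ctx[3] != want) print $1 " " ctx[3]
        }'
}

# Number of flagged entries on stdin, usable as a packaging or CI gate.
mislabeled_count() {
    mislabeled "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the sample; on a real host, pipe in
#   matchpathcon /usr/sbin/sssd /usr/libexec/sssd/sssd_*
sample_matchpathcon | mislabeled "$EXPECTED_TYPE"
```

`matchpathcon` reports the label the loaded policy would assign, so after a manual `chcon` test compare against the on-disk label shown by `ls -Z` instead.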
