Hi Stephen,

On Thu, Jan 3, 2013 at 2:41 PM, Stephen Gallagher <[email protected]> wrote:

> On Thu 03 Jan 2013 08:29:45 AM EST, Marco Pizzoli wrote:
>
>> Hi guys,
>> I'm having a problem with SELinux on my RHEL6.3 box with SSSD. I write
>> it here cause I imagine you are the best to understand where the
>> problem is :-)
>> Scenario:
>> OpenLDAP server -> Pass-Through  Authentication by using CyrusSASL
>> configured to leverage PAM -> PAM configured to leverage SSSD
>> Problem: in Enforcing mode I cannot get authentication, in Permissive
>> mode yes.
>> The error I'm facing in my /var/log/audit/audit.log is:
>> type=AVC msg=audit(1357215410.532:82682): avc:  denied  { connectto }
>> for  pid=11638 comm="saslauthd" path="/var/lib/sss/pipes/private/pam"
>> scontext=unconfined_u:system_r:saslauthd_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=unix_stream_socket
>> type=SYSCALL msg=audit(1357215410.532:82682): arch=c000003e syscall=42
>> success=no exit=-13 a0=8 a1=7fff7c1c7440 a2=6e a3=0 items=0 ppid=11635
>> pid=11638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=5055 comm="saslauthd" exe="/usr/sbin/saslauthd"
>> subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
>> type=USER_AUTH msg=audit(1357215410.532:82683): user pid=11638 uid=0
>> auid=0 ses=5055 subj=unconfined_u:system_r:saslauthd_t:s0
>> msg='op=PAM:authentication acct="pippo" exe="/usr/sbin/saslauthd"
>> hostname=? addr=? terminal=? res=failed'
>> Do you think it's a bug with the selinux-policy distributed with RHEL6.3?
>> Is there any sebool I have to toggle to be able to make saslauthd
>> connect to the sssd-pam socket?
>> Thanks in advance as usual!
>> Marco
>>
>>
> Marco, are you using the version of SSSD that shipped with RHEL 6.3?


Yes, I am.


> If so, please file this as an issue at access.redhat.com and it will get
> fixed in the SELinux policy.


Ok, I just checked this with you first.


> If you're using a custom newer version of SSSD, then you will probably
> need to manually add SELinux rules. In that case, you should probably also
> open an issue at access.redhat.com as they will be able to help you
> figure out what needs to change in the policy.
>
> Also, it might not hurt to try out the SELinux policy from the RHEL 6.4
> beta in case that fixes it for you.
>

I'm going to check with my line if we can proceed this way. In case, I'll
let you know.
Thanks for your prompt response.
Marco




_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
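
Added example, not part of the original thread and not code from SSSD or the SELinux policy: a short Python parser that reads the AVC and SYSCALL records quoted in the message and derives the type-enforcement rule the denial corresponds to, in the form `audit2allow` prints, together with the errno the failed call returned. The function names are illustrative, and the SYSCALL record is shortened to the fields used.

```python
import errno
import re

# The AVC and SYSCALL records quoted in the message, with the "**" archive
# debris removed. syscall=42 on arch=c000003e (x86_64) is connect().
AUDIT_LINES = [
    'type=AVC msg=audit(1357215410.532:82682): avc:  denied  { connectto } '
    'for  pid=11638 comm="saslauthd" path="/var/lib/sss/pipes/private/pam" '
    'scontext=unconfined_u:system_r:saslauthd_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1357215410.532:82682): arch=c000003e syscall=42 '
    'success=no exit=-13 comm="saslauthd" exe="/usr/sbin/saslauthd"',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
EVENT_RE = re.compile(r'msg=audit\((?P<event>[\d.]+:\d+)\)')

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def te_rule(avc_line):
    """Build the type-enforcement allow rule that matches one AVC denial."""
    m = AVC_RE.search(avc_line)
    if m is None:
        raise ValueError('not an AVC denial record')
    perms = m.group('perms').split()
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(se_type(m.group('scontext')),
        se_type(m.group('tcontext')), m.group('tclass'), perm_text)

def correlate(lines):
    """Group records by audit event id and pair each denial with its errno."""
    events = {}
    for line in lines:
        event = EVENT_RE.search(line).group('event')
        rec = events.setdefault(event, {})
        if line.startswith('type=AVC'):
            rec['rule'] = te_rule(line)
        elif line.startswith('type=SYSCALL'):
            code = int(re.search(r'exit=(-?\d+)', line).group(1))
            rec['errno'] = errno.errorcode.get(-code, str(code))
    return events

if __name__ == '__main__':
    print(correlate(AUDIT_LINES))
```

The target type in this denial is `unconfined_t`, not an SSSD-specific type, so a local module containing the derived rule would let `saslauthd_t` connect to the stream sockets of every unconfined process, not only the SSSD PAM pipe.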
