indeed I have the p11-kit modules in my nssdb, that makes sense. Thanks! //Adam
2017-10-20 16:26 GMT+02:00 Sumit Bose <[email protected]>: > On Fri, Oct 20, 2017 at 01:59:00PM +0200, Winberg, Adam wrote: > > I'm running tests with using sssd for smartcard auth as an pam_pkcs11 > > replacement. I've gotten it to work, but am getting a _lot_ of selinux > > denials. > > > > It seems that p11_child inherits the sssd selinux context and therefore > > runs in the 'sssd_t' domain. This causes problems since p11_child seems > to > > want access to a whole lot of stuff. Some examples: > > > > SELinux is preventing /usr/libexec/sssd/p11_child from search access on > the > > directory fs. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /dev/hugepages. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /proc/fs/nfsd. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /boot. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /home. > > SELinux is preventing /usr/libexec/sssd/p11_child from search access on > the > > directory /var/lib/nfs. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /. > > SELinux is preventing /usr/libexec/sssd/p11_child from execute access on > > the file /run/user/60483/ffiSOUzGu (deleted). > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /sys/fs/fuse/connections. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /dev. > > SELinux is preventing /usr/libexec/sssd/p11_child from execute access on > > the file /dev/shm/ffi8thWCx (deleted). > > SELinux is preventing /usr/libexec/sssd/p11_child from execute access on > > the file /run/ffi24njzA (deleted). > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /sys/kernel/config. > > SELinux is preventing /usr/libexec/sssd/p11_child from write access on > the > > directory /sys/fs/selinux. > > The p11_child code itself does not try to open anything it completely > depends on NSS to access the Smartcard. From you previous question it > looks like you have added the p11-kit modules to /etc/pki/nssdb. I would > expect that this is trying to access the file system. > > > HTH > > bye, > Sumit > > > > > > > An Sealert output: > > > > SELinux is preventing /usr/libexec/sssd/p11_child from search access on > the > > directory .config. > > > > ***** Plugin catchall (100. confidence) suggests > > ************************** > > > > If you believe that p11_child should be allowed search access on the > > .config directory by default. > > Then you should report this as a bug. > > You can generate a local policy module to allow this access. > > Do > > allow this access for now by executing: > > # ausearch -c 'p11_child' --raw | audit2allow -M my-p11child > > # semodule -i my-p11child.pp > > > > > > Additional Information: > > Source Context system_u:system_r:sssd_t:s0 > > Target Context unconfined_u:object_r:config_home_t:s0 > > Target Objects .config [ dir ] > > Source p11_child > > Source Path /usr/libexec/sssd/p11_child > > Port <Unknown> > > Host c21226.ad.smhi.se > > Source RPM Packages sssd-krb5-common-1.15.2-50.el7_4.6.x86_64 > > Target RPM Packages > > Policy RPM selinux-policy-3.13.1-166.el7_4.5.noarch > > Selinux Enabled True > > Policy Type targeted > > Enforcing Mode Enforcing > > Host Name c21226.ad.smhi.se > > Platform Linux c21226.ad.smhi.se > > 3.10.0-693.5.2.el7.x86_64 > > #1 SMP Fri Oct 13 10:46:25 EDT 2017 x86_64 > > x86_64 > > Alert Count 29 > > First Seen 2017-10-20 08:14:10 CEST > > Last Seen 2017-10-20 13:21:38 CEST > > Local ID 17d70bbe-a54d-47c3-8515-985d6646a93f > > > > Raw Audit Messages > > type=AVC msg=audit(1508498498.877:13286): avc: denied { search } for > > pid=29036 comm="krb5_child" name=".config" dev="sda2" ino=16782181 > > scontext=system_u:system_r:sssd_t:s0 > > tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir > > > > > > type=SYSCALL msg=audit(1508498498.877:13286): arch=x86_64 syscall=openat > > success=no exit=EACCES a0=ffffffffffffff9c a1=56536c43c350 a2=90800 a3=0 > > items=0 ppid=20098 pid=29036 auid=4294967295 uid=0 gid=0 euid=0 suid=0 > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=krb5_child > > exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 > key=(null) > > > > Hash: p11_child,sssd_t,config_home_t,dir,search > > > > > > > > Whats with all the acceses, is that normal? And if so, how's that suppose > > to work while running in the 'sssd_t' context? > > > > > > Regards > > Adam > > > _______________________________________________ > > sssd-users mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
