indeed I have the p11-kit modules in my nssdb, that makes sense. Thanks!

//Adam

2017-10-20 16:26 GMT+02:00 Sumit Bose <[email protected]>:

> On Fri, Oct 20, 2017 at 01:59:00PM +0200, Winberg, Adam wrote:
> > I'm running tests with using sssd for smartcard auth as an pam_pkcs11
> > replacement. I've gotten it to work, but am getting a _lot_ of selinux
> > denials.
> >
> > It seems that p11_child inherits the sssd selinux context and therefore
> > runs in the 'sssd_t' domain. This causes problems since p11_child seems
> to
> > want access to a whole lot of stuff. Some examples:
> >
> > SELinux is preventing /usr/libexec/sssd/p11_child from search access on
> the
> > directory fs.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /dev/hugepages.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /proc/fs/nfsd.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /boot.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /home.
> > SELinux is preventing /usr/libexec/sssd/p11_child from search access on
> the
> > directory /var/lib/nfs.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /.
> > SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
> > the file /run/user/60483/ffiSOUzGu (deleted).
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /sys/fs/fuse/connections.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /dev.
> > SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
> > the file /dev/shm/ffi8thWCx (deleted).
> > SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
> > the file /run/ffi24njzA (deleted).
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /sys/kernel/config.
> > SELinux is preventing /usr/libexec/sssd/p11_child from write access on
> the
> > directory /sys/fs/selinux.
>
> The p11_child code itself does not try to open anything it completely
> depends on NSS to access the Smartcard. From you previous question it
> looks like you have added the p11-kit modules to /etc/pki/nssdb. I would
> expect that this is trying to access the file system.
>
>
> HTH
>
> bye,
> Sumit
>
> >
> >
> > An Sealert output:
> >
> > SELinux is preventing /usr/libexec/sssd/p11_child from search access on
> the
> > directory .config.
> >
> > *****  Plugin catchall (100. confidence) suggests
> >  **************************
> >
> > If you believe that p11_child should be allowed search access on the
> > .config directory by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
> > # semodule -i my-p11child.pp
> >
> >
> > Additional Information:
> > Source Context                system_u:system_r:sssd_t:s0
> > Target Context                unconfined_u:object_r:config_home_t:s0
> > Target Objects                .config [ dir ]
> > Source                        p11_child
> > Source Path                   /usr/libexec/sssd/p11_child
> > Port                          <Unknown>
> > Host                          c21226.ad.smhi.se
> > Source RPM Packages           sssd-krb5-common-1.15.2-50.el7_4.6.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Host Name                     c21226.ad.smhi.se
> > Platform                      Linux c21226.ad.smhi.se
> > 3.10.0-693.5.2.el7.x86_64
> >                               #1 SMP Fri Oct 13 10:46:25 EDT 2017 x86_64
> > x86_64
> > Alert Count                   29
> > First Seen                    2017-10-20 08:14:10 CEST
> > Last Seen                     2017-10-20 13:21:38 CEST
> > Local ID                      17d70bbe-a54d-47c3-8515-985d6646a93f
> >
> > Raw Audit Messages
> > type=AVC msg=audit(1508498498.877:13286): avc:  denied  { search } for
> > pid=29036 comm="krb5_child" name=".config" dev="sda2" ino=16782181
> > scontext=system_u:system_r:sssd_t:s0
> > tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir
> >
> >
> > type=SYSCALL msg=audit(1508498498.877:13286): arch=x86_64 syscall=openat
> > success=no exit=EACCES a0=ffffffffffffff9c a1=56536c43c350 a2=90800 a3=0
> > items=0 ppid=20098 pid=29036 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=krb5_child
> > exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0
> key=(null)
> >
> > Hash: p11_child,sssd_t,config_home_t,dir,search
> >
> >
> >
> > Whats with all the acceses, is that normal? And if so, how's that suppose
> > to work while running in the 'sssd_t' context?
> >
> >
> > Regards
> > Adam
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to