I am getting some SELinux AVC alerts for a given process in a given domain that 
seems to want to be able to read files in /var/lib/sss/.

strace(1)ing the (unprivileged) process, it seems to want to do the following:

4024612 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

and

4024612 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 EACCES (Permission denied)

in /var/lib/sss/, which as you can see SELinux is currently denying.  But 
nothing about the running of the process seems to be amiss despite these EPERMs.

Ultimately I am just trying to gauge the potential issues with following the 
least-privilege principle and setting these to ignore rather than allow.  I.e. 
what might not be functioning correctly (even though they appear to be from all 
outward appearances) if these EPERMs continue instead of being allowed.

Any ideas why this process would want to access those paths, and what the 
problem might be with denying it?

Cheers,
b.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

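The choice the question raises, silencing the denials (dontaudit) versus permitting them (allow), comes down to which rule you put in a local policy module. The script below is an added example, not part of the original post or of SSSD: it takes raw AVC records of the kind `ausearch -m AVC` prints, collapses them into (source type, target type, class) -> permissions, and emits a minimal type-enforcement module in either mode. The AVC lines are constructed to mirror the two strace calls above; the process domain `myapp_t` and comm `myapp` are hypothetical, and the object types `sssd_public_t`, `sssd_var_lib_t` and `sssd_t` are assumed to be the labels the reference policy puts on /var/lib/sss/mc, /var/lib/sss/pipes and the sssd daemon.

```python
"""Build a dontaudit (ignore) or allow SELinux module from raw AVC records.

Added example; not from the original mailing-list post or from SSSD.
"""
import re
from collections import defaultdict

# Constructed sample: what the auditd log might show for the two strace calls.
# myapp_t / "myapp" are hypothetical; the tcontext types are assumed labels.
SAMPLE_AVCS = """\
type=AVC msg=audit(1700000000.123:4567): avc:  denied  { read } for  pid=4024612 comm="myapp" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.123:4568): avc:  denied  { open } for  pid=4024612 comm="myapp" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:4569): avc:  denied  { write } for  pid=4024612 comm="myapp" name="nss" dev="dm-0" ino=5678 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.124:4570): avc:  denied  { connectto } for  pid=4024612 comm="myapp" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=0
"""

# Pull the permission set, both contexts and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avcs(text):
    """Collapse AVC records into {(source_type, target_type, tclass): {perms}}."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, ...), skip it
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def build_module(denials, name, mode="dontaudit"):
    """Render a .te module. mode='dontaudit' keeps denying but stops logging;
    mode='allow' actually grants the access."""
    if mode not in ("dontaudit", "allow"):
        raise ValueError("mode must be 'dontaudit' or 'allow'")
    types = set()
    classes = defaultdict(set)
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        types.update((src, tgt))
        classes[cls].update(perms)
        rules.append(f"{mode} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AVCS)
    print(build_module(denials, "myapp_sssd_ignore", "dontaudit"))
    print(build_module(denials, "myapp_sssd_allow", "allow"))
```

On a real host `ausearch -m AVC -ts recent | audit2allow -D -M myapp_sssd_ignore` produces the same kind of dontaudit module; the .te text from the script is compiled with `checkmodule -M -m -o x.mod x.te`, packaged with `semodule_package -o x.pp -m x.mod` and loaded with `semodule -i x.pp`. Two caveats a practitioner should keep in mind: a dontaudit rule only suppresses the log entry, the access stays denied, so anything the process does through nss_sss from that domain keeps failing exactly as in the strace output; and once the rule is in place you will not see those denials again until you run `semodule -DB` to temporarily disable all dontaudit rules.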