Hi,

What OS are you running on your system?
What is the output of `cat /etc/nsswitch.conf | grep passwd` on your system? Do you use SSSD on purpose?

On Tue, Mar 15, 2022 at 7:45 PM Brian J. Murrell <[email protected]> wrote:

> I am getting some SELinux AVC alerts for a given process in a given domain
> that seems to want to be able to read files in /var/lib/sss/.
>
> strace(1)ing the (unprivileged) process it seems to want to do the
> following:
>
> 4024612 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
>
> and
>
> 4024612 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 EACCES (Permission denied)
>
> in /var/lib/sss/ which as you can see SELinux is currently denying. But
> nothing about the running of the process seems to be amiss despite these
> EPERMs.
>
> Ultimately I am just trying to gauge the potential issues with following
> the least-privilege principle and setting these to ignore rather than
> allow. I.e. what might not be functioning correctly (even though they
> appear to be from all outward appearances) if these EPERMs continue instead
> of being allowed.
>
> Any ideas why this process would be wanting to access those paths and why
> and what the problem might be with denying it?
>
> Cheers,
> b.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
