On (19/03/22 13:26), Brian J. Murrell wrote:
>On Wed, 2022-03-16 at 14:47 +0100, Lukas Slebodnik wrote:
>>
>> Could you share a full report from audit?
>> e.g. ausearch -m AVC
>
>There are lots. One such example, and the first one of a series:
>
>type=PROCTITLE msg=audit(1647710324.067:172072):
>proctitle=7368002D63002F686F6D652F6D6F74696F6E2F6D6F7669655F656E642032002026
>type=SYSCALL msg=audit(1647710324.067:172072): arch=c000003e syscall=257
>success=no exit=-13 a0=ffffff9c a1=5573bf195680 a2=80000 a3=0 items=0
>ppid=967054 pid=3299344 auid=4294967295 uid=982 gid=39 euid=982 suid=982
>fsuid=982 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295 comm="sh"
>exe="/usr/bin/bash" subj=system_u:system_r:motion_t:s0 key=(null)
>type=AVC msg=audit(1647710324.067:172072): avc: denied { search } for
>pid=3299344 comm="sh" name="sss" dev="dm-8" ino=210
>scontext=system_u:system_r:motion_t:s0
>tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
>
Looks like there is not any issue with SELinux labeling for sssd, but the issue is
that motion (scontext=system_u:system_r:motion_t:s0) is not allowed to
communicate with sssd.
Looks like it tries to use nsswitch, which hits sssd due to `sss` being the 1st one in
/etc/passwd.
IIRC it should be allowed by default with the macros `auth_read_passwd` or
`auth_use_nsswitch` in recent versions of Fedora. I am not sure about el8.
I would recommend filing a bug against selinux-policy.
BTW changing the order of modules in /etc/passwd, `sss files` -> `files sss`,
might avoid issues with AVCs.
HTH
LS
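The denial quoted above can be read mechanically. The script below is an added example written for this thread, not code from sssd or from the selinux-policy project: it takes the three audit records of event 172072 (re-joined onto one line each, as auditd writes them), decodes the hex-encoded PROCTITLE, names the syscall and errno from the SYSCALL record, extracts source type, target type, class and permission from the AVC record, prints the TE rule that `audit2allow` would derive from it, and performs the nsswitch.conf reorder suggested in the reply. The syscall table is a partial, x86_64-only lookup written for this example, and the nsswitch sample line is constructed.

```python
"""Decode an SELinux AVC denial (PROCTITLE + SYSCALL + AVC) and draft the follow-ups.

Added example for this thread, not sssd or selinux-policy code.  The
syscall table is a partial x86_64-only lookup written for this example.
"""
import errno
import re

# Constructed sample: the three records of event 172072 quoted in the thread,
# re-joined onto one line each (auditd writes every record on a single line).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1647710324.067:172072): proctitle=7368002D63002F686F6D652F6D6F74696F6E2F6D6F7669655F656E642032002026
type=SYSCALL msg=audit(1647710324.067:172072): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5573bf195680 a2=80000 a3=0 items=0 ppid=967054 pid=3299344 auid=4294967295 uid=982 gid=39 euid=982 suid=982 fsuid=982 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:motion_t:s0 key=(null)
type=AVC msg=audit(1647710324.067:172072): avc:  denied  { search } for  pid=3299344 comm="sh" name="sss" dev="dm-8" ino=210 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
"""

# arch=c000003e is AUDIT_ARCH_X86_64; only a few numbers are listed (partial table).
SYSCALL_NAMES = {"c000003e": {2: "open", 4: "stat", 257: "openat", 262: "newfstatat"}}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_DENIED_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def decode_proctitle(value):
    """argv list from a PROCTITLE value: hex (NUL-separated) when the title has
    spaces or quotes, as here, otherwise a plain quoted string."""
    if value.startswith('"'):
        return value.strip('"').split(" ")
    args = bytes.fromhex(value).split(b"\0")
    if args and args[-1] == b"":  # tolerate a trailing NUL
        args.pop()
    return [a.decode("utf-8", "replace") for a in args]


def parse_fields(record):
    """key=value pairs of one audit record, quoted values unquoted."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}


def parse_event(text):
    """Merge the records of the first audit event in `text` into one dict."""
    event = {"records": []}
    for line in text.splitlines():
        m = _EVENT_RE.search(line)
        if not m:
            continue
        if "serial" in event and event["serial"] != m.group(2):
            break  # a second event starts; only the first one is wanted
        event["time"], event["serial"] = m.group(1), m.group(2)
        f = parse_fields(line)
        event["records"].append(f["type"])
        if f["type"] == "AVC":
            d = _DENIED_RE.search(line)
            event["result"], event["perms"] = d.group(1), d.group(2).split()
            event["source_type"] = f["scontext"].split(":")[2]   # motion_t
            event["target_type"] = f["tcontext"].split(":")[2]   # sssd_var_lib_t
            event["tclass"], event["target_name"] = f["tclass"], f.get("name")
        elif f["type"] == "PROCTITLE":
            event["argv"] = decode_proctitle(f["proctitle"])
        elif f["type"] == "SYSCALL":
            num = int(f["syscall"])
            event["syscall"] = SYSCALL_NAMES.get(f["arch"], {}).get(num, str(num))
            code = -int(f["exit"])  # exit=-13 -> EACCES
            event["errno"] = errno.errorcode.get(code, str(code))
            event["uid"], event["exe"] = int(f["uid"]), f["exe"]
    return event


def allow_rule(event):
    """The TE rule audit2allow derives from this AVC (what a local module would add)."""
    perms = event["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {event['source_type']} {event['target_type']}:{event['tclass']} {perm_text};"


def reorder_nsswitch(text, databases=("passwd", "group")):
    """Move `files` in front of `sss` for the given nsswitch.conf databases
    (the `sss files` -> `files sss` change suggested in the reply)."""
    out = []
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        sources = rest.split()
        if (sep and name.strip() in databases and "sss" in sources
                and "files" in sources and sources.index("sss") < sources.index("files")):
            pad = rest[: len(rest) - len(rest.lstrip())]
            sources.remove("files")
            sources.insert(sources.index("sss"), "files")
            line = f"{name}:{pad}{' '.join(sources)}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    ev = parse_event(SAMPLE_AUDIT)
    print(f"{ev['source_type']} ({ev['exe']}, uid {ev['uid']}) denied {ev['perms']} on "
          f"{ev['tclass']} {ev['target_name']!r} ({ev['target_type']}) in {ev['syscall']}: {ev['errno']}")
    print("argv:", ev["argv"])
    print("audit2allow would emit:", allow_rule(ev))
    print(reorder_nsswitch("passwd:     sss files systemd\n"), end="")  # constructed sample line
```

Two caveats worth keeping in mind when acting on the output. Installing the derived `allow motion_t sssd_var_lib_t:dir search;` as a local module (`audit2allow -M` + `semodule -i`) silences this AVC but permanently widens motion_t, and later denials on the socket itself would need further rules; the policy-level fix the reply points at (the `auth_use_nsswitch` interface in selinux-policy) is the one that should be filed. The nsswitch reorder is a workaround rather than a fix: it helps only for lookups that `files` can answer, which is why it fits this case, since the denied process runs as uid 982, a system account normally present in /etc/passwd, so with `files` first glibc never touches /var/lib/sss for it.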
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure