Re: [CentOS] selinux prohibiting sssd usage

2011-08-11 Thread John Hodrien
On Thu, 11 Aug 2011, Michael Gliwinski wrote:

> On Wednesday 10 Aug 2011 18:59:14 Paul Heinlein wrote:
>> Oddly, when using sssd+ldap, getent without a specific key won't
>> return ldap account information, but with a key it will. That is,
>> "getent passwd" will return only accounts in the local /etc/passwd
>> database, but "getent passwd bob" will return ldap-supplied
>> information about user bob.
>
> That is normal unless you have 'enumerate = true' for the LDAP domain in the SSSD
> config file.  Note that the SSSD manual warns that this may be slow for large
> installations (personally I haven't had a problem with it yet but only have <
> 200 posix users).

I can confirm that with tens of thousands it's cripplingly slow.

jh
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] selinux prohibiting sssd usage

2011-08-11 Thread Michael Gliwinski
On Wednesday 10 Aug 2011 18:59:14 Paul Heinlein wrote:
> Oddly, when using sssd+ldap, getent without a specific key won't 
> return ldap account information, but with a key it will. That is, 
> "getent passwd" will return only accounts in the local /etc/passwd 
> database, but "getent passwd bob" will return ldap-supplied 
> information about user bob.

That is normal unless you have 'enumerate = true' for the LDAP domain in the SSSD 
config file.  Note that the SSSD manual warns that this may be slow for large 
installations (personally I haven't had a problem with it yet but only have < 
200 posix users).


-- 
Michael Gliwinski
Henderson Group Information Services
9-11 Hightown Avenue, Newtownabby, BT36 4RT
Phone: 028 9034 3319



Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Daniel J Walsh

On 08/10/2011 02:24 PM, Paul Heinlein wrote:
> On Wed, 10 Aug 2011, Daniel J Walsh wrote:
> 
>> I am adding the allow rule to allow httpd_git_script_t to resolve 
>> usernames to Fedora and Rhel policies.
> 
> Thanks, Dan! I'm a big fan of the work you've done integrating RHEL
> and SELinux, and improving SELinux in general.
> 
> Do you have a diff or policy fragment I can use until your changes 
> appear in CentOS?
> 
auth_use_nsswitch(httpd_git_script_t)

Is what I am adding to 6.2 policy.

This will show up in selinux-policy-3.7.19-107.el6 when we build it
later this week.

You can always grab the latest policy for the upcoming release at

http://people.redhat.com/dwalsh/SELinux/RHEL6

selinux-policy-3.7.19-106.el6 is out there now.


Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Paul Heinlein
On Wed, 10 Aug 2011, Daniel J Walsh wrote:

> I am adding the allow rule to allow httpd_git_script_t to resolve
> usernames to Fedora and Rhel policies.

Thanks, Dan! I'm a big fan of the work you've done integrating RHEL 
and SELinux, and improving SELinux in general.

Do you have a diff or policy fragment I can use until your changes 
appear in CentOS?

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Daniel J Walsh

On 08/10/2011 01:59 PM, Paul Heinlein wrote:
> On Wed, 10 Aug 2011, david wrote:
> 
>> At 09:32 AM 8/10/2011, you wrote:
>>> Part of the environment is gitweb, which works as expected with
>>> one glitch: SELinux doesn't allow gitweb.cgi to query sssd to
>>> display who owns the repositories. []
>> 
>> Paul
>> 
>> I've just spent three days trying to figure out why SSH worked 
>> sometimes, sometimes not.  Just minutes before your note arrived, I
>>  figured I had to disable SELINUX, and now it works just fine.
>> Your note confirmed that there's a link there.
> 
> I haven't had any trouble with ssh. I'll note that the system in 
> question gets user account information from ldap.
> 
> Oddly, when using sssd+ldap, getent without a specific key won't 
> return ldap account information, but with a key it will. That is, 
> "getent passwd" will return only accounts in the local /etc/passwd 
> database, but "getent passwd bob" will return ldap-supplied 
> information about user bob.
> 
I am adding the allow rule to allow httpd_git_script_t to resolve
usernames to Fedora and Rhel policies.


Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Paul Heinlein
On Wed, 10 Aug 2011, david wrote:

> At 09:32 AM 8/10/2011, you wrote:
>> Part of the environment is gitweb, which works as expected with one 
>> glitch: SELinux doesn't allow gitweb.cgi to query sssd to display 
>> who owns the repositories. []
>
> Paul
>
> I've just spent three days trying to figure out why SSH worked 
> sometimes, sometimes not.  Just minutes before your note arrived, I 
> figured I had to disable SELINUX, and now it works just fine.  Your 
> note confirmed that there's a link there.

I haven't had any trouble with ssh. I'll note that the system in 
question gets user account information from ldap.

Oddly, when using sssd+ldap, getent without a specific key won't 
return ldap account information, but with a key it will. That is, 
"getent passwd" will return only accounts in the local /etc/passwd 
database, but "getent passwd bob" will return ldap-supplied 
information about user bob.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Paul Heinlein
On Wed, 10 Aug 2011, Adam Wead wrote:

> I can't think of any booleans off-hand, but you might try moving the 
> location of the gitweb.cgi to a folder where SELinux expects cgi 
> executables to be, such as /var/www.  Then if you relabel, it might 
> put it in the correct security context to fix the error.  This is 
> how I solve about 90% of my SELinux problems... just moving the 
> files to the right location.

There's a whole httpd_git_* slew of labels in CentOS 6 -- and I'm 
using the stock gitweb RPM -- so I'd rather fix it as-is so package 
updates have fewer special instructions down the road.

> Systems and Digital Collections Librarian
> Rock and Roll Hall of Fame and Museum

Hands-down, the coolest job title I've seen on the centos mailing 
list!

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread david
At 09:32 AM 8/10/2011, you wrote:
>I've got a CentOS 6 machine that's slated to go into production
>providing some web and development-repository services.
>
>Part of the environment is gitweb, which works as expected with one
>glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
>owns the repositories.
>
>The audit log entries are pretty straightforward, e.g.,
>
>type=AVC msg=audit(): avc:  denied { search } for
>pid= comm="gitweb.cgi" name="sss" dev=XXX ino=XXX
>scontext=unconfined_u:system_r:httpd_git_script_t:s0
>tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
>
>I'll use audit2allow to build a custom policy if need be, but what I'd
>really like to hear is that there's an SELinux boolean that can be
>tweaked or a file context that can be altered to make things work as
>expected.
>
>--
>Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Paul

I've just spent three days trying to figure out why SSH worked 
sometimes, sometimes not.  Just minutes before your note arrived, I 
figured I had to disable SELINUX, and now it works just fine.  Your 
note confirmed that there's a link there.

David Kurn



Re: [CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Adam Wead
I can't think of any booleans off-hand, but you might try moving the
location of the gitweb.cgi to a folder where SELinux expects cgi executables
to be, such as /var/www.  Then if you relabel, it might put it in the
correct security context to fix the error.  This is how I solve about 90% of
my SELinux problems... just moving the files to the right location.

Adam Wead
Systems and Digital Collections Librarian
Rock and Roll Hall of Fame and Museum
216.515.1960 (t)
215.515.1964 (f)


On Wed, Aug 10, 2011 at 12:32 PM, Paul Heinlein  wrote:

> I've got a CentOS 6 machine that's slated to go into production
> providing some web and development-repository services.
>
> Part of the environment is gitweb, which works as expected with one
> glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
> owns the repositories.
>
> The audit log entries are pretty straightforward, e.g.,
>
> type=AVC msg=audit(): avc:  denied { search } for
> pid= comm="gitweb.cgi" name="sss" dev=XXX ino=XXX
> scontext=unconfined_u:system_r:httpd_git_script_t:s0
> tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
>
> I'll use audit2allow to build a custom policy if need be, but what I'd
> really like to hear is that there's an SELinux boolean that can be
> tweaked or a file context that can be altered to make things work as
> expected.
>
> --
> Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


[CentOS] selinux prohibiting sssd usage

2011-08-10 Thread Paul Heinlein
I've got a CentOS 6 machine that's slated to go into production 
providing some web and development-repository services.

Part of the environment is gitweb, which works as expected with one 
glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who 
owns the repositories.

The audit log entries are pretty straightforward, e.g.,

type=AVC msg=audit(): avc:  denied { search } for 
pid= comm="gitweb.cgi" name="sss" dev=XXX ino=XXX 
scontext=unconfined_u:system_r:httpd_git_script_t:s0 
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

I'll use audit2allow to build a custom policy if need be, but what I'd 
really like to hear is that there's an SELinux boolean that can be 
tweaked or a file context that can be altered to make things work as 
expected.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
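As an added example (not code from the thread or from the selinux-policy project), a small Python parser run over constructed audit.log lines modelled on the AVC in Paul's post: it picks out the denials where a confined domain is blocked from reaching sssd, the case Dan Walsh's auth_use_nsswitch() interface covers, and leaves unrelated httpd denials alone. The set of sssd-owned types and the sample pid/dev/ino values are my assumptions.

```python
import re

# Constructed sample audit.log lines (not from the thread): the first mirrors
# the AVC in Paul's post with made-up pid/dev/ino, the second is unrelated.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1312997000.123:42): avc:  denied  { search } for  '
    'pid=1234 comm="gitweb.cgi" name="sss" dev=dm-0 ino=9999 '
    'scontext=unconfined_u:system_r:httpd_git_script_t:s0 '
    'tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1312997001.456:43): avc:  denied  { write } for  '
    'pid=1235 comm="httpd" name="index.html" dev=dm-0 ino=8888 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of sssd-owned target types: a denial against one of these means
# the confined domain is being blocked from name-service (NSS) lookups.
SSSD_TYPES = {"sssd_var_lib_t", "sssd_t", "sssd_public_t"}

def parse_avc(line):
    """Return the AVC's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["perms"] = m.group("perms").split()
    fields["stype"] = fields["scontext"].split(":")[2]  # source domain type
    fields["ttype"] = fields["tcontext"].split(":")[2]  # target object type
    return fields

def sssd_lookup_denials(audit_text):
    """List (source type, comm, perms) for each AVC that blocks access to sssd."""
    hits = []
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if f and f["ttype"] in SSSD_TYPES:
            hits.append((f["stype"], f["comm"], f["perms"]))
    return hits

def suggested_interface(stype):
    """The refpolicy interface Dan Walsh applied; one line in a local .te module
    grants the NSS/sssd access set as a whole, where audit2allow would only
    whitelist the single denied permission seen in the log."""
    return "auth_use_nsswitch(%s)" % stype

if __name__ == "__main__":
    for stype, comm, perms in sssd_lookup_denials(SAMPLE_AUDIT):
        print(comm, stype, perms, "->", suggested_interface(stype))
```

Feed it `ausearch -m avc` output instead of SAMPLE_AUDIT to triage a real box; anything it does not flag still needs the usual audit2allow review rather than a blanket allow.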