On Fri, Oct 20, 2017 at 01:59:00PM +0200, Winberg, Adam wrote:
> I'm running tests with using sssd for smartcard auth as an pam_pkcs11
> replacement. I've gotten it to work, but am getting a _lot_ of selinux
> denials.
> 
> It seems that p11_child inherits the sssd selinux context and therefore
> runs in the 'sssd_t' domain. This causes problems since p11_child seems to
> want access to a whole lot of stuff. Some examples:
> 
> SELinux is preventing /usr/libexec/sssd/p11_child from search access on the
> directory fs.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /dev/hugepages.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /proc/fs/nfsd.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /boot.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /home.
> SELinux is preventing /usr/libexec/sssd/p11_child from search access on the
> directory /var/lib/nfs.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /.
> SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
> the file /run/user/60483/ffiSOUzGu (deleted).
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /sys/fs/fuse/connections.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /dev.
> SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
> the file /dev/shm/ffi8thWCx (deleted).
> SELinux is preventing /usr/libexec/sssd/p11_child from execute access on
> the file /run/ffi24njzA (deleted).
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /sys/kernel/config.
> SELinux is preventing /usr/libexec/sssd/p11_child from write access on the
> directory /sys/fs/selinux.

The p11_child code itself does not try to open anything; it completely
depends on NSS to access the smartcard. From your previous question it
looks like you have added the p11-kit modules to /etc/pki/nssdb. I would
expect that this is trying to access the file system.


HTH

bye,
Sumit

> 
> 
> A sealert output:
> 
> SELinux is preventing /usr/libexec/sssd/p11_child from search access on the
> directory .config.
> 
> *****  Plugin catchall (100. confidence) suggests   **************************
> 
> If you believe that p11_child should be allowed search access on the
> .config directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
> # semodule -i my-p11child.pp
> 
> 
> Additional Information:
> Source Context                system_u:system_r:sssd_t:s0
> Target Context                unconfined_u:object_r:config_home_t:s0
> Target Objects                .config [ dir ]
> Source                        p11_child
> Source Path                   /usr/libexec/sssd/p11_child
> Port                          <Unknown>
> Host                          c21226.ad.smhi.se
> Source RPM Packages           sssd-krb5-common-1.15.2-50.el7_4.6.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     c21226.ad.smhi.se
> Platform                      Linux c21226.ad.smhi.se 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13 10:46:25 EDT 2017 x86_64 x86_64
> Alert Count                   29
> First Seen                    2017-10-20 08:14:10 CEST
> Last Seen                     2017-10-20 13:21:38 CEST
> Local ID                      17d70bbe-a54d-47c3-8515-985d6646a93f
> 
> Raw Audit Messages
> type=AVC msg=audit(1508498498.877:13286): avc:  denied  { search } for
> pid=29036 comm="krb5_child" name=".config" dev="sda2" ino=16782181
> scontext=system_u:system_r:sssd_t:s0
> tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir
> 
> 
> type=SYSCALL msg=audit(1508498498.877:13286): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=56536c43c350 a2=90800 a3=0
> items=0 ppid=20098 pid=29036 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=krb5_child
> exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
> 
> Hash: p11_child,sssd_t,config_home_t,dir,search
> 
> 
> 
> What's with all the accesses, is that normal? And if so, how's that supposed
> to work while running in the 'sssd_t' context?
> 
> 
> Regards
> Adam

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
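An added example, not code from the thread or from SSSD, showing how to triage AVC records like the ones above before running the `ausearch | audit2allow -M` / `semodule -i` step that sealert suggests. It parses raw `type=AVC` lines, groups them by helper process (`comm=`), source type, target type, object class and permission, and renders the `allow` rules such a local module would contain so they can be reviewed rather than installed blindly. The sample audit text is constructed: the first two records are the AVC/SYSCALL pair quoted in the report re-joined onto single lines; the other two are made-up records standing in for the "write access on the directory /dev" and "execute access on the file /dev/shm/ffi... (deleted)" summaries, with the target types `device_t` and `tmpfs_t` assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit text (see lead-in). The first two lines reproduce the
# record quoted in the thread; the last two are invented and their target types
# (device_t, tmpfs_t) are assumptions, not values taken from the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1508498498.877:13286): avc:  denied  { search } for pid=29036 comm="krb5_child" name=".config" dev="sda2" ino=16782181 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1508498498.877:13286): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=56536c43c350 a2=90800 a3=0 items=0 ppid=20098 pid=29036 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=krb5_child exe=/usr/libexec/sssd/krb5_child subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1508498500.101:13290): avc:  denied  { write } for pid=29040 comm="p11_child" name="dev" dev="devtmpfs" ino=1 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=AVC msg=audit(1508498500.102:13291): avc:  denied  { execute } for pid=29040 comm="p11_child" path="/dev/shm/ffi8thWCx (deleted)" dev="tmpfs" ino=42 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for key=value ..." ; only AVC records match.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; quoted values may contain spaces, e.g. path="... (deleted)".
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        # Files usually carry path=, directories name=; keep whichever exists.
        'target': fields.get('path') or fields.get('name'),
        'stype': fields['scontext'].split(':')[2],   # e.g. sssd_t
        'ttype': fields['tcontext'].split(':')[2],   # e.g. config_home_t
        'tclass': fields['tclass'],
    }


def summarize(audit_text):
    """Collapse raw AVC records into one row per (comm, stype, ttype, class, perms).

    Returns (counts, targets): how often each combination was denied and
    which concrete objects were involved, so a reviewer sees what a single
    allow rule would actually cover.
    """
    counts = Counter()
    targets = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], rec['perms'])
        counts[key] += 1
        targets[key].add(rec['target'])
    return counts, targets


def helpers_seen(counts):
    """Which helper binaries (comm=) actually triggered the denials."""
    return sorted({comm for (comm, *_rest) in counts})


def proposed_rules(counts):
    """Render the allow rules a local module built from these denials would
    contain. The comm= field is dropped because SELinux rules are per domain,
    which is exactly why every sssd helper sharing sssd_t is affected."""
    return sorted({
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (_comm, stype, ttype, tclass, perms) in counts
    })


def rules_needing_review(counts):
    """Rules that widen the domain beyond read-only access: writing into a
    directory or executing a file. These deserve a policy decision, not a
    reflexive semodule -i."""
    return [r for r in proposed_rules(counts)
            if any(p in r for p in ('write', 'execute', 'execmod', 'create'))]


if __name__ == '__main__':
    counts, targets = summarize(SAMPLE_AUDIT)
    for key, n in counts.items():
        print(n, key, sorted(targets[key]))
    print('helpers:', helpers_seen(counts))
    print('\n'.join(proposed_rules(counts)))
    print('review:', rules_needing_review(counts))
```

Two things the grouped view makes visible that the sealert summary does not: the sealert hash line names `p11_child`, while the raw AVC in the same report carries `comm="krb5_child"`, so grouping on the raw `comm=` field shows which helper is actually hitting the denial; and because the rules are per domain (`sssd_t`), any `allow` added for one helper is granted to every sssd child running in that domain, which is why the write and execute rules are worth a manual look before they are installed.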