various programs communicating with SSSD

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all,

I would like to ask for help to identify services / daemons / agents which communicate with SSSD. It seems that selinux-policy does not expect such a behavior in many cases. The idea struck me when Kyle Brantley filed following bug:
 * BZ#1147787 - zebra won't start when sssd is used due to selinux policy

As you can see the problem is not limited to RHEL-7 only:
 * BZ#1148572 - SELinux prevents zebra from communicating with sssd

Are there other services which would communicate with SSSD if SSSD was enabled ?

# grep sss /etc/nsswitch.conf
passwd:     sss files
shadow:     sss files
group:      sss files
#

Let's skip those SELinux domains which are already allowed to communicate with SSSD. Following script helped me to narrow the set of possible candidates:

for SCONTEXT in `seinfo -adomain -x | grep -v domain | sort` ; do
    COUNT=0
    sesearch -s $SCONTEXT -t sssd_var_lib_t -c sock_file -p write -A -C | grep -q allow && let "COUNT += 1"
    sesearch -s $SCONTEXT -t sssd_var_lib_t -c dir -p search -A -C | grep -q allow && let "COUNT += 1"
    sesearch -s $SCONTEXT -t sssd_t -c unix_stream_socket -p connectto -A -C | grep -q allow && let "COUNT += 1"
    sesearch -s $SCONTEXT -t sssd_public_t -c file -p read -A -C | grep -q allow && let "COUNT += 1"
    sesearch -s $SCONTEXT -t sssd_public_t -c dir -p search -A -C | grep -q allow && let "COUNT += 1"
    echo "$SCONTEXT: $COUNT"
done | grep -v ": 5"

The fact that selinux-policy does not contain appropriate allow rules for domain X does not mean that domain X does not want to communicate with SSSD. It's likely that nobody tried that scenario with enabled SELinux before.

So far I was able to reproduce AVCs in scenarios (on RHEL-7.0) when following domains communicated with SSSD:
 * openct_t
 * postgrey_t
 * drbd_t
 * sblim_gatherd_t
 * rhsmcertd_t
 * pkcsslotd_t
 * openvswitch_t
 * opensm_t
 * ddclient_t
 * mysqld_safe_t
 * conman_t
 * dnssec_trigger_t
 * ctdbd_t
 * nova_scheduler_t
 * nova_api_t
 * nova_network_t
 * nova_vncproxy_t
 * speech-dispatcher_t

I hope this email will help me create a list of domains, which suffer from similar SELinux denials, and start a discussion about possible ways how is (could be) SSSD used in SELinux enabled environments.

Milos Malik
SELinux QE person
Red Hat
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux