Hi all,
I would like to ask for help to identify services / daemons / agents which communicate
with SSSD. It seems that selinux-policy does not expect such a behavior in many cases. The
idea struck me when Kyle Brantley filed following bug:
* BZ#1147787 - zebra won't start when sssd is used due to selinux policy
As you can see the problem is not limited to RHEL-7 only:
* BZ#1148572 - SELinux prevents zebra from communicating with sssd
Are there other services which would communicate with SSSD if SSSD was enabled ?
# grep sss /etc/nsswitch.conf
passwd: sss files
shadow: sss files
group: sss files
#
Let's skip those SELinux domains which are already allowed to communicate with SSSD.
Following script helped me to narrow the set of possible candidates:
for SCONTEXT in `seinfo -adomain -x | grep -v domain | sort` ; do
COUNT=0
sesearch -s $SCONTEXT -t sssd_var_lib_t -c sock_file -p write -A -C | grep -q allow
&& let "COUNT += 1"
sesearch -s $SCONTEXT -t sssd_var_lib_t -c dir -p search -A -C | grep -q allow
&& let "COUNT += 1"
sesearch -s $SCONTEXT -t sssd_t -c unix_stream_socket -p connectto -A -C | grep -q
allow && let "COUNT += 1"
sesearch -s $SCONTEXT -t sssd_public_t -c file -p read -A -C | grep -q allow
&& let "COUNT += 1"
sesearch -s $SCONTEXT -t sssd_public_t -c dir -p search -A -C | grep -q allow
&& let "COUNT += 1"
echo "$SCONTEXT: $COUNT"
done | grep -v ": 5"
The fact that selinux-policy does not contain appropriate allow rules for domain X does
not mean that domain X does not want to communicate with SSSD. It's likely that nobody
tried that scenario with enabled SELinux before.
So far I was able to reproduce AVCs in scenarios (on RHEL-7.0) when following domains
communicated with SSSD:
* openct_t
* postgrey_t
* drbd_t
* sblim_gatherd_t
* rhsmcertd_t
* pkcsslotd_t
* openvswitch_t
* opensm_t
* ddclient_t
* mysqld_safe_t
* conman_t
* dnssec_trigger_t
* ctdbd_t
* nova_scheduler_t
* nova_api_t
* nova_network_t
* nova_vncproxy_t
* speech-dispatcher_t
I hope this email will help me create a list of domains, which suffer from similar SELinux
denials, and start a discussion about possible ways how is (could be) SSSD used in SELinux
enabled environments.
Milos Malik
SELinux QE person
Red Hat