Hi,

What OS is running on your system?

What is the output of `cat /etc/nsswitch.conf | grep passwd` on your system?

Do you use SSSD on purpose?


On Tue, Mar 15, 2022 at 7:45 PM Brian J. Murrell <brian@interlinx.bc.ca> wrote:
I am getting some SELinux AVC alerts for a given process in a given domain that seems to want to be able to read files in /var/lib/sss/.

strace(1)ing the (unprivileged) process, it seems to want to do the following:

4024612 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

and

4024612 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 EACCES (Permission denied)

in /var/lib/sss/, which as you can see SELinux is currently denying. But nothing about the running of the process seems to be amiss despite these EPERMs.

Ultimately I am just trying to gauge the potential issues with following the least-privilege principle and setting these to ignore rather than allow.  I.e. what might not be functioning correctly (even though they appear to be from all outward appearances) if these EPERMs continue instead of being allowed.

Any ideas why this process would be wanting to access those paths and why and what the problem might be with denying it?

Cheers,
b.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org