On (19/03/22 13:26), Brian J. Murrell wrote:
On Wed, 2022-03-16 at 14:47 +0100, Lukas Slebodnik wrote:
Could you share the full report from audit? e.g. ausearch -m AVC
There are lots. One such example, and the first one of a series:
type=PROCTITLE msg=audit(1647710324.067:172072): proctitle=7368002D63002F686F6D652F6D6F74696F6E2F6D6F7669655F656E642032002026
type=SYSCALL msg=audit(1647710324.067:172072): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5573bf195680 a2=80000 a3=0 items=0 ppid=967054 pid=3299344 auid=4294967295 uid=982 gid=39 euid=982 suid=982 fsuid=982 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:motion_t:s0 key=(null)
type=AVC msg=audit(1647710324.067:172072): avc: denied { search } for pid=3299344 comm="sh" name="sss" dev="dm-8" ino=210 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
Looks like there is not any issue with SELinux labeling for sssd, but the issue is that motion (scontext=system_u:system_r:motion_t:s0) is not allowed to communicate with sssd.
Looks like it tries to use nsswitch, which hits sssd because `sss` is the first one in /etc/passwd.
IIRC it should be allowed by default with the macros `auth_read_passwd` or `auth_use_nsswitch` in recent versions of Fedora. I am not sure about el8.
I would recommend filing a bug against selinux-policy.
BTW, changing the order of modules in /etc/passwd, `sss files` -> `files sss`, might avoid the issues with AVCs.
HTH
LS
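Added example, not part of the thread and not code from sssd, motion or selinux-policy: a short Python script that takes the three audit records Brian posted (PROCTITLE, SYSCALL, AVC, re-split one per line as ausearch prints them), groups them by event id, and decodes the parts that matter for the diagnosis above: the hex proctitle into argv, syscall 257 on arch c000003e into openat, exit=-13 into EACCES, and the scontext/tcontext pair into "motion_t may not search sssd_var_lib_t dirs". It also prints the raw TE rule that would cover the denial, which is what audit2allow would propose; the thread's point is that the proper fix is a policy interface such as auth_use_nsswitch, not a hand-written allow. The x86_64 syscall table is a constructed subset with only the entries used here, and the field names are read from the records themselves.

```python
import errno
import re

# Constructed sample: the records from the thread, one record per line.
SAMPLE = """type=PROCTITLE msg=audit(1647710324.067:172072): proctitle=7368002D63002F686F6D652F6D6F74696F6E2F6D6F7669655F656E642032002026
type=SYSCALL msg=audit(1647710324.067:172072): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5573bf195680 a2=80000 a3=0 items=0 ppid=967054 pid=3299344 auid=4294967295 uid=982 gid=39 euid=982 suid=982 fsuid=982 egid=39 sgid=39 fsgid=39 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:motion_t:s0 key=(null)
type=AVC msg=audit(1647710324.067:172072): avc: denied { search } for pid=3299344 comm="sh" name="sss" dev="dm-8" ino=210 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
"""

# Partial x86_64 (arch=c000003e) syscall table; constructed subset, not the full table.
X86_64_SYSCALLS = {2: "open", 4: "stat", 257: "openat", 262: "newfstatat"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')  # msg=audit(<time>:<serial>)


def decode_proctitle(value):
    """ausearch prints proctitle as hex when argv contains NUL separators,
    otherwise as a quoted string. Return the argv list in either case."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [arg.decode("utf-8", "replace") for arg in bytes.fromhex(value).split(b"\x00")]


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields.
    For AVC records, also capture the result and the permission set."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        rec["avc_result"] = m.group(1)
        rec["avc_perms"] = m.group(2).split()
    return rec


def group_events(text):
    """Group records by their audit(<time>:<serial>) event id, preserving order."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.search(line)
        if not line or not m:
            continue
        events.setdefault(f"{m.group(1)}:{m.group(2)}", []).append(parse_record(line))
    return events


def summarize(records):
    """Reduce one event's records to the facts needed to read the denial.
    Assumes one SYSCALL and one AVC record per event (true for this sample)."""
    by_type = {r["type"]: r for r in records}
    sc, avc, pt = by_type["SYSCALL"], by_type["AVC"], by_type.get("PROCTITLE", {})
    exit_code = int(sc["exit"])
    syscall = sc["syscall"]
    if sc.get("arch") == "c000003e":                   # only decode for x86_64
        syscall = X86_64_SYSCALLS.get(int(syscall), syscall)
    return {
        "comm": sc["comm"],
        "exe": sc["exe"],
        "argv": decode_proctitle(pt["proctitle"]) if "proctitle" in pt else [],
        "syscall": syscall,
        # exit is -errno on failure; map 13 -> EACCES via the errno module
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "source_type": avc["scontext"].split(":")[2],  # user:role:TYPE:level
        "target_type": avc["tcontext"].split(":")[2],
        "target_name": avc.get("name"),
        "tclass": avc["tclass"],
        "permissions": avc["avc_perms"],
        "permissive": avc["permissive"] == "1",
    }


def allow_rule(summary):
    """The raw TE rule covering this denial (what audit2allow would emit).
    Distribution policy would instead call an interface such as auth_use_nsswitch."""
    perms = " ".join(summary["permissions"])
    return (f'allow {summary["source_type"]} {summary["target_type"]}:'
            f'{summary["tclass"]} {{ {perms} }};')


if __name__ == "__main__":
    for event_id, records in group_events(SAMPLE).items():
        s = summarize(records)
        print(f"event {event_id}: {s['exe']} ({' '.join(s['argv'])})")
        print(f"  {s['syscall']} failed with {s['errno']}: {s['source_type']} lacks "
              f"{' '.join(s['permissions'])} on {s['tclass']} {s['target_name']!r} "
              f"({s['target_type']}), permissive={s['permissive']}")
        print("  would need:", allow_rule(s))
```

Run it as-is to print the decoded event; to apply it to a live system, feed it the output of `ausearch -m AVC -i` is not what it expects, since `-i` already interprets fields; use the raw `ausearch -m AVC` output, as Lukas asked for. The argv decode makes the context visible: the denial comes from a `sh -c` child of motion running a script under /home/motion, and a passwd lookup from that shell is what walked into the sssd directory.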