Hi Stephen,

On Thu, Jan 3, 2013 at 2:41 PM, Stephen Gallagher <sgallagh@redhat.com> wrote:
> On Thu 03 Jan 2013 08:29:45 AM EST, Marco Pizzoli wrote:
> > Hi guys,
> > I'm having a problem with SELinux on my RHEL6.3 box with SSSD. I write
> > it here cause I imagine you are the best to understand where the
> > problem is :-)
> >
> > Scenario:
> > OpenLDAP server -> Pass-Through Authentication by using CyrusSASL
> > configured to leverage PAM -> PAM configured to leverage SSSD
> >
> > Problem: in Enforcing mode I cannot get authentication, in Permissive
> > mode yes.
> >
> > The error I'm facing in my /var/log/audit/audit.log is:
> >
> > type=AVC msg=audit(1357215410.532:82682): avc:  denied  { connectto } for  pid=11638 comm="saslauthd" path="/var/lib/sss/pipes/private/pam" scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> > type=SYSCALL msg=audit(1357215410.532:82682): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff7c1c7440 a2=6e a3=0 items=0 ppid=11635 pid=11638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5055 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
> > type=USER_AUTH msg=audit(1357215410.532:82683): user pid=11638 uid=0 auid=0 ses=5055 subj=unconfined_u:system_r:saslauthd_t:s0 msg='op=PAM:authentication acct="pippo" exe="/usr/sbin/saslauthd" hostname=? addr=? terminal=? res=failed'
> >
> > Do you think it's a bug with the selinux-policy distributed with RHEL6.3?
> > Is there any sebool I have to toggle to be able to make saslauthd
> > connect to the sssd-pam socket?
> >
> > Thanks in advance as usual!
> > Marco
>
> Marco, are you using the version of SSSD that shipped with RHEL 6.3?

Yes, I am.

> If so, please file this as an issue at access.redhat.com and it will get fixed in the SELinux policy.

Ok, I just checked this with you first.

> If you're using a custom newer version of SSSD, then you will probably need to manually add SELinux rules. In that case, you should probably also open an issue at access.redhat.com as they will be able to help you figure out what needs to change in the policy.
>
> Also, it might not hurt to try out the SELinux policy from the RHEL 6.4 beta in case that fixes it for you.

I'm going to check with my line if we can proceed this way. In case, I'll let you know.
Thanks for your prompt response.
Marco
 
 
 
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users