Hi Stephen,
On Thu, Jan 3, 2013 at 2:41 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> On Thu 03 Jan 2013 08:29:45 AM EST, Marco Pizzoli wrote:
>> Hi guys,
>> I'm having a problem with SELinux on my RHEL6.3 box with SSSD. I write
>> it here cause I imagine you are the best to understand where the
>> problem is :-)
>> Scenario:
>> OpenLDAP server -> Pass-Through Authentication by using CyrusSASL
>> configured to leverage PAM -> PAM configured to leverage SSSD
>> Problem: in Enforcing mode I cannot get authentication, in Permissive
>> mode yes.
>> The error I'm facing in my /var/log/audit/audit.log is:
>> type=AVC msg=audit(1357215410.532:82682): avc: denied { connectto }
>> for pid=11638 comm="saslauthd" path="/var/lib/sss/pipes/private/pam"
>> scontext=unconfined_u:system_r:saslauthd_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=unix_stream_socket
>> type=SYSCALL msg=audit(1357215410.532:82682): arch=c000003e syscall=42
>> success=no exit=-13 a0=8 a1=7fff7c1c7440 a2=6e a3=0 items=0 ppid=11635
>> pid=11638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=5055 comm="saslauthd" exe="/usr/sbin/saslauthd"
>> subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
>> type=USER_AUTH msg=audit(1357215410.532:82683): user pid=11638 uid=0
>> auid=0 ses=5055 subj=unconfined_u:system_r:saslauthd_t:s0
>> msg='op=PAM:authentication acct="pippo" exe="/usr/sbin/saslauthd"
>> hostname=? addr=? terminal=? res=failed'
>> Do you think it's a bug with the selinux-policy distributed with RHEL6.3?
>> Is there any sebool I have to toggle to be able to make saslauthd
>> connect to the sssd-pam socket?
>> Thanks in advance as usual!
>> Marco
>>
> Marco, are you using the version of SSSD that shipped with RHEL 6.3?
Yes, I am.
> If so, please file this as an issue at access.redhat.com and it will get
> fixed in the SELinux policy.
Ok, I just checked this with you first.
> If you're using a custom newer version of SSSD, then you will probably
> need to manually add SELinux rules. In that case, you should probably also
> open an issue at access.redhat.com as they will be able to help you
> figure out what needs to change in the policy.
> Also, it might not hurt to try out the SELinux policy from the RHEL 6.4
> beta in case that fixes it for you.
I'm going to check with my line if we can proceed this way. In case, I'll
let you know.
Thanks for your prompt response.
Marco
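Triage of the denial discussed in this thread, as an added example that is not part of the exchange above: it parses AVC records of the form Marco posted (here embedded as a constructed sample, the three records re-joined onto single lines), pulls out the source/target types, object class and denied permission, and renders the allow rule that audit2allow would derive from it, so the rule can be reviewed before anyone considers loading it. All function names are this example's own.

```python
import re

# Constructed sample: the three audit records from the thread, re-joined
# into single audit.log lines with the "**" wrap artefacts removed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357215410.532:82682): avc: denied { connectto } for pid=11638 comm="saslauthd" path="/var/lib/sss/pipes/private/pam" scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1357215410.532:82682): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff7c1c7440 a2=6e a3=0 items=0 ppid=11635 pid=11638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5055 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)
type=USER_AUTH msg=audit(1357215410.532:82683): user pid=11638 uid=0 auid=0 ses=5055 subj=unconfined_u:system_r:saslauthd_t:s0 msg='op=PAM:authentication acct="pippo" exe="/usr/sbin/saslauthd" hostname=? addr=? terminal=? res=failed'
"""

# "avc: denied { perm ... } for key=value ..."; only AVC records carry the denial itself.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(log_text):
    """Return one dict per AVC denial: permissions, source/target types, class, path."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL / USER_AUTH records describe the same event, not the denial
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        denials.append({
            'serial': int(m.group('serial')),
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'path': fields.get('path'),
            # A context is user:role:type[:range]; policy rules are written against the type.
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        })
    return denials


def allow_rule(denial):
    """Policy-language allow line that would permit this denial (what audit2allow derives).

    Review before loading: in Marco's log the target type is unconfined_t because
    the sssd side of the socket ran unconfined, so this rule is broader than a
    distribution-policy fix targeting sssd's own domain would be.
    """
    perms = ' '.join(denial['perms'])
    return f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {perms};"
```

Feed it `ausearch -m avc -c saslauthd` output (or the raw audit.log) to see every distinct denial saslauthd hit while authentication was failing in Enforcing mode.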
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org <sssd-users(a)lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users <https:/...