
SELinux policy does not allow /etc/sssd/pki/sssd_auth_ca_db.pem to be a symlink #6611

Closed
frasertweedale opened this issue Mar 8, 2023 · 3 comments · Fixed by fedora-selinux/selinux-policy#1874

Comments

@frasertweedale

For smart card login in FreeIPA context, it can make sense to symlink sssd_auth_ca_db.pem to
/etc/ipa/ca.crt so that cert renewals are automatically picked up, with no administrative overhead.
However, the SELinux enforcement prevents this file from being read:

type=AVC msg=audit(1678254063.644:318): avc:  denied  { read } for  pid=1722
  comm="p11_child" name="sssd_auth_ca_db.pem" dev="dm-0" ino=19095552
  scontext=system_u:system_r:sssd_t:s0
  tcontext=unconfined_u:object_r:sssd_conf_t:s0
  tclass=lnk_file permissive=0

This was after a restorecon -R of the /etc/sssd directory.
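An added example for triaging a denial like the one above (not code from the issue, from SSSD or from selinux-policy): it parses an AVC record into the allow rule audit2allow would derive and renders it as a minimal local policy module to use as a stop-gap until the distribution policy update lands. The constructed sample record, the module name and the build commands in the comments are assumptions; the parser also handles denials that list several permissions.

```shell
#!/bin/sh
# Added example, not from the issue or from the sssd/selinux-policy projects.
# Parses an AVC denial record into (source type, target type, class, perms)
# and renders the allow rule / local policy module that audit2allow would
# derive. Constructed sample: the record from the issue body, on one line.
AVC_SAMPLE='type=AVC msg=audit(1678254063.644:318): avc:  denied  { read } for  pid=1722 comm="p11_child" name="sssd_auth_ca_db.pem" dev="dm-0" ino=19095552 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0'

# avc_field KEY LINE: value of the first KEY=... token in the record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# parse_avc LINE: sets AVC_SRC, AVC_TGT, AVC_CLS, AVC_PERMS; fails on
# anything that is not a denial so callers cannot emit a rule by accident.
parse_avc() {
    case $1 in *"avc:  denied"*) ;; *) return 1 ;; esac
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
                | sed 's/^ *//; s/ *$//')
    AVC_SRC=$(avc_field scontext "$1" | cut -d: -f3)   # e.g. sssd_t
    AVC_TGT=$(avc_field tcontext "$1" | cut -d: -f3)   # e.g. sssd_conf_t
    AVC_CLS=$(avc_field tclass "$1")                    # e.g. lnk_file
    [ -n "$AVC_PERMS" ] && [ -n "$AVC_SRC" ] && [ -n "$AVC_TGT" ] && [ -n "$AVC_CLS" ]
}

# avc_to_rule LINE: the single TE allow rule this denial maps to.
avc_to_rule() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

# avc_to_te NAME LINE: minimal local module source (NAME is an assumed module
# name) carrying only that rule. Build and load it with:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
# Caveat: this grants read on the symlink only; reading the target file is
# governed by the target's own label, so check it with ls -Z first.
avc_to_te() {
    parse_avc "$2" || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '    type %s;\n    type %s;\n' "$AVC_SRC" "$AVC_TGT"
    printf '    class %s { %s };\n}\n\n' "$AVC_CLS" "$AVC_PERMS"
    printf 'allow %s %s:%s { %s };\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}
```

Running `avc_to_te local_sssd_lnk "$AVC_SAMPLE" > local_sssd_lnk.te` produces the module source; review the rule before loading it, since a local module widens the policy for every sssd_conf_t symlink, not just this one.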

@pbrezina
Member

I pinged Zdeněk to take a look, but this needs to be reported against selinux-policy, since we do not have our own policy package.

zpytela added a commit to zpytela/selinux-policy that referenced this issue Sep 26, 2023
Previously, sssd was allowed to read only plain configuration files in
/etc/sssd. Since this commit it is allowed to read symlinks, too, which
supports a scenario where sssd_auth_ca_db.pem points to /etc/ipa/ca.crt
so that cert renewals are automatically picked up, with no
administrative overhead.

Resolves: SSSD/sssd#6611
@zpytela

zpytela commented Sep 26, 2023

I've just submitted a PR to address this issue:
fedora-selinux/selinux-policy#1874

If also needed in RHEL, please file a Jira.

@pbrezina
Member

Thank you Zdeněk. @frasertweedale please report it as required against selinux-policy.

zpytela added a commit to zpytela/selinux-policy that referenced this issue Sep 27, 2023
zpytela added a commit to fedora-selinux/selinux-policy that referenced this issue Sep 29, 2023