View Issue Details

IDProjectCategoryView StatusLast Update
0016374CentOS-7selinux-policypublic2019-09-02 04:52
Reporterzmyrgel 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version7.6.1810 
Target VersionFixed in Version 
Summary0016374: SELinux is preventing aide from write access on the sock_file /var/lib/sss/pipes/nss.
DescriptionSelinux is preventing aide from accessing sssd socket. I guess its tries to look up user/group info for centrally managed users.
I have the server as a member of AD domain with SSSD so I guess when it reads up AD user info the selinux is preventing it.

I think the selinux should allow aide to access to SSSD socket to be able to do its job.
Steps To ReproduceJoin server to AD domain with SSSD, have files owned by AD users and run aide.
Additional InformationFull sealert:

SELinux is preventing aide from write access on the sock_file /var/lib/sss/pipes/nss.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that aide should be allowed write access on the nss sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'aide' --raw | audit2allow -M my-aide
# semodule -i my-aide.pp


Additional Information:
Source Context system_u:system_r:aide_t:s0-s0:c0.c1023
Target Context system_u:object_r:sssd_var_lib_t:s0
Target Objects /var/lib/sss/pipes/nss [ sock_file ]
Source aide
Source Path aide
Port <Unknown>
Host pluto.ad.domain.fi
Source RPM Packages aide-0.15.1-13.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.12.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name pluto.ad.domain.fi
Platform Linux pluto.ad.domain.fi
                              3.10.0-957.21.2.el7.x86_64 #1 SMP Wed Jun 5
                              14:26:44 UTC 2019 x86_64 x86_64
Alert Count 556159
First Seen 2018-04-21 04:27:49 EEST
Last Seen 2019-09-02 04:14:40 EEST
Local ID 35fe42f9-0211-41a2-9de0-640e3ff3be99

Raw Audit Messages
type=AVC msg=audit(1567386880.67:2586516): avc: denied { write } for pid=16690 comm="aide" name="nss" dev="dm-3" ino=6291591 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1567386880.67:2586516): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7ffe222248a0 a2=6e a3=5d303785 items=1 ppid=16688 pid=16690 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=57828 comm=aide exe=/usr/sbin/aide subj=system_u:system_r:aide_t:s0-s0:c0.c1023 key=(null)

Hash: aide,aide_t,sssd_var_lib_t,sock_file,write
TagsNo tags attached.
abrt_hash
URL

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-09-02 04:52 zmyrgel New Issue