
Bug 1298607

Summary: httpd_dbus_sssd no longer enables D-Bus communication between Apache and SSSD
Product: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Unspecified
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Keywords: Regression
Reporter: Jan Pazdziora <jpazdziora>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: dwalsh, jpazdziora
Target Milestone: ---
Target Release: ---
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-01-15 14:37:25 UTC

Description Jan Pazdziora 2016-01-14 14:45:19 UTC
Description of problem:

Up until recently, the SELinux boolean httpd_dbus_sssd enabled Apache (httpd_t) to dbus send_msg to SSSD (sssd_t). Now it leads to org.freedesktop.DBus.Error.AccessDenied and a USER_AVC being logged.

Version-Release number of selected component (if applicable):

dbus-1.10.6-1.fc23.x86_64
kernel-4.3.3-300.fc23.x86_64
selinux-policy-targeted-3.13.1-158.fc23.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Configure SSSD (presumably IPA-enrolled) with ifp (D-Bus), start it.
2. Attempt to run dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:bob31482 array:string:gecos,mail as type httpd_t (since that's what mod_lookup_identity will do)

Actual results:

Error org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.74" (uid=0 pid=21742 comm="dbus-send --print-reply --system --dest=org.freede") interface="org.freedesktop.sssd.infopipe" member="GetUserAttr" error name="(unset)" requested_reply="0" destination="org.freedesktop.sssd.infopipe" (uid=0 pid=15495 comm="/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --debug")

and

type=USER_AVC msg=audit(1452777868.145:657): pid=685 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.sssd.infopipe member=GetUserAttr dest=org.freedesktop.sssd.infopipe spid=21742 tpid=15495 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

in /var/log/audit/audit.log.

Expected results:

method return time=1452777855.573643 sender=:1.45 -> destination=:1.73 serial=5 reply_serial=2
   array [
      dict entry(
         string "gecos"
         variant             array [
               string "Robert Chase"
            ]
      )
      dict entry(
         string "mail"
         variant             array [
               string "bob31482"
            ]
      )
   ]

Additional info:

# sesearch -C --allow -s httpd_t -t sssd_t
Found 7 semantic av rules:
   allow nsswitch_domain sssd_t : unix_stream_socket connectto ; 
   allow nsswitch_domain sssd_t : key { view read write search link setattr create } ; 
   allow domain domain : key { search link } ; 
ET allow httpd_t sssd_t : dbus send_msg ; [ httpd_dbus_sssd ]
DT allow httpd_t domain : process getpgid ; [ httpd_run_stickshift ]
ET allow domain domain : fd use ; [ domain_fd_use ]
DT allow daemon daemon : unix_stream_socket connectto ; [ daemons_enable_cluster_mode ]

which is exactly the same as on Fedora 22 with selinux-policy-3.13.1-128.21.fc22.noarch.
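As an added example (not part of the bug report or of selinux-policy), the check an administrator can run over /var/log/audit/audit.log to detect this regression: parse USER_AVC records and flag dbus send_msg denials from httpd_t to sssd_t, which should never appear while httpd_dbus_sssd is on. The first sample line is the USER_AVC quoted above; the second is a constructed, unrelated denial that must not be flagged.

```python
import re

# Sample audit.log content: the first line is the USER_AVC from the bug
# report, the second is a constructed, unrelated dbus denial that must not match.
SAMPLE_AUDIT_LOG = "\n".join([
    "type=USER_AVC msg=audit(1452777868.145:657): pid=685 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.sssd.infopipe member=GetUserAttr "
    "dest=org.freedesktop.sssd.infopipe spid=21742 tpid=15495 "
    "scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sssd_t:s0 "
    "tclass=dbus  exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1452777900.000:660): pid=685 uid=81 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } "
    "for msgtype=method_call interface=org.example.Foo member=Bar dest=org.example.Foo "
    "spid=1 tpid=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sssd_t:s0 "
    "tclass=dbus  exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
])

# USER_AVC records carry the AVC text inside msg='...'; pull out the audit id,
# the denied permission set and the key=value fields after "for".
AVC_RE = re.compile(r"type=USER_AVC msg=audit\((?P<audit_id>[^)]+)\):.*?"
                    r"msg='avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>[^']*)'")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def dbus_denials(log_text):
    """Return one dict per USER_AVC line whose object class is dbus."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        if f.get("tclass") != "dbus":
            continue
        # An SELinux context is user:role:type[:range]; keep only the type.
        out.append({"audit_id": m.group("audit_id"), "perms": m.group("perms").split(),
                    "source_type": f.get("scontext", "::?").split(":")[2],
                    "target_type": f.get("tcontext", "::?").split(":")[2],
                    "interface": f.get("interface"), "member": f.get("member")})
    return out


def httpd_sssd_denials(log_text):
    """Denials of httpd_t sending a D-Bus message to sssd_t. Any hit while
    httpd_dbus_sssd is on means the boolean is not taking effect (this bug)."""
    return [d for d in dbus_denials(log_text)
            if d["source_type"] == "httpd_t" and d["target_type"] == "sssd_t"
            and "send_msg" in d["perms"]]
```

On a real host, pass the contents of /var/log/audit/audit.log to httpd_sssd_denials(); a non-empty result together with `getsebool httpd_dbus_sssd` reporting on is the signature of this regression.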

Comment 2 Miroslav Grepl 2016-01-15 09:59:16 UTC
Ok, it looks like something is wrong with the policy.

Could you try to run

# semodule -B

to see if you get errors or if it helps you.

Comment 3 Jan Pazdziora 2016-01-15 10:05:49 UTC
(In reply to Miroslav Grepl from comment #2)
> Ok, it looks like something is wrong with the policy.
> 
> Could you try to run
> 
> # semodule -B
> 
> to see if you get errors or if it helps you.

# semodule -B
# echo $?
0

and I still get the same error when I try to run dbus-send.

Comment 4 Miroslav Grepl 2016-01-15 14:37:25 UTC

*** This bug has been marked as a duplicate of bug 1298192 ***