Bug 1298607 - httpd_dbus_sssd no longer enables D-Bus communication between Apache and SSSD
Summary: httpd_dbus_sssd no longer enables D-Bus communication between Apache and SSSD
Keywords:
Status: CLOSED DUPLICATE of bug 1298192
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-14 14:45 UTC by Jan Pazdziora
Modified: 2016-01-15 14:37 UTC
CC: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-15 14:37:25 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2016-01-14 14:45:19 UTC
Description of problem:

Up until recently, the SELinux boolean httpd_dbus_sssd enabled Apache (httpd_t) to dbus send_msg to SSSD (sssd_t). Now it leads to org.freedesktop.DBus.Error.AccessDenied and a USER_AVC being logged.

Version-Release number of selected component (if applicable):

dbus-1.10.6-1.fc23.x86_64
kernel-4.3.3-300.fc23.x86_64
selinux-policy-targeted-3.13.1-158.fc23.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Configure SSSD (presumably IPA-enrolled) with ifp (D-Bus), start it.
2. Attempt to run dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:bob31482 array:string:gecos,mail as type httpd_t (since that's what mod_lookup_identity will do)

Actual results:

Error org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.74" (uid=0 pid=21742 comm="dbus-send --print-reply --system --dest=org.freede") interface="org.freedesktop.sssd.infopipe" member="GetUserAttr" error name="(unset)" requested_reply="0" destination="org.freedesktop.sssd.infopipe" (uid=0 pid=15495 comm="/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --debug")

and

type=USER_AVC msg=audit(1452777868.145:657): pid=685 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.sssd.infopipe member=GetUserAttr dest=org.freedesktop.sssd.infopipe spid=21742 tpid=15495 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

in /var/log/audit/audit.log.

Expected results:

method return time=1452777855.573643 sender=:1.45 -> destination=:1.73 serial=5 reply_serial=2
   array [
      dict entry(
         string "gecos"
         variant             array [
               string "Robert Chase"
            ]
      )
      dict entry(
         string "mail"
         variant             array [
               string "bob31482"
            ]
      )
   ]

Additional info:

# sesearch -C --allow -s httpd_t -t sssd_t
Found 7 semantic av rules:
   allow nsswitch_domain sssd_t : unix_stream_socket connectto ; 
   allow nsswitch_domain sssd_t : key { view read write search link setattr create } ; 
   allow domain domain : key { search link } ; 
ET allow httpd_t sssd_t : dbus send_msg ; [ httpd_dbus_sssd ]
DT allow httpd_t domain : process getpgid ; [ httpd_run_stickshift ]
ET allow domain domain : fd use ; [ domain_fd_use ]
DT allow daemon daemon : unix_stream_socket connectto ; [ daemons_enable_cluster_mode ]

which is exactly the same as on Fedora 22 with selinux-policy-3.13.1-128.21.fc22.noarch.
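
The following script is an added example for readers of this bug; it is not from the reporter or from the selinux-policy package. It does two things: it parses the USER_AVC record quoted above (embedded here as a constructed sample so the parsing part runs offline) into the "source type, target type, class, permission" shape a policy rule needs, and, where the SELinux tools are present, re-runs the reproduction from the report. Assumptions not stated on the page: runcon is used to enter httpd_t (the report does not say how it ran dbus-send as httpd_t), and getsebool, sesearch, dbus-send and ausearch are installed. One caveat worth knowing: denials issued by dbus-daemon are USER_AVC records, so `ausearch -m AVC` will not show them.

```bash
#!/bin/bash
# Added example, not from the bug report: triage the USER_AVC that dbus-daemon
# logs for httpd_t -> sssd_t, and (where the tools exist) re-run the
# reproduction from the report. Assumptions: runcon is used to get into
# httpd_t (the report does not say how it ran as httpd_t), and getsebool,
# sesearch, dbus-send and ausearch are available.

# Constructed sample: the USER_AVC record quoted in the report, so the
# parsing helpers below run offline without dbus-daemon or SSSD.
SAMPLE_USER_AVC="type=USER_AVC msg=audit(1452777868.145:657): pid=685 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.sssd.infopipe member=GetUserAttr dest=org.freedesktop.sssd.infopipe spid=21742 tpid=15495 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=dbus  exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"

# avc_field RECORD KEY: value of " KEY=value" inside an audit record.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_perm RECORD: the permission inside "denied  { ... }".
# The dbus class only ever reports one permission per record here.
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# avc_summary RECORD: "SOURCE_TYPE TARGET_TYPE CLASS PERMISSION", i.e. the
# shape of the allow rule that would have to exist for this access.
avc_summary() {
  local src tgt
  src=$(avc_field "$1" scontext | cut -d: -f3)
  tgt=$(avc_field "$1" tcontext | cut -d: -f3)
  printf '%s %s %s %s\n' "$src" "$tgt" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# Is this exactly the access the httpd_dbus_sssd boolean is meant to allow?
is_httpd_sssd_dbus_denial() {
  [ "$(avc_summary "$1")" = "httpd_t sssd_t dbus send_msg" ]
}

# Live reproduction, as root on an SELinux host with SSSD ifp running.
# Returns 2 (skipped) when the required tools are not present.
repro_httpd_sssd_dbus() {   # usage: repro_httpd_sssd_dbus USERNAME
  for tool in getsebool sesearch runcon dbus-send ausearch; do
    command -v "$tool" >/dev/null 2>&1 || { echo "skipping: $tool not found" >&2; return 2; }
  done
  getsebool httpd_dbus_sssd                      # must report "on"
  # The boolean-gated rule; "ET" in -C output means enabled, as the report shows.
  sesearch -C --allow -s httpd_t -t sssd_t -c dbus -p send_msg
  # Same call mod_lookup_identity makes, run in httpd_t (assumed via runcon).
  runcon -u unconfined_u -r system_r -t httpd_t dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe \
    org.freedesktop.sssd.infopipe.GetUserAttr "string:$1" array:string:gecos,mail
  # dbus-daemon logs these as USER_AVC, not AVC: "ausearch -m AVC" misses them.
  ausearch -m USER_AVC -ts recent --raw 2>/dev/null | while IFS= read -r rec; do
    if is_httpd_sssd_dbus_denial "$rec"; then
      echo "boolean-gated access still denied: $(avc_summary "$rec")"
    fi
  done
}
```

If the summary printed for a fresh denial matches a rule that sesearch reports as enabled, the policy loaded in the kernel and the policy files on disk have diverged, which is the situation a policy rebuild with semodule -B is meant to resolve; a denial that persists after a clean rebuild points at the policy content itself rather than at a stale load.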

Comment 2 Miroslav Grepl 2016-01-15 09:59:16 UTC
OK, it looks like something is wrong with the policy.

Could you try to run

# semodule -B

to see if you get errors or if it helps you.

Comment 3 Jan Pazdziora 2016-01-15 10:05:49 UTC
(In reply to Miroslav Grepl from comment #2)
> OK, it looks like something is wrong with the policy.
> 
> Could you try to run
> 
> # semodule -B
> 
> to see if you get errors or if it helps you.

# semodule -B
# echo $?
0

and I still get the same error when I try to run dbus-send.

Comment 4 Miroslav Grepl 2016-01-15 14:37:25 UTC

*** This bug has been marked as a duplicate of bug 1298192 ***

