Bug 2181010 - SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.
Summary: SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3e475a6e7bc9a55a9afe01adc0b...
Depends On:
Blocks: 2179591
Reported: 2023-03-22 20:38 UTC by Matt Fagnani
Modified: 2023-04-15 02:06 UTC (History)

Fixed In Version: selinux-policy-38.10-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-15 02:06:46 UTC
Type: ---
Embargoed:


Attachments
os_info (deleted), 2023-03-22 20:38 UTC, Matt Fagnani
description (deleted), 2023-03-22 20:38 UTC, Matt Fagnani


Links
GitHub fedora-selinux/selinux-policy pull 1628 (open): Allow sssd read accountsd fifo files. Last updated 2023-03-23 20:59:22 UTC

Description Matt Fagnani 2023-03-22 20:38:03 UTC
Description of problem:
I booted the Fedora 38 live image Fedora-KDE-Live-x86_64-38-20230322.n.0.iso in a GNOME Boxes QEMU/KVM VM in a Fedora 38 installation. I opened System Settings in Plasma 5.27.3 on Wayland in the VM. I selected Users in the System Settings menu. I created two new users of the standard account type with passwords. The journal showed denials of sss_cache reading a pipe or fifo_file from the pipefs device. 

I reproduced this problem in the Fedora 38 KDE Plasma installation in the same way. The journal showed the following at the time of the denials.

Mar 22 16:23:53 audit[8610]: USER_AUTH pid=8610 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="matt" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Mar 22 16:23:53 audit[8610]: USER_ACCT pid=8610 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="matt" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Mar 22 16:23:53 polkitd[932]: Operator of unix-session:2 successfully authenticated as unix-user:matt to gain TEMPORARY authorization for action org.freedesktop.accounts.user-administration for system-bus-name::1.264 [/usr/bin/systemsettings] (owned by unix-user:matt)
Mar 22 16:23:53 accounts-daemon[864]: request by system-bus-name::1.264 [/usr/bin/systemsettings pid:8570 uid:1000]: create user 'user3'
Mar 22 16:23:53 useradd[8615]: new group: name=user3, GID=1002
Mar 22 16:23:53 useradd[8615]: new user: name=user3, UID=1002, GID=1002, home=/home/user3, shell=/bin/bash, from=none
Mar 22 16:23:53 accounts-daemon[8638]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:53 accounts-daemon[8638]: Could not open available domains
Mar 22 16:23:53 useradd[8615]: useradd: sss_cache exited with status 5
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 accounts-daemon[8641]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:53 accounts-daemon[8641]: Could not open available domains
Mar 22 16:23:53 useradd[8615]: useradd: sss_cache exited with status 5
Mar 22 16:23:53 useradd[8615]: useradd: Failed to flush the sssd cache.
Mar 22 16:23:53 accounts-daemon[864]: request by system-bus-name::1.264 [/usr/bin/systemsettings pid:8570 uid:1000]: set password and hint of user 'user3' (1002)
Mar 22 16:23:53 audit[8649]: AVC avc:  denied  { read } for  pid=8649 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 accounts-daemon[8649]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:54 accounts-daemon[8649]: Could not open available domains
Mar 22 16:23:54 chpasswd[8645]: chpasswd: sss_cache exited with status 5
Mar 22 16:23:54 chpasswd[8645]: chpasswd: Failed to flush the sssd cache.
Mar 22 16:23:54 audit[8651]: AVC avc:  denied  { read } for  pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
Mar 22 16:23:54 accounts-daemon[8651]: [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Mar 22 16:23:54 accounts-daemon[8651]: Could not open available domains
Mar 22 16:23:54 chpasswd[8645]: chpasswd: sss_cache exited with status 5
Mar 22 16:23:54 chpasswd[8645]: chpasswd: Failed to flush the sssd cache.

I'm reporting this problem from the F38 installation which has SELinux enabled with the targeted policy selinux-policy-38.8-2.fc38.noarch in enforcing mode.

SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sss_cache should be allowed read access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sss_cache' --raw | audit2allow -M my-ssscache
# semodule -X 300 -i my-ssscache.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        sss_cache
Source Path                   sss_cache
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.8-2.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.8-2.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.7-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Mar 17 16:02:49 UTC 2023
                              x86_64
Alert Count                   2
First Seen                    2023-03-22 16:23:53 EDT
Last Seen                     2023-03-22 16:23:54 EDT
Local ID                      2294d8b6-8f30-4721-88e3-53c6951ce268

Raw Audit Messages
type=AVC msg=audit(1679516634.18:292): avc:  denied  { read } for  pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0


Hash: sss_cache,sssd_t,accountsd_t,fifo_file,read

Version-Release number of selected component:
selinux-policy-targeted-38.8-2.fc38.noarch

Additional info:
reporter:       libreport-2.17.8
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.7-300.fc38.x86_64
component:      selinux-policy
package:        selinux-policy-targeted-38.8-2.fc38.noarch
reason:         SELinux is preventing sss_cache from 'read' accesses on the fifo_file fifo_file.
component:      selinux-policy

Comment 1 Matt Fagnani 2023-03-22 20:38:05 UTC
Created attachment 1952929 [details]
File: os_info

Comment 2 Matt Fagnani 2023-03-22 20:38:07 UTC
Created attachment 1952930 [details]
File: description

Comment 3 Kamil Páral 2023-03-23 08:55:13 UTC
Zdenek, this bug seems to block bug 2179591, which is currently proposed as a Fedora 38 Final blocker. If you can, please look at it soon, thanks.

Comment 4 Zdenek Pytela 2023-03-23 19:57:47 UTC
Matt,

Can you insert this local module to check if this is the only denial?

  # cat local_sssd_acct.cil
(allow sssd_t accountsd_t (fifo_file (read)))
  # semodule -i local_sssd_acct.cil
<reproduce>

then
  # semodule -r local_sssd_acct

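As an added illustration (not code from the bug report or from the selinux-policy project), the following script derives the CIL allow statement that comment 4 installs from the AVC lines shown in the description and in the raw audit message. It parses both the journal and the type=AVC formats, extracts the source type, target type, class and permissions, and merges repeated denials into one rule per (source, target, class) triple, which is roughly what audit2allow does for a local module. The sample lines are copied from the report above.

```python
import re

# Two AVC lines as they appear in the report: one from the journal, one from
# the "Raw Audit Messages" section (copied from the bug, not constructed).
SAMPLE_AVCS = """\
Mar 22 16:23:53 audit[8649]: AVC avc:  denied  { read } for  pid=8649 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1679516634.18:292): avc:  denied  { read } for  pid=8651 comm="sss_cache" path="pipe:[291359]" dev="pipefs" ino=291359 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
"""

# Matches the parts of an AVC record that a CIL allow rule needs:
# the permission set in braces, scontext, tcontext and tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)


def type_of(context):
    # A context is user:role:type:range; the type is the third field.
    return context.split(":")[2]


def parse_avc(line):
    """Return the rule-relevant fields of one AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "stype": type_of(m["scontext"]),
        "ttype": type_of(m["tcontext"]),
        "tclass": m["tclass"],
    }


def cil_rules(text):
    """Merge all denials in text into CIL allow statements, one per (source, target, class)."""
    merged = {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    # Rendered in the same form as the local_sssd_acct.cil module in comment 4.
    # Review each rule before installing it: this grants exactly what was denied.
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(merged.items())
    ]
```

Running `cil_rules(SAMPLE_AVCS)` on the two report lines yields the single statement `(allow sssd_t accountsd_t (fifo_file (read)))`, matching comment 4; the result is a temporary diagnostic module, to be removed with semodule -r once the proper policy update is installed.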
Comment 5 Matt Fagnani 2023-03-23 20:37:25 UTC
I inserted the local module local_sssd_acct.cil and created another user. No SELinux denials were shown. The other errors were still there in the journal like I reported, so there might be some problem with sss_cache other than the denial. I ran sudo setenforce 0 and created the user again. There weren't any denials but the other errors were there in the journal as before. Thanks.

Comment 6 Zdenek Pytela 2023-03-23 20:59:23 UTC
Thank you for checking.

Comment 7 Fedora Update System 2023-03-27 13:20:16 UTC
FEDORA-2023-624eb88729 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

Comment 8 Kamil Páral 2023-03-27 15:21:53 UTC
(In reply to Fedora Update System from comment #7)
> FEDORA-2023-624eb88729 has been submitted as an update to Fedora 38.
> https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

I don't see AVCs when this update is installed and new users get created in KDE.

Comment 9 Fedora Update System 2023-03-28 03:42:53 UTC
FEDORA-2023-624eb88729 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-624eb88729

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-04-06 01:48:00 UTC
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-04-15 02:06:46 UTC
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
