DevHeads.net

selinux prohibiting sssd usage

I've got a CentOS 6 machine that's slated to go into production
providing some web and development-repository services.

Part of the environment is gitweb, which works as expected with one
glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who
owns the repositories.

The audit log entries are pretty straightforward, e.g.,

type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for
pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX
scontext=unconfined_u:system_r:httpd_git_script_t:s0
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

I'll use audit2allow to build a custom policy if need be, but what I'd
really like to hear is that there's an SELinux boolean that can be
tweaked or a file context that can be altered to make things work as
expected.

Comments

Re: selinux prohibiting sssd usage

By David at 08/10/2011 - 13:48

At 09:32 AM 8/10/2011, you wrote:

Paul

I've just spent three days trying to figure out why SSH worked
sometimes, sometimes not. Just minutes before your note arrived, I
figured I had to disable SELINUX, and now it works just fine. Your
note confirmed that there's a link there.

David Kurn

Re: selinux prohibiting sssd usage

By Paul Heinlein at 08/10/2011 - 13:59

I haven't had any trouble with ssh. I'll note that the system in
question gets user account information from ldap.

Oddly, when using sssd+ldap, getent without a specific key won't
return ldap account information, but with a key it will. That is,
"getent passwd" will return only accounts in the local /etc/passwd
database, but "getent passwd bob" will return ldap-supplied
information about user bob.

Re: selinux prohibiting sssd usage

By Michael Gliwinski at 08/11/2011 - 04:51

On Wednesday 10 Aug 2011 18:59:14 Paul Heinlein wrote:
That is normal unless you have 'enumerate = true' for the LDAP domain in SSSD
config file. Note that SSSD manual warns that this may be slow for large
installations (personally I haven't had a problem with it yet but only have <
200 posix users).

Re: selinux prohibiting sssd usage

By John Hodrien at 08/11/2011 - 05:03

I can confirm that With tens of thousands it's cripplingly slow.

jh

Re: selinux prohibiting sssd usage

By Daniel J Walsh at 08/10/2011 - 14:14

On 08/10/2011 01:59 PM, Paul Heinlein wrote:

Re: selinux prohibiting sssd usage

By Paul Heinlein at 08/10/2011 - 14:24

Thanks, Dan! I'm a big fan of the work you've done integrating RHEL
and SELinux, and improving SELinux in general.

Do you have a diff or policy fragment I can use until your changes
appear in CentOS?

Re: selinux prohibiting sssd usage

By Daniel J Walsh at 08/10/2011 - 16:12

On 08/10/2011 02:24 PM, Paul Heinlein wrote:
Is what I am adding to 6.2 policy.

This will show up in selinux-policy-3.7.19-107.el6 when we build it
later this week.

You can always grab the latest policy for the upcoming release at

<a href="http://people.redhat.com/dwalsh/SELinux/RHEL6" title="http://people.redhat.com/dwalsh/SELinux/RHEL6">http://people.redhat.com/dwalsh/SELinux/RHEL6</a>

selinux-policy-3.7.19-106.el6 is out there now.

Re: selinux prohibiting sssd usage

By Adam Wead at 08/10/2011 - 13:27

I can't think of any booleans off-hand, but you might try moving the
location of the gitweb.cgi to a folder where SELinux expects cgi executables
to be, such as /var/www. Then if you relabel, it might put it in the
correct security context to fix the error. This is how I solve about 90% of
my SELinux problems... just moving the files to the right location.

Re: selinux prohibiting sssd usage

By Paul Heinlein at 08/10/2011 - 13:52

There's a whole httpd_git_* slew of labels in CentOS 6 -- and I'm
using the stock gitweb RPM -- so I'd rather fix it as-is so package
updates have fewer special instructions down the road.

Hands-down, the coolest job title I've seen on the centos mailing
list!