Allow setcap() syscall for 'sssd_selinux_manager_t'
#2455
Comments
|
C10S ticket: https://issues.redhat.com/browse/RHEL-70822 |
zpytela
added a commit
to zpytela/selinux-policy
that referenced
this issue
Dec 10, 2024
SSSD is being reworked [1] to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore. [1] SSSD/sssd#7731 The commit addresses the following AVC denial: type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1 type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd" type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0 Resolves: fedora-selinux#2455 Resolves: rhbz#2331486
zpytela
added a commit
to zpytela/selinux-policy
that referenced
this issue
Dec 10, 2024
SSSD is being reworked [1] to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore. [1] SSSD/sssd#7731 The commit addresses the following AVC denial: type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1 type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd" type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0 Resolves: fedora-selinux#2455 Resolves: rhbz#2331486
zpytela
added a commit
to zpytela/selinux-policy
that referenced
this issue
Dec 10, 2024
SSSD is being reworked [1] to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore. [1] SSSD/sssd#7731 The commit addresses the following AVC denial: type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1 type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd" type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0 Resolves: fedora-selinux#2455 Resolves: rhbz#2331486
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
SSSD is being reworked to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when non needed anymore (specific PR that triggered this ticket - SSSD/sssd#7731)
This approach conflicts with current
sssd_selinux_manager_tpolicy:"""
type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd"
type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0
"""
Relevant policy that needs to be fixed:
selinux-policy/policy/modules/contrib/sssd.te
Line 283 in 8dfcddb
This change will land Fedora 41+ and C10S soon. CC @zpytela
The text was updated successfully, but these errors were encountered: