From d5a5ff043c5872eb159aa096e1a1fa7863db4f86 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 19 Aug 2016 10:46:12 +0200
Subject: [PATCH 09/39] BUILD: Allow to read private pipes for root

Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and deny access if access is not allowed for root by DAC. The pam_sss use different unix socket /var/lib/sss/pipes/private/pam for user with uid 0. Therefore root need to be able read content of directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves: https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek
(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
---
 Makefile.am | 8 ++++----
 contrib/sssd.spec.in | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
 $(DESTDIR)$(keytabdir) \
 $(DESTDIR)$(mcpath) \
 $(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
 $(DESTDIR)$(pubconfpath) \
 $(DESTDIR)$(pubconfpath)/krb5.include.d \
 $(DESTDIR)$(gpocachepath) \
@@ -3979,16 +3978,17 @@ installsssddirs::
 $(DESTDIR)$(sssddatadir) \
 $(DESTDIR)$(sudolibdir) \
 $(DESTDIR)$(autofslibdir) \
+ $(DESTDIR)$(pipepath)/private \
 $(SSSD_USER_DIRS) \
 $(NULL);
 if SSSD_USER
- -chown $(SSSD_USER):$(SSSD_USER) \
- $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
 endif
 $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
- $(DESTDIR)$(pipepath)/private \
 $(DESTDIR)$(keytabdir) \
 $(NULL)
+ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
 $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
 $(DESTDIR)$(pubconfpath) \
 $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -791,7 +791,7 @@ done
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
 %attr(755,sssd,sssd) %dir %{pubconfpath}
 %attr(755,sssd,sssd) %dir %{gpocachepath}
 %attr(750,sssd,sssd) %dir %{_var}/log/%{name}
--
2.9.3
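Review bot: The group of the private pipe directory is left implicit in the new `-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private` line: only the owner is set, so the group stays whatever the preceding `$(INSTALL) -d` created, which matches the spec's new `%attr(750,sssd,root)` only when the install itself runs as root. Since mode 0750 is what grants uid-0 pam_sss callers search access without needing dac_read_search, the group is part of the security contract and should be explicit and documented, e.g. `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private` preceded by `# 0750 with group root: uid-0 pam_sss clients must be able to search this dir without CAP_DAC_READ_SEARCH`. The leading `-` also hides a failed chown, so a non-root DESTDIR install presumably ends up with the installing user's group silently; that is likely fine for staged installs but deserves a comment. The installsssddirs recipe begins before the hunk.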