authorLukas Slebodnik <lslebodn@redhat.com>2016-08-19 10:46:12 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-08-26 14:29:30 +0200
commitf49724cd6b3e0e3274302c3d475e93f7a7094f40 (patch)
treed6c160e370b8871de4394f8ed6d5f616df05ace7
parentb8ceaeb80cffb00c26390913ea959b77f7e848b9 (diff)
BUILD: Allow to read private pipes for root
Root can read anything from any directory, even with permissions 000. However, SELinux checks discretionary access control (DAC) and denies access if DAC would not grant it to root. pam_sss uses a different unix socket, /var/lib/sss/pipes/private/pam, for users with uid 0. Therefore root needs to be able to read the content of the directory with the private pipes. type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability Resolves: https://fedorahosted.org/sssd/ticket/3143 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--Makefile.am8
-rw-r--r--contrib/sssd.spec.in2
2 files changed, 5 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am
index 8b9240f44..6219682de 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
$(DESTDIR)$(keytabdir) \
$(DESTDIR)$(mcpath) \
$(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d \
$(DESTDIR)$(gpocachepath) \
@@ -3979,16 +3978,17 @@ installsssddirs::
$(DESTDIR)$(sssddatadir) \
$(DESTDIR)$(sudolibdir) \
$(DESTDIR)$(autofslibdir) \
+ $(DESTDIR)$(pipepath)/private \
$(SSSD_USER_DIRS) \
$(NULL);
if SSSD_USER
- -chown $(SSSD_USER):$(SSSD_USER) \
- $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
endif
$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(keytabdir) \
$(NULL)
+ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
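Review bot: The new `chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private` sets only the owner, so the directory's group stays whatever gid the installer ran with, while contrib/sssd.spec.in in the same commit pins the group to `root` with `%attr(750,sssd,root)`. Since the whole point of 0750 is that gid-0 clients can search the directory without CAP_DAC_READ_SEARCH, the group should be explicit here too: `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private`, which also keeps a non-rpm `make install` consistent with the packaged layout. Note that 0750 with group root grants directory search to every process running with gid 0, not only uid 0; presumably the socket files inside carry their own permissions, but that is not visible in this hunk, so a one-line comment above the chown stating the intent (root-group read/search for the uid-0 pam_sss socket, see ticket 3143) would help the next maintainer. The leading `-` still silently swallows a failed chown, which is the pre-existing pattern but means a staged install can end up with a private dir owned by the builder without any warning.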
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 24af8d518..1e058ca63 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -791,7 +791,7 @@ done
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
%attr(755,sssd,sssd) %dir %{pubconfpath}
%attr(755,sssd,sssd) %dir %{gpocachepath}
%attr(750,sssd,sssd) %dir %{_var}/log/%{name}
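Review bot: The switch to `%attr(750,sssd,root) %dir %{pipepath}/private` is the only place in the spec where the group differs from the owning `sssd` user, and nothing in the file explains why, so a future cleanup pass is likely to "fix" it back to `sssd,sssd` and reintroduce the dac_read_search AVC. A short comment above the line would anchor the rationale: `# group root so uid-0 pam_sss clients can search the dir without CAP_DAC_READ_SEARCH (SELinux denies it, see ticket 3143)`. Keep in mind that every gid-0 process, not just root-uid ones, gains search on this directory; whether that is acceptable depends on the permissions of the sockets inside, which this hunk does not show.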