From 711a29023252013a8451ee1b90f045782fee1a38 Mon Sep 17 00:00:00 2001

From: Lukas Slebodnik <lslebodn@redhat.com>

Date: Fri, 19 Aug 2016 10:46:12 +0200

Subject: [PATCH 118/121] BUILD: Allow to read private pipes for root

Root can read anything from any directory even with permissions 000.

However SELinux checks discretionary access control (DAC)

and deny access if access is not allowed for root by DAC.

The pam_sss use different unix socket /var/lib/sss/pipes/private/pam

for user with uid 0. Therefore root need to be able read content

of directory with private pipes.

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied

  { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search

  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023

  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied

  { dac_override } for  pid=20257 comm=vsftpd capability=dac_override

  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023

  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Resolves:

https://fedorahosted.org/sssd/ticket/3143

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 Makefile.am          | 8 ++++----

 contrib/sssd.spec.in | 2 +-

 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am

index 6ab4399d5b68644668198bc9b0e3056562a4e51a..b8cd8b64ca8a130a5dd3107e1fb1445310192059 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -3967,7 +3967,6 @@ SSSD_USER_DIRS = \

     $(DESTDIR)$(keytabdir) \

     $(DESTDIR)$(mcpath) \

     $(DESTDIR)$(pipepath) \

-    $(DESTDIR)$(pipepath)/private \

     $(DESTDIR)$(pubconfpath) \

     $(DESTDIR)$(pubconfpath)/krb5.include.d \

     $(DESTDIR)$(gpocachepath) \

@@ -3994,16 +3993,17 @@ installsssddirs::

     $(DESTDIR)$(sssddatadir) \

     $(DESTDIR)$(sudolibdir) \

     $(DESTDIR)$(autofslibdir) \

+    $(DESTDIR)$(pipepath)/private \

     $(SSSD_USER_DIRS) \

     $(NULL);

 if SSSD_USER

-	-chown $(SSSD_USER):$(SSSD_USER) \

-	$(SSSD_USER_DIRS)

+	-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)

+	-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private

 endif

 	$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \

-            $(DESTDIR)$(pipepath)/private \

 	    $(DESTDIR)$(keytabdir) \

 	    $(NULL)

+	$(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private

 	$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \

             $(DESTDIR)$(pubconfpath) \

             $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in

index f1ff16176cb8ca974b98948958cfa1e9290b0bca..cb68a73e85122b016de7df37bcf4fc232a10a2ac 100644

--- a/contrib/sssd.spec.in

+++ b/contrib/sssd.spec.in

@@ -784,7 +784,7 @@ done

 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group

 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups

 %attr(755,sssd,sssd) %dir %{pipepath}

-%attr(700,sssd,sssd) %dir %{pipepath}/private

+%attr(750,sssd,root) %dir %{pipepath}/private

 %attr(755,sssd,sssd) %dir %{pubconfpath}

 %attr(755,sssd,sssd) %dir %{gpocachepath}

 %attr(750,sssd,sssd) %dir %{_var}/log/%{name}

-- 

2.4.11