From 711a29023252013a8451ee1b90f045782fee1a38 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 19 Aug 2016 10:46:12 +0200
Subject: [PATCH 118/121] BUILD: Allow to read private pipes for root

Root can read anything from any directory even with permissions 000.

However SELinux checks discretionary access control (DAC)
and deny access if access is not allowed for root by DAC.
The pam_sss module uses a different unix socket, /var/lib/sss/pipes/private/pam,
for users with uid 0. Therefore root needs to be able to read the content
of the directory holding the private pipes.

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Resolves:
https://fedorahosted.org/sssd/ticket/3143

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 Makefile.am          | 8 ++++----
 contrib/sssd.spec.in | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 6ab4399d5b68644668198bc9b0e3056562a4e51a..b8cd8b64ca8a130a5dd3107e1fb1445310192059 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3967,7 +3967,6 @@ SSSD_USER_DIRS = \
     $(DESTDIR)$(keytabdir) \
     $(DESTDIR)$(mcpath) \
     $(DESTDIR)$(pipepath) \
-    $(DESTDIR)$(pipepath)/private \
     $(DESTDIR)$(pubconfpath) \
     $(DESTDIR)$(pubconfpath)/krb5.include.d \
     $(DESTDIR)$(gpocachepath) \
@@ -3994,16 +3993,17 @@ installsssddirs::
     $(DESTDIR)$(sssddatadir) \
     $(DESTDIR)$(sudolibdir) \
     $(DESTDIR)$(autofslibdir) \
+    $(DESTDIR)$(pipepath)/private \
     $(SSSD_USER_DIRS) \
     $(NULL);
 if SSSD_USER
-	-chown $(SSSD_USER):$(SSSD_USER) \
-	$(SSSD_USER_DIRS)
+	-chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+	-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
 endif
 	$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
-            $(DESTDIR)$(pipepath)/private \
 	    $(DESTDIR)$(keytabdir) \
 	    $(NULL)
+	$(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
 	$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
             $(DESTDIR)$(pubconfpath) \
             $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
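Review bot: The new `-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private` sets only the owner, so the group of the directory stays whatever the preceding `$(INSTALL) -d` left (normally the installing process's group), while contrib/sssd.spec.in in the same commit pins it to `sssd,root`. Since the whole point of the 0750 mode is that uid 0 passes the DAC check through the group bits, a make-install done as a non-root user or with a setgid parent would not reproduce the packaged layout; `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private` would match the spec and make the intent explicit (assuming a Linux "root" group, as the spec already does). The `installsssddirs::` recipe whose first `$(INSTALL) -d` list gains the private directory begins above this hunk, so the order "create, chown, then `-m 0750`" can only be partly checked here. A one-line comment above the chown, such as `# private pipes dir: owner sssd, group root, 0750 so SELinux DAC checks allow root (ticket 3143)`, would keep the next maintainer from folding it back into SSSD_USER_DIRS.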
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index f1ff16176cb8ca974b98948958cfa1e9290b0bca..cb68a73e85122b016de7df37bcf4fc232a10a2ac 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -784,7 +784,7 @@ done
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
 %attr(755,sssd,sssd) %dir %{pubconfpath}
 %attr(755,sssd,sssd) %dir %{gpocachepath}
 %attr(750,sssd,sssd) %dir %{_var}/log/%{name}
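Review bot: The changed `%attr(750,sssd,root) %dir %{pipepath}/private` is the only entry in this block whose group is not sssd, and nothing in the spec says why, so it reads like a typo next to the surrounding `sssd,sssd` lines. A spec comment directly above it, e.g. `# group root + 0750: root-run clients must pass SELinux DAC checks to reach the private pam pipe (ticket 3143)`, would record the reason the commit message gives and stop a later cleanup from reverting it to 700/sssd.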
-- 
2.4.11