rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bab31444d7
sssd/0009-BUILD-Allow-to-read-private-pipes-for-root.patch

83 lines
3.2 KiB
Diff
Raw Normal View History

Backport important patches from upstream 1.14.2 prerelease - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 (cherry picked from commit 2b61bbee117148e160036768235522c51f647759)
2016-08-31 17:45:36 +00:00
From d5a5ff043c5872eb159aa096e1a1fa7863db4f86 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 19 Aug 2016 10:46:12 +0200
Subject: [PATCH 09/39] BUILD: Allow to read private pipes for root
Root can read anything from any directory even with permissions 000.
However SELinux checks discretionary access control (DAC)
and deny access if access is not allowed for root by DAC.
The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
for user with uid 0. Therefore root need to be able read content
of directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_override } for pid=20257 comm=vsftpd capability=dac_override
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves:
https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
---
Makefile.am | 8 ++++----
contrib/sssd.spec.in | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
$(DESTDIR)$(keytabdir) \
$(DESTDIR)$(mcpath) \
$(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d \
$(DESTDIR)$(gpocachepath) \
@@ -3979,16 +3978,17 @@ installsssddirs::
$(DESTDIR)$(sssddatadir) \
$(DESTDIR)$(sudolibdir) \
$(DESTDIR)$(autofslibdir) \
+ $(DESTDIR)$(pipepath)/private \
$(SSSD_USER_DIRS) \
$(NULL);
if SSSD_USER
- -chown $(SSSD_USER):$(SSSD_USER) \
- $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
endif
$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(keytabdir) \
$(NULL)
+ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -791,7 +791,7 @@ done
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
%attr(755,sssd,sssd) %dir %{pubconfpath}
%attr(755,sssd,sssd) %dir %{gpocachepath}
%attr(750,sssd,sssd) %dir %{_var}/log/%{name}
--
2.9.3
Reference in New Issue Copy Permalink