f49724c BUILD: Allow to read private pipes for root

2 files Authored by lslebodn 7 years ago, Committed by jhrozek 7 years ago,
    BUILD: Allow to read private pipes for root
    
    Root can read anything from any directory even with permissions 000.
    
    However, SELinux checks discretionary access control (DAC)
    and denies access if access is not allowed for root by DAC.
    pam_sss uses a different unix socket, /var/lib/sss/pipes/private/pam,
    for the user with uid 0. Therefore root needs to be able to read the
    content of the directory with private pipes.
    
    type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
      { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
      scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
      tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
    
    type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
      { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
      scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
      tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3143
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    
        
file modified
+4 -4
file modified
+1 -1