At 09:32 AM 8/10/2011, you wrote:
I've got a CentOS 6 machine that's slated to go into production providing some web and development-repository services.
Part of the environment is gitweb, which works as expected with one glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who owns the repositories.
The audit log entries are pretty straightforward, e.g.,
type=AVC msg=audit(XXXXXXXXXXXX): avc: denied { search } for pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX scontext=unconfined_u:system_r:httpd_git_script_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
I'll use audit2allow to build a custom policy if need be, but what I'd really like to hear is that there's an SELinux boolean that can be tweaked or a file context that can be altered to make things work as expected.
-- Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
Paul
I've just spent three days trying to figure out why SSH worked sometimes, sometimes not. Just minutes before your note arrived, I figured I had to disable SELinux, and now it works just fine. Your note confirmed that there's a link there.
David Kurn
On Wed, 10 Aug 2011, david wrote:
At 09:32 AM 8/10/2011, you wrote:
Part of the environment is gitweb, which works as expected with one glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who owns the repositories. [....]
Paul
I've just spent three days trying to figure out why SSH worked sometimes, sometimes not. Just minutes before your note arrived, I figured I had to disable SELinux, and now it works just fine. Your note confirmed that there's a link there.
I haven't had any trouble with ssh. I'll note that the system in question gets user account information from ldap.
Oddly, when using sssd+ldap, getent without a specific key won't return ldap account information, but with a key it will. That is, "getent passwd" will return only accounts in the local /etc/passwd database, but "getent passwd bob" will return ldap-supplied information about user bob.
On 08/10/2011 01:59 PM, Paul Heinlein wrote:
On Wed, 10 Aug 2011, david wrote:
At 09:32 AM 8/10/2011, you wrote:
Part of the environment is gitweb, which works as expected with one glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who owns the repositories. [....]
Paul
I've just spent three days trying to figure out why SSH worked sometimes, sometimes not. Just minutes before your note arrived, I figured I had to disable SELinux, and now it works just fine. Your note confirmed that there's a link there.
I haven't had any trouble with ssh. I'll note that the system in question gets user account information from ldap.
Oddly, when using sssd+ldap, getent without a specific key won't return ldap account information, but with a key it will. That is, "getent passwd" will return only accounts in the local /etc/passwd database, but "getent passwd bob" will return ldap-supplied information about user bob.
I am adding the allow rule to allow httpd_git_script_t to resolve usernames to Fedora and RHEL policies.
On Wed, 10 Aug 2011, Daniel J Walsh wrote:
I am adding the allow rule to allow httpd_git_script_t to resolve usernames to Fedora and RHEL policies.
Thanks, Dan! I'm a big fan of the work you've done integrating RHEL and SELinux, and improving SELinux in general.
Do you have a diff or policy fragment I can use until your changes appear in CentOS?
On 08/10/2011 02:24 PM, Paul Heinlein wrote:
On Wed, 10 Aug 2011, Daniel J Walsh wrote:
I am adding the allow rule to allow httpd_git_script_t to resolve usernames to Fedora and RHEL policies.
Thanks, Dan! I'm a big fan of the work you've done integrating RHEL and SELinux, and improving SELinux in general.
Do you have a diff or policy fragment I can use until your changes appear in CentOS?
auth_use_nsswitch(httpd_git_script_t)
Is what I am adding to 6.2 policy.
This will show up in selinux-policy-3.7.19-107.el6 when we build it later this week.
You can always grab the latest policy for the upcoming release at
http://people.redhat.com/dwalsh/SELinux/RHEL6
selinux-policy-3.7.19-106.el6 is out there now.
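A local policy module that carries Dan's one-line fix until the updated selinux-policy package lands, as an added example (not from the thread or from the RHEL policy). The module name gitweb_sssd, the build via the refpolicy devel Makefile and the sesearch verification step are my own assumptions; the interface and type come from Dan's answer and the AVC above.

```shell
#!/bin/sh
# Added example: build and load a local SELinux module that grants gitweb's
# CGI domain NSS access, so gitweb.cgi can resolve repository owners via sssd.
# Module name "gitweb_sssd" and version 1.0 are arbitrary choices.
set -eu

# Emit the .te source. auth_use_nsswitch() is the refpolicy interface that
# lets a domain talk to nscd/sssd and read the NSS configuration it needs;
# it covers the { search } on sssd_var_lib_t seen in the AVC.
gitweb_sssd_te() {
    cat <<'EOF'
policy_module(gitweb_sssd, 1.0)

require {
    type httpd_git_script_t;
}

# Allow gitweb.cgi to resolve user names through sssd/LDAP.
auth_use_nsswitch(httpd_git_script_t)
EOF
}

# Compile and install the module. Needs selinux-policy-devel (for the
# Makefile) and policycoreutils, and must run as root.
build_and_load() {
    dir=$(mktemp -d)
    gitweb_sssd_te > "$dir/gitweb_sssd.te"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile gitweb_sssd.pp )
    semodule -i "$dir/gitweb_sssd.pp"
    rm -rf "$dir"
}

# Check the loaded policy now allows the exact access the AVC denied:
# httpd_git_script_t searching a dir labelled sssd_var_lib_t.
verify_rule() {
    sesearch --allow -s httpd_git_script_t -t sssd_var_lib_t -c dir \
        | grep -q search
}

if [ -f /usr/share/selinux/devel/Makefile ] && [ "$(id -u)" -eq 0 ]; then
    build_and_load
    verify_rule && echo "gitweb can now search sssd_var_lib_t"
else
    echo "policy devel tools missing or not root; printing module source" >&2
    gitweb_sssd_te
fi
```

Compared with an audit2allow-generated module, this grants the interface-level access the upstream fix uses rather than a raw allow rule for the single denied permission, so later denials on nscd or sssd sockets do not need a second round.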
On Wednesday 10 Aug 2011 18:59:14 Paul Heinlein wrote:
Oddly, when using sssd+ldap, getent without a specific key won't return ldap account information, but with a key it will. That is, "getent passwd" will return only accounts in the local /etc/passwd database, but "getent passwd bob" will return ldap-supplied information about user bob.
That is normal unless you have 'enumerate = true' for the LDAP domain in the SSSD config file. Note that the SSSD manual warns that this may be slow for large installations (personally I haven't had a problem with it yet but only have < 200 POSIX users).
On Thu, 11 Aug 2011, Michael Gliwinski wrote:
On Wednesday 10 Aug 2011 18:59:14 Paul Heinlein wrote:
Oddly, when using sssd+ldap, getent without a specific key won't return ldap account information, but with a key it will. That is, "getent passwd" will return only accounts in the local /etc/passwd database, but "getent passwd bob" will return ldap-supplied information about user bob.
That is normal unless you have 'enumerate = true' for the LDAP domain in the SSSD config file. Note that the SSSD manual warns that this may be slow for large installations (personally I haven't had a problem with it yet but only have < 200 POSIX users).
I can confirm that with tens of thousands it's cripplingly slow.
jh