[CentOS] selinux prohibiting sssd usage

Wed Aug 10 16:32:04 UTC 2011
Paul Heinlein <heinlein at madboa.com>

I've got a CentOS 6 machine that's slated to go into production 
providing some web and development-repository services.

Part of the environment is gitweb, which works as expected with one 
glitch: SELinux doesn't allow gitweb.cgi to query sssd to display who 
owns the repositories.

The audit log entries are pretty straightforward, e.g.,

type=AVC msg=audit(XXXXXXXXXXXX): avc:  denied { search } for 
pid=XXXX comm="gitweb.cgi" name="sss" dev=XXX ino=XXXXXXXXXXX 
scontext=unconfined_u:system_r:httpd_git_script_t:s0 
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

I'll use audit2allow to build a custom policy if need be, but what I'd 
really like to hear is that there's an SELinux boolean that can be 
tweaked or a file context that can be altered to make things work as 
expected.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/