I am getting some SELinux AVC alerts for a given process in a given domain that seems to
want to be able to read files in /var/lib/sss/.
strace(1)ing the (unprivileged) process, it seems to want to do the following:
4024612 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
and
4024612 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 EACCES (Permission denied)
in /var/lib/sss/, which, as you can see, SELinux is currently denying. But nothing about the
running of the process seems to be amiss despite these EPERMs.
Ultimately I am just trying to gauge the potential issues with following the
least-privilege principle and setting these to ignore rather than allow. I.e. what might
not be functioning correctly (even though they appear to be from all outward appearances)
if these EPERMs continue instead of being allowed.
Any ideas why this process would be wanting to access those paths, and what the
problem might be with denying it?
Cheers,
b.
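To make the "ignore versus allow" decision concrete, here is an added example (not from the poster or the sssd project) that turns AVC records into a policy module in either dontaudit or allow form, so the two candidate policies for the same denials can be compared before compiling. The AVC lines are constructed to match the two strace failures above, assuming a hypothetical process domain example_t; sssd_var_lib_t and sssd_t are the reference-policy types for /var/lib/sss and the sssd daemon.

```shell
#!/bin/sh
# Constructed sample AVC records (not real audit output): the openat() on
# /var/lib/sss/mc/passwd and the connect() to /var/lib/sss/pipes/nss, as
# they would be logged for a hypothetical domain example_t.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4024612 comm="example" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=4024612 comm="example" name="nss" dev="dm-0" ino=1235 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { connectto } for  pid=4024612 comm="example" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=0'

# avc_to_module NAME MODE   (MODE is "dontaudit" to silence or "allow" to grant)
# Reads AVC records on stdin and prints a raw checkmodule-style .te module:
# a require block listing every type and class/permission the rules touch,
# followed by one rule per denial. Same input, two candidate policies.
avc_to_module() {
    name="$1"; mode="$2"
    awk -v name="$name" -v mode="$mode" '
    /avc: +denied/ {
        # permissions are the words between { and }
        perms = $0; sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # third field of a context (user:role:type:level) is the type
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        types[src] = 1; types[tgt] = 1
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((cls, p[j]) in seen)) { seen[cls, p[j]] = 1; classperms[cls] = classperms[cls] " " p[j] }
        rules = rules sprintf("%s %s %s:%s { %s };\n", mode, src, tgt, cls, perms)
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (c in classperms) printf "\tclass %s {%s };\n", c, classperms[c]
        printf "}\n\n%s", rules
    }'
}

# Usage: emit both candidates for review (compile with checkmodule -M -m).
printf '%s\n' "$SAMPLE_AVC" | avc_to_module example_sssd_quiet dontaudit
printf '%s\n' "$SAMPLE_AVC" | avc_to_module example_sssd_grant allow
```

A dontaudit module only stops the denials from being logged; the process still gets EACCES, so the sssd memory cache and NSS pipe remain unreachable to it, whereas the allow module grants exactly the three listed accesses and nothing broader.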