SSSD on a read-only filesystem

SSSD on a read-only filesystem

[Andy Ruch]

Hello,

I'm implementing SSSD on my RHEL 6.5 system with a read-only root filesystem. SSSD attempts to write a file to /etc/selinux/<policy>/logins that maps the linux user to an selinux user. However, this causes problems since /etc is read-only. I've played with mounting /etc/selinux/<policy>/logins in tmpfs and everything seems to work. My questions really comes down to:


1) Are there any security concerns with having the 'logins' directory in tmpfs? 


2) Are there any functional considerations if the 'logins' directory gets erased every time the system reboots?



Thanks,
Andy Ruch

Re: SSSD on a read-only filesystem

[Daniel J Walsh]

No the only potential problem with this would be is if you setup
Confined Users to be provided by something like IPA, and sssd was not
able to contact the IPA server after a reboot.  Then potentially a user
would be allowed to login with a different user domain.

IE It will fallback to the __default__ user.

On 03/31/2014 06:08 PM, Andy Ruch wrote:
> Hello,
>
> I'm implementing SSSD on my RHEL 6.5 system with a read-only root filesystem. SSSD attempts to write a file to /etc/selinux/<policy>/logins that maps the linux user to an selinux user. However, this causes problems since /etc is read-only. I've played with mounting /etc/selinux/<policy>/logins in tmpfs and everything seems to work. My questions really comes down to:
>
>
> 1) Are there any security concerns with having the 'logins' directory in tmpfs? 
>
>
> 2) Are there any functional considerations if the 'logins' directory gets erased every time the system reboots?
>
>
>
> Thanks,
> Andy Ruch
>