SELinux prevents idmapd from accessing sss and userdb

Problem

User and group on NFS mounts are all nobody.
Worked on Fedora 36 and 37. Happens on a fresh install of F38 but also on updated systems.

Current version of selinux-policy: 38.12-1

Cause

SELinux is preventing idmapd from accessing userdb and sss.

Related Issues

Bugzilla is really slow for me today. I have been waiting for hours for the page to load.
Bugzilla report: #2190385

Workarounds

Creating a custom SELinux policy module:

module my-nfsidmap 1.0;

require {
	type nfsidmap_t;
	type systemd_userdbd_runtime_t;
	type sssd_var_lib_t;
	type sssd_public_t;
	type sssd_t;
	class dir { read search };
	class sock_file write;
	class file { getattr map open read };
	class unix_stream_socket connectto;
}

#============= nfsidmap_t ==============
# Let nfsidmap read and mmap the sssd public files (the nss memory cache)
allow nfsidmap_t sssd_public_t:file { getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow nfsidmap_t sssd_public_t:file map;
# Let nfsidmap reach the sssd nss socket under /var/lib/sss
allow nfsidmap_t sssd_t:unix_stream_socket connectto;
allow nfsidmap_t sssd_var_lib_t:sock_file write;
allow nfsidmap_t sssd_var_lib_t:dir search;
# Let nfsidmap list the systemd-userdb runtime directory
allow nfsidmap_t systemd_userdbd_runtime_t:dir read;

I don’t know if all of this is really necessary.
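Building, sanity-checking and loading the module above, as an added example that is not part of the original post. It assumes the policy text was saved as my-nfsidmap.te and that checkmodule, semodule_package and semodule are installed; the checks that the module only grants to nfsidmap_t and that every required type exists are my additions, not anything the post describes.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build, sanity-check and load the
# my-nfsidmap module. Assumes the policy text is saved as my-nfsidmap.te and
# that checkmodule, semodule_package and semodule are installed.
set -eu

# Source domain of every allow rule in a .te file, one per line, de-duplicated.
allow_sources() {
  awk '$1 == "allow" { print $2 }' "$1" | sort -u
}

# Succeeds only if every allow rule grants to $2 and nothing else: a workaround
# for nfsidmap must not quietly widen some other domain.
module_scoped_to() {
  [ "$(allow_sources "$1")" = "$2" ]
}

# Types named in the require block; each must exist in the loaded policy or
# semodule -i rejects the module.
required_types() {
  awk '/^[[:space:]]*type [^ ]+;/ { sub(/;$/, "", $2); print $2 }' "$1"
}

# Name from the "module NAME VERSION;" header line.
module_name() {
  awk '$1 == "module" { print $2; exit }' "$1"
}

# Compile, package and install (semodule needs root), then tell the reader how
# to confirm the denials have stopped.
install_module() {
  te=$1
  name=$(module_name "$te")
  module_scoped_to "$te" nfsidmap_t || { echo "refusing $te: allow rules not limited to nfsidmap_t" >&2; return 1; }
  if command -v seinfo >/dev/null 2>&1; then
    for t in $(required_types "$te"); do
      seinfo -t "$t" 2>/dev/null | grep -qw "$t" || echo "warning: $t unknown to the loaded policy" >&2
    done
  fi
  checkmodule -M -m -o "$name.mod" "$te"
  semodule_package -o "$name.pp" -m "$name.mod"
  sudo semodule -i "$name.pp"
  echo "loaded $name; re-trigger the NFS mount, then check: sudo ausearch -m avc -c nfsidmap -ts recent"
}

case "${1:-}" in
  install) install_module "${2:-my-nfsidmap.te}" ;;
esac
```

Run it as `./build-nfsidmap-module.sh install my-nfsidmap.te`; if ausearch still reports nfsidmap AVCs afterwards, the module is missing a rule and the new denial shows which one.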

Thanks for the writeup. Let’s wait for what the developer says in the Bugzilla.

So this is an actual bug in selinux-policy and is now being handled here:
2180611 – SELinux is preventing nfsidmap from 'read' accesses on the directory userdb.

But I don’t feel knowledgeable enough to recommend that people write a custom policy. I think we should recommend they just wait for an update. Do you want to rewrite the description? Or we can wait some more, and then the update should be published and this can be closed.