Bug 739708
| Field | Value |
|---|---|
| Summary | pki-selinux lacks rules in F16 |
| Product | [Fedora] Fedora |
| Component | pki-selinux |
| Version | 16 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED WONTFIX |
| Severity | urgent |
| Priority | unspecified |
| Reporter | Alexander Bokovoy <abokovoy> |
| Assignee | Ade Lee <alee> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | alexandermurashkin, dennis, kwright, spoore |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-02-14 02:48:38 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 699785 |
| Attachments | |
Description
Alexander Bokovoy
2011-09-19 20:09:41 UTC
Assigning to Ade per request.

Created attachment 524930 [details]
patch to fix

This patch adds two of the three rules.
The remaining one:
allow pki_ca_t unreserved_port_t:tcp_socket name_connect;
is still under investigation. I have no idea why tomcat would be trying to connect to an ephemeral port (and I have not been able to reproduce on my system). As far as I can tell, this happens on startup on Alexander's system -- but it does not affect the startup of the server.
[vakwetu@goofy-vm10 selinux]$ svn ci -m "Resolves #739708 - pki-selinux lacks rules in F16"
Sending        selinux/src/pki.if
Sending        selinux/src/pki.te
Transmitting file data ..
Committed revision 2228.

Any update on looking into the unreserved_port_t one?

I'm still seeing this with this version:
pki-selinux-9.0.16-1.fc16.noarch
This is how I tested (after seeing this error on an IPA server install):
# mkdir /etc/pki-avc-denial-test
# mkdir /var/log/pki-avc-denial-test
# pkicreate -pki_instance_root /var/lib \
> -pki_instance_name pki-avc-denial-test \
> -subsystem_type ca \
> -agent_secure_port 9443 \
> -ee_secure_port 9444 \
> -admin_secure_port 9445 \
> -ee_secure_client_auth_port 9446 \
> -unsecure_port 9180 \
> -tomcat_server_port 9701 \
> -redirect conf=/etc/pki-avc-denial-test \
> -redirect logs=/var/log/pki-avc-denial-test \
> -enable_proxy
This is what I saw from ausearch:
# /usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/03/2012 21:14
----
time->Tue Jan 3 21:14:41 2012
type=SYSCALL msg=audit(1325643281.445:390): arch=c000003e syscall=42 success=no exit=-13 a0=29 a1=7f94fcd3c680 a2=1c a3=7f94fcd3c410 items=0 ppid=1 pid=20400 auid=4294967295 uid=997 gid=993 euid=997 suid=997 fsuid=997 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1325643281.445:390): avc: denied { name_connect } for pid=20400 comm="java" dest=59912 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
Thanks,
Scott
I think I have a similar problem when trying to start FreeIPA. It seems that pki-ca tries to send an LDAP request to some ephemeral port.

pki-ca-9.0.17-1.fc16.noarch
pki-selinux-9.0.17-1.fc16.noarch
freeipa-server-2.1.4-5.fc16.x86_64
freeipa-client-2.1.4-5.fc16.x86_64
freeipa-python-2.1.4-5.fc16.x86_64
freeipa-server-selinux-2.1.4-5.fc16.x86_64
freeipa-admintools-2.1.4-5.fc16.x86_64

------- audit2allow produces the following --------------

module freeipa_local 1.0;

require {
	type ephemeral_port_t;
	type pki_ca_t;
	class tcp_socket name_connect;
}

#============= pki_ca_t ==============
allow pki_ca_t ephemeral_port_t:tcp_socket name_connect;

-------------------- Here is sealert output --------------------

# sealert -l d3154919-f39c-4327-be50-01c29982f6ef
SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that java should be allowed name_connect access on the <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pki_ca_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                [ None ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          56744
Host                          tiger.castle.aimk.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-65.1.11.1.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tiger.castle.aimk.com
Platform                      Linux tiger.castle.aimk.com 3.2.7-1.fc16.x86_64 #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64
Alert Count                   8
First Seen                    Tue 13 Mar 2012 02:14:03 AM CDT
Last Seen                     Tue 13 Mar 2012 03:40:32 AM CDT
Local ID                      d3154919-f39c-4327-be50-01c29982f6ef

Raw Audit Messages
type=AVC msg=audit(1331628032.187:735): avc: denied { name_connect } for pid=12699 comm="java" dest=56744 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
node=raptor.castle.aimk.com type=SYSCALL msg=audit(1331628032.187:735): arch=c000003e syscall=42 success=no exit=-13 a0=29 a1=7f9310ef4680 a2=1c a3=7f9310ef4410 items=0 ppid=1 pid=12699 auid=4294967295 uid=484 gid=304 euid=484 suid=484 fsuid=484 egid=304 sgid=304 fsgid=304 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)

Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect

audit2allow

audit2allow -R

The failed java process was probably started by the following one:

pkiuser 7989 1 0 02:14 ? 00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

--- related records from /var/log/pki-ca/catalina.out ---

INFO: Starting Servlet Engine: Apache Tomcat/6.0.32
Mar 13, 2012 3:20:34 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
CMS Warning: FAILURE: Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|FAILURE: Null response control|FAILURE: Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|FAILURE: Null response control|FAILURE: Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|FAILURE: Null response control|FAILURE: CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|
Server is started.

--- related records from /var/log/pki-ca/debug ---

[13/Mar/2012:03:20:35][CertStatusUpdateThread]: returnConn: mNumConns now 1
[13/Mar/2012:03:20:35][CertStatusUpdateThread]: returnConn: mNumConns now 2
[13/Mar/2012:03:20:35][main]: RequestRepository: getPublishingStatus: Error: Record not found
java.lang.Exception: Debug
	at com.netscape.cmscore.util.Debug.printStackTrace(Debug.java:227)
	at com.netscape.cmscore.apps.CMSEngine.debugStackTrace(CMSEngine.java:1194)
	at com.netscape.certsrv.apps.CMS.debugStackTrace(CMS.java:394)
	at com.netscape.cmscore.request.RequestRepository.getPublishingStatus(RequestRepository.java:162)
	at com.netscape.cmscore.request.RequestQueue.getPublishingStatus(RequestQueue.java:606)
	at com.netscape.certsrv.request.ARequestNotifier.setPublishingQueue(ARequestNotifier.java:93)
	at com.netscape.cmscore.ldap.PublisherProcessor.startup(PublisherProcessor.java:427)
	at com.netscape.cmscore.ldap.PublisherProcessor.init(PublisherProcessor.java:355)
	at com.netscape.ca.CertificateAuthority.initPublish(CertificateAuthority.java:1412)
	at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:328)
	at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:859)
	at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:788)
	at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
	at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
	at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
	at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4420)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4733)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1079)
	at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1002)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:506)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1315)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
	at org.apache.catalina.core.StandardService.start(StandardService.java:525)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:616)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[13/Mar/2012:03:20:35][CertStatusUpdateThread]: getEntries: exception netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
[13/Mar/2012:03:20:35][main]: returnConn: mNumConns now 3
[13/Mar/2012:03:20:35][main]: RequestRepository: obj is NOT instanceof RepositoryRecord
[13/Mar/2012:03:20:35][main]: RequestRepository: getPublishingStatus mBaseDN: ou=ca,ou=requests,o=ipaca status: null

This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
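The AVC records quoted in this bug (the `ausearch` output in Scott's comment and the raw audit message in the `sealert` report) can be folded into the same `allow` rule that `audit2allow` produced, and the `dest=` ports behind that rule listed, with the following added Python example. It is not part of the bug report, of pki-selinux or of audit2allow: the sample audit text is constructed from the two records on this page, and the function names (`parse_avc`, `collect_rules`, `destination_ports`, `render_module`, `port_caveat`) are mine.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample built from the two AVC records quoted in this bug, plus
# the SYSCALL record that shares the first one's serial. Not a live capture.
# On x86_64, syscall=42 is connect(2) and exit=-13 is EACCES.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1325643281.445:390): arch=c000003e syscall=42 success=no exit=-13 a0=29 items=0 ppid=1 pid=20400 comm="java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1325643281.445:390): avc:  denied  { name_connect } for  pid=20400 comm="java" dest=59912 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331628032.187:735): avc:  denied  { name_connect } for  pid=12699 comm="java" dest=56744 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
"""

Rule = Tuple[str, str, str]  # (source type, target type, object class)

AVC_RE = re.compile(r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port types that are catch-all labels rather than one service's port:
# ephemeral_port_t covers the ephemeral range, unreserved_port_t the
# unlabelled ports above 1023, port_t anything with no port label at all.
CATCH_ALL_PORT_TYPES = {"ephemeral_port_t", "unreserved_port_t", "port_t"}


def parse_avc(line: str) -> Optional[dict]:
    """Pull permissions, source/target types, class and dest port out of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "dest": fields.get("dest"),
        "comm": fields.get("comm"),
    }


def collect_rules(audit_text: str) -> Dict[Rule, Set[str]]:
    """Fold every denial into (stype, ttype, tclass) -> permissions, as audit2allow does."""
    rules: Dict[Rule, Set[str]] = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), set()).update(rec["perms"])
    return rules


def destination_ports(audit_text: str, rule: Rule) -> List[int]:
    """Distinct dest= ports behind one rule. One fixed port means a mislabelled
    service (fix the label with semanage port); varying ports mean a dynamic peer."""
    ports = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and (rec["stype"], rec["ttype"], rec["tclass"]) == rule and rec["dest"]:
            ports.add(int(rec["dest"]))
    return sorted(ports)


def _fmt_perms(perms: Set[str]) -> str:
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def render_module(name: str, rules: Dict[Rule, Set[str]]) -> str:
    """Emit policy module source in the shape 'audit2allow -M' writes."""
    types = sorted({t for stype, ttype, _ in rules for t in (stype, ttype)})
    classes: Dict[str, Set[str]] = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"#============= {stype} ==============")
        out.append(f"allow {stype} {ttype}:{tclass} {_fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def port_caveat(rule: Rule) -> Optional[str]:
    """Flag an allow rule whose target is a catch-all port type, not one service's port."""
    stype, ttype, tclass = rule
    if tclass in ("tcp_socket", "udp_socket") and ttype in CATCH_ALL_PORT_TYPES:
        return (f"allow {stype} {ttype}:{tclass} ... grants the whole {ttype} range, "
                "not one service; identify the real peer before shipping this rule")
    return None


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG)
    print(render_module("freeipa_local", rules))
    for rule in rules:
        print("dest ports:", destination_ports(SAMPLE_AUDIT_LOG, rule))
        caveat = port_caveat(rule)
        if caveat:
            print("WARNING:", caveat)
```

Run against the two records on this page it prints the same `freeipa_local` module that `audit2allow` produced, and `destination_ports` returns 56744 and 59912: the peer port differs between runs, so there is no fixed port to relabel with `semanage port`, which is exactly why the generated rule is as broad as the whole `ephemeral_port_t` range and why `port_caveat` flags it.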