Bug 1117739
Summary:           Lots of avc denial messages while installing IPA Server
Product:           Red Hat Enterprise Linux 6
Component:         selinux-policy
Version:           6.6
Hardware:          All
OS:                Linux
Status:            CLOSED ERRATA
Severity:          medium
Priority:          unspecified
Target Milestone:  rc
Keywords:          Reopened
Reporter:          Kaleem <ksiddiqu>
Assignee:          Lukas Vrabec <lvrabec>
QA Contact:        Milos Malik <mmalik>
CC:                alee, dwalsh, jcholast, ksiddiqu, mgrepl, mkosek, mmalik, nalin, rcritten, rmainz
Fixed In Version:  selinux-policy-3.7.19-247.el6
Doc Type:          Bug Fix
Type:              Bug
Bug Blocks:        1123811 (view as bug list)
Last Closed:       2014-10-14 08:03:23 UTC
Description (Kaleem, 2014-07-09 09:49:34 UTC)

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4438

Comment

Can this be an intermittent SELinux policy/labeling error? (CCing Mirek for reference)

I now tested on my 6.6 instance and there were no AVCs after installation:

# rpm -q selinux-policy ipa-server
selinux-policy-3.7.19-244.el6.noarch
ipa-server-3.0.0-42.el6.x86_64
# getenforce
Enforcing
# ipa-server-install -p Secret123 -a Secret123 --setup-dns --forwarder 10.0.0.1
...
# ausearch -m avc -ts today
<no matches>

Would running the test again on an up-to-date system change the outcome?

Comment

================================================================================
With selinux-policy-3.7.19-241.el6.noarch:
================================================================================
[root@rhel66-master ~]# ausearch -m avc -ts today|audit2allow

#============= certmonger_t ==============

#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t, var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t, certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============

#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t

allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= nscd_t ==============
allow nscd_t var_lib_t:file read;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= postfix_pickup_t ==============
allow postfix_pickup_t postfix_pickup_tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@rhel66-master ~]#
[root@rhel66-master ~]# rpm -q ipa-server selinux-policy
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-241.el6.noarch
[root@rhel66-master ~]#

================================================================================
With selinux-policy-3.7.19-244.el6.noarch:
================================================================================
[root@rhel66-master ~]# ausearch -m avc -ts today|audit2allow

#============= prelink_mask_t ==============
allow prelink_mask_t anon_inodefs_t:file { read write };
allow prelink_mask_t dirsrv_var_log_t:file append;
allow prelink_mask_t httpd_tmp_t:file write;
allow prelink_mask_t inotifyfs_t:dir read;
allow prelink_mask_t sssd_var_log_t:file append;
allow prelink_mask_t tmp_t:file relabelfrom;
allow prelink_mask_t user_devpts_t:chr_file { read write };

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
[root@rhel66-master ~]#
[root@rhel66-master ~]# rpm -q ipa-server selinux-policy
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-244.el6.noarch
[root@rhel66-master ~]#

Comment

Thanks. I see the number of AVCs got lower, but there are still some. I will change component to selinux-policy to let Mirek evaluate the bug.

Comment

Could you please attach raw AVC msgs? Also selinux-policy-3.7.19-244.el6.noarch is a release for testing.

Comment

Created attachment 919608 [details]
audit log

Comment

Today, I tested ipa-server-install with selinux-policy-3.7.19-245.el6.noarch. I saw only these 2 AVCs:

# ipa-server-install
# ausearch -m avc -ts today
----
time->Tue Jul 22 22:07:23 2014
type=SYSCALL msg=audit(1406081243.019:3131): arch=c000003e syscall=4 success=no exit=-13 a0=7f25901d1f80 a1=7f2599095e20 a2=7f2599095e20 a3=18 items=0 ppid=1 pid=20308 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=469 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081243.019:3131): avc: denied { search } for pid=20308 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----
time->Tue Jul 22 22:08:34 2014
type=SYSCALL msg=audit(1406081314.224:3140): arch=c000003e syscall=4 success=no exit=-13 a0=7f04dc1d1be0 a1=7f04e4bfce20 a2=7f04e4bfce20 a3=18 items=0 ppid=1 pid=20768 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=469 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081314.224:3140): avc: denied { search } for pid=20768 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir

# ausearch -m avc -ts today | audit2allow

#============= pki_ca_t ==============
allow pki_ca_t tomcat_cache_t:dir search;
# ausearch -m avc -ts today

Ade, doesn't it also require a fix in PKI SELinux policy? I think we discussed it lately as well.

Comment

One of our TCs triggers the same AVC as mentioned in comment#9:

----
time->Tue Jul 22 19:22:17 2014
type=PATH msg=audit(1406049737.747:722): item=0 name="/var/cache/tomcat6/temp" inode=132332 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406049737.747:722): cwd="/var/lib"
type=SYSCALL msg=audit(1406049737.747:722): arch=40000003 syscall=195 success=no exit=-13 a0=6c34ee80 a1=b77699d0 a2=c96ff4 a3=b7606928 items=1 ppid=1 pid=11580 auid=4294967295 uid=487 gid=485 euid=487 suid=487 fsuid=487 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406049737.747:722): avc: denied { search } for pid=11580 comm="java" name="tomcat6" dev=dm-0 ino=132332 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment

Hi Martin,

Yes, this AVC must be fixed in the pki-selinux package; we don't ship this policy in rhel6.

Comment

Ok, I will clone this Bugzilla also for PKI. Thank you!

Comment

*** This bug has been marked as a duplicate of bug 1103674 ***

Comment

I investigated FreeIPA in a more advanced workflow (with selinux-policy-3.7.19-246.el6.noarch) and found additional AVCs. This happens only in a certificate renewal operation on a FreeIPA/PKI replica, after the certificate is renewed on the FreeIPA/PKI master server:

# getcert resubmit -i 20140728233924
Resubmitting "20140728233924" to "dogtag-ipa-retrieve-agent-submit".
# getcert list -n 'subsystemCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20140728233924':
	status: PRE_SAVE_CERT
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='497572453013'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2016-07-17 22:35:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
# getcert list -n 'subsystemCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20140728233924':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='497572453013'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2016-07-18 22:16:33 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes

The operation only succeeded because I had SELinux in permissive mode.

# cat /var/log/audit/audit.log | audit2allow

#============= certmonger_t ==============

#!!!! The source type 'certmonger_t' can write to a 'file' of the following types:
# dirsrv_config_t, certmonger_var_lib_t, certmonger_var_run_t, cert_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t var_run_t:file { setattr read lock create write getattr unlink open };

#============= pki_ca_t ==============
allow pki_ca_t tomcat_cache_t:dir { search getattr };

Jan, do you know what the difference is? Why does certmonger need to access var_run_t on the replica while on the server it does not?

Comment

No idea. Could you please retry in enforcing mode?

Comment

I see certmonger is working with a /var/run/certmonger/tmp-DLg2kv/ccache and SELinux does not like it:

type=AVC msg=audit(1406678726.742:280): avc: denied { getattr } for pid=3544 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

CCing Nalin for reference. This looks like a place where certmonger works with the CCACHE; I assume it should be allowed or have its own context. I will attach the whole audit.log from my FreeIPA PKI clone renewal testing.

Comment

Created attachment 922154 [details]
audit.log reporting certmonger_t AVC on FreeIPA replica

Comment

What does

# rpm -qf /var/run/certmonger

say? We don't have a label for the dir in the policy.

Comment

# rpm -qf /var/run/certmonger
certmonger-0.75.8-1.el6.x86_64

Comment

(In reply to Martin Kosek from comment #17)
> I see certmonger is working with a /var/run/certmonger/tmp-DLg2kv/ccache and
> SELinux does not like it:
>
> type=AVC msg=audit(1406678726.742:280): avc: denied { getattr } for
> pid=3544 comm="dogtag-ipa-retr"
> path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171
> scontext=unconfined_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
>
> CCing Nalin for reference. This looks like a place where certmonger works
> with the CCACHE, I assume it should be allowed or have an own context. I
> will attach whole audit.log from my FreeIPA PKI clone renewal testing.

It looks like dogtag-ipa-retrieve-agent-submit is creating a cache for its use under $TMPDIR, which certmonger sets to /var/run/certmonger. It could use an in-memory cache (type "MEMORY" instead of type "FILE") and save itself the work of cleaning up the cache when it's done.

Comment

Ah, I see:

./install/certmonger/dogtag-ipa-retrieve-agent-submit:
...
    # Update or add it
    tmpdir = tempfile.mkdtemp(prefix = "tmp-")
    try:
...
        ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
...
    finally:
        shutil.rmtree(tmpdir)

Jan, can we change it to a MEMORY CCACHE? This is apparently an IPA-specific operation, so I do not think we need to add this rule to the global SELinux policy. If yes, I will move this to the IPA component and get the ACKs.

Comment

We could, but IMO /var/run/certmonger should be labelled correctly as certmonger_var_run_t anyway, since it is in fact owned by certmonger, right? Someone might use their own CA helper and/or pre-/post-save scripts which create temporary files and end up in the same situation.

Comment

True, both approaches would work for me.

Mirek, I will leave that up to you if you are OK adding a new context for certmonger and thus enabling other potential scripting for certmonger.

Comment

commit ec004f7709aea4ee2aa5f75a7a6626cc39f41fea
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jul 29 15:58:39 2014 +0200

    Fix labeling for /var/run/certmonger.

Yes. The fix is a part of this release.

Comment

Great, it works:

# rpm -q selinux-policy
selinux-policy-3.7.19-247.el6.noarch
# ls -laZ /var/run/certmonger
drwxr-xr-x. root root system_u:object_r:certmonger_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .config
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .ipa
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .pki

This bug is therefore fixed and only Bug 1123811 (pki-core) remains.

Comment

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-247.el6.noarch
selinux-policy-3.7.19-247.el6.noarch
#

----
time->Fri Aug 1 11:14:53 2014
type=PATH msg=audit(1406884493.073:117): item=0 name="/var/cache/tomcat6/temp" inode=2093647 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406884493.073:117): cwd="/var/lib"
type=SYSCALL msg=audit(1406884493.073:117): arch=c000003e syscall=4 success=no exit=-13 a0=7f4e301a6570 a1=7f4e35fb0e20 a2=7f4e35fb0e20 a3=18 items=1 ppid=1 pid=3937 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406884493.073:117): avc: denied { search } for pid=3937 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

The same automated TC, the same machine, but in permissive mode:

----
time->Fri Aug 1 11:34:56 2014
type=PATH msg=audit(1406885696.891:163): item=0 name="/var/cache/tomcat6/temp" inode=2093649 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406885696.891:163): cwd="/var/lib"
type=SYSCALL msg=audit(1406885696.891:163): arch=c000003e syscall=4 success=yes exit=0 a0=7f8c941e2080 a1=7f8c98a57e20 a2=7f8c98a57e20 a3=18 items=1 ppid=1 pid=9317 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406885696.891:163): avc: denied { getattr } for pid=9317 comm="java" path="/var/cache/tomcat6/temp" dev=dm-0 ino=2093649 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=AVC msg=audit(1406885696.891:163): avc: denied { search } for pid=9317 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment

These AVCs are being fixed in Bug 1123811 (as the problem is not in the system SELinux policy). The current development build of pki-core I tested removed them both.

Comment

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
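The last two test-case comments above capture the same stat() call once in enforcing mode (one AVC: search) and once in permissive mode (two AVCs: getattr and search), and the thread leans on audit2allow throughout to collapse raw records into rules. The script below is an added example for this page, not code from selinux-policy, certmonger, pki-core or FreeIPA: it parses raw `ausearch -m avc` records, pairs each AVC with its SYSCALL record to tell an enforced denial (success=no exit=-13) from one merely logged in permissive mode (success=yes), emits audit2allow-style allow lines, and lists the permissions that only surfaced in permissive mode because the first denied check aborts the syscall when enforcing. The embedded sample is the three events quoted in this report (serials 117, 163 and 280), trimmed of fields the parser does not read; the function names are my own.

```python
"""Summarise raw AVC records and tell enforced denials from permissive ones.

Added example for this bug report; not part of selinux-policy, certmonger,
pki-core or FreeIPA.  Function names are the example author's own.
"""
import re
from collections import defaultdict

# Constructed input: three events quoted in the report, one record per line as
# `ausearch -m avc` prints them, with unused fields trimmed.  Serial 117 was
# captured in enforcing mode and 163 in permissive mode on the same machine;
# 280 is the certmonger ccache denial, for which only the AVC line was pasted.
SAMPLE_AUDIT = """\
----
time->Fri Aug  1 11:14:53 2014
type=SYSCALL msg=audit(1406884493.073:117): arch=c000003e syscall=4 success=no exit=-13 pid=3937 uid=496 comm="java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406884493.073:117): avc:  denied  { search } for  pid=3937 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----
time->Fri Aug  1 11:34:56 2014
type=SYSCALL msg=audit(1406885696.891:163): arch=c000003e syscall=4 success=yes exit=0 pid=9317 uid=496 comm="java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406885696.891:163): avc:  denied  { getattr } for  pid=9317 comm="java" path="/var/cache/tomcat6/temp" dev=dm-0 ino=2093649 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=AVC msg=audit(1406885696.891:163): avc:  denied  { search } for  pid=9317 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----
type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for  pid=3544 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

RECORD_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]+)\} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
SYSCALL_RE = re.compile(r'success=(yes|no) exit=(-?\d+)')


def _type_of(context):
    """user:role:type:level -> type; the third field regardless of MLS/MCS suffix."""
    return context.split(':')[2]


def parse_events(text):
    """Group records by audit serial: {serial: {'syscall': {...}|None, 'avcs': [...]}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue                       # '----' separators and 'time->' lines
        rtype, _ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {'syscall': None, 'avcs': []})
        if rtype == 'SYSCALL':
            s = SYSCALL_RE.search(body)
            if s:
                ev['syscall'] = {'success': s.group(1) == 'yes', 'exit': int(s.group(2))}
        elif rtype == 'AVC':
            a = AVC_RE.search(body)
            if a:                          # skips 'granted' records and odd lines
                ev['avcs'].append({'perms': frozenset(a.group(1).split()),
                                   'stype': _type_of(a.group(2)),
                                   'ttype': _type_of(a.group(3)),
                                   'tclass': a.group(4)})
    return events


def enforcement_mode(event):
    """'enforcing' if the denied call failed with EACCES/EPERM, 'permissive' if the
    call went through anyway, None when there is no SYSCALL record to pair with or
    the call failed for an unrelated reason (do not guess)."""
    sc = event['syscall']
    if sc is None:
        return None
    if sc['success']:
        return 'permissive'
    if sc['exit'] in (-13, -1):            # -EACCES, -EPERM
        return 'enforcing'
    return None


def _merge(events, modes=None):
    """Union of denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for ev in events.values():
        if modes is not None and enforcement_mode(ev) not in modes:
            continue
        for a in ev['avcs']:
            merged[(a['stype'], a['ttype'], a['tclass'])] |= a['perms']
    return merged


def allow_rules(events, modes=None):
    """audit2allow-style rules, optionally restricted to events in the given modes."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(_merge(events, modes).items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else '{ %s }' % ' '.join(plist)
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, body))
    return rules


def hidden_by_enforcing(events):
    """Permissions seen only in permissive-mode events.  In enforcing mode the first
    denied check (search on /var/cache/tomcat6) fails the syscall, so the later check
    on the same path (getattr on .../temp) is never reached; a rule written from the
    enforcing-mode log alone would miss it."""
    enforced = _merge(events, {'enforcing'})
    return {key: perms - enforced[key]
            for key, perms in _merge(events, {'permissive'}).items()
            if perms - enforced[key]}


if __name__ == '__main__':
    evs = parse_events(SAMPLE_AUDIT)
    for serial in sorted(evs):
        print(serial, enforcement_mode(evs[serial]))
    print('\n'.join(allow_rules(evs)))
    print(hidden_by_enforcing(evs))
```

Run as-is it reports on the embedded records; for a live box feed it the text of `ausearch -m avc -ts today` through parse_events(). The point of the enforcing/permissive split is the one the two test-case comments make implicitly: a rule derived only from the enforcing-mode log would allow search but not getattr, and the next run in enforcing mode would still fail one step later.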