Bug 1127211

Summary: ipa-server-install --uninstall produces avc
Product: Red Hat Enterprise Linux 6
Reporter: David Spurek <dspurek>
Component: ipa
Assignee: Pavel Picka <ppicka>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Priority: medium
Version: 6.5
CC: dpal, ebenes, ksiddiqu, mbasti, mgrepl, pkis, ppicka, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-49.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-11 00:07:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: evidence (flags: none)

Description David Spurek 2014-08-06 12:00:32 UTC
Description of problem:
ipa-server-install --uninstall --unattended produces avc

type=PATH msg=audit(1407325419.347:1424): item=0 name="/etc/resolv.conf" inode=2225697 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1407325419.347:1424):  cwd="/"
type=SYSCALL msg=audit(1407325419.347:1424): arch=c000003e syscall=2 success=no exit=-13 a0=7f148bfb685a a1=0 a2=1b6 a3=2 items=1 ppid=1 pid=1300 auid=0 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=97 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1407325419.347:1424): avc:  denied  { read } for  pid=1300 comm="nscd" name="resolv.conf" dev=dm-0 ino=2225697 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-42.el6
selinux-policy-3.7.19-247.el6

How reproducible:
always

Steps to Reproduce:
1. install nscd package
2. install ipa-server
3. nscd service is stopped
4. ipa-server-install --uninstall

Actual results:
'ipa-server-install --uninstall' starts the nscd service and then an AVC appears while unconfiguring named and the web server

Expected results:
no avc

Additional info:

Comment 2 Rob Crittenden 2014-08-06 16:20:01 UTC
Your steps are incomplete. I assume you are configuring IPA with DNS? What are the exact options you are passing to the installer.

Are you sure this is a regression?

I have the feeling the SELinux context isn't being restored for /etc/resolv.conf. What is the context before installation, after installation and after uninstall?

Comment 3 David Spurek 2014-08-06 16:44:09 UTC
The SELinux context of /etc/resolv.conf is the same before and after installation, I checked it.

ls -lZ /etc/resolv.conf 
-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/resolv.conf

Maybe its context is changed for a while and restored immediately with restorecon, I don't know.

I am quite sure that this is a regression, I didn't see this AVC with RHEL 6.5.
I may check it.

I don't configure IPA with DNS (if DNS still isn't the default option). I use the following command:
ipa-server-install --hostname=`hostname` -r "TESTREALM" -n `hostname -d` -p "Secret123" -P "Secret123" -a "Secret123" --unattended --ip-address `hostname -I`

Comment 4 Martin Kosek 2014-08-07 07:41:30 UTC
(In reply to David Spurek from comment #3)
...
> I am quite sure that this is a regression, I didn't see this avc with rhel
> 6.5.
> I may check it.

Please do. The uninstall part did not change in RHEL-6.6, maybe nscd changed.

My best bet is that nscd has an INOTIFY enabled on the resolv.conf after being started in "Removing IPA client configuration". When resolv.conf is then being restored from /var/lib/ipa/... (note the SELinux context var_lib_t) in "Unconfiguring named", nscd tries to read resolv.conf before its context is restored as a next step:

# restorecon -Fvv /etc/resolv.conf
restorecon reset /etc/resolv.conf context unconfined_u:object_r:net_conf_t:s0->system_u:object_r:net_conf_t:s0

# ipa-server-install --uninstall --unattended
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached

# ausearch -m AVC -ts today
----
time->Thu Aug  7 03:01:29 2014
type=SYSCALL msg=audit(1407394889.954:923): arch=c000003e syscall=2 success=no exit=-13 a0=7f4be83b985a a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=3825 auid=0 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=89 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1407394889.954:923): avc:  denied  { read } for  pid=3825 comm="nscd" name="resolv.conf" dev=dm-1 ino=141639 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Thu Aug  7 03:01:29 2014
type=SYSCALL msg=audit(1407394889.954:924): arch=c000003e syscall=2 success=no exit=-13 a0=7f4be83b985a a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=3825 auid=0 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=89 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1407394889.954:924): avc:  denied  { read } for  pid=3825 comm="nscd" name="resolv.conf" dev=dm-1 ino=141639 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

# ls -lZ /etc/resolv.conf
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/resolv.conf

The AVCs seem to be benign though:

# service nscd status
nscd (pid 3825) is running...

Comment 5 David Spurek 2014-08-07 13:30:31 UTC
Update for comment#3, you are right Rob, I am using setup with DNS:
ipa-server-install --hostname=`hostname` -r "TESTREALM" -n `hostname -d` -p "Secret123" -P "Secret123" -a "Secret123" --unattended --ip-address `hostname -I` --setup-dns --no-forwarders

I tried downgrading ipa-server to ipa-server-3.0.0-37.el6 and I see AVCs as well.
So probably another component changed.

Comment 6 Dmitri Pal 2014-08-07 13:44:02 UTC
So if this is not a regression should it be reassigned to some other package?

Comment 7 Martin Kosek 2014-08-07 13:52:17 UTC
It may still be a regression, just not caused by IPA package.

David, what leads you to Regression keyword then? Did you try to downgrade selinux-policy and nscd package to RHEL-6.5 variants and saw that the AVC goes away? If this is the case and we know what package caused it, we have our villain.

Comment 8 David Spurek 2014-08-08 05:14:56 UTC
Yes, it should be reassigned to other package but I have to determine which package.

I added the Regression keyword because I haven't seen these AVCs on a RHEL 6.5 system, so some package has to have changed. I tried downgrading authconfig but it is OK.
selinux-policy and nscd are the next candidates, I will check them.

Comment 9 David Spurek 2014-08-08 09:47:18 UTC
I downgraded nscd, glibc, bind, selinux-policy. I still see AVCs.
I don't know what the 'Unconfiguring named' part of the uninstall script does.
Do you have any other hints on what packages I can try to downgrade?

Comment 10 Martin Kosek 2014-08-08 12:38:57 UTC
Hm, to me, these packages seem to be most of the packages involved in the process. Are you sure that AVCs cannot be seen in this scenario when tested on a 6.5 snapshot?

(In reply to David Spurek from comment #9)
> I don't know what 'Unconfiguring named' part of uninstall script do.

'Unconfiguring named' restores /etc/named.conf and /etc/resolv.conf from a backup in /var/lib/ipa/... and restores their SELinux context afterwards. Check ipaserver-uninstall.log for details.

It also stops and disables named.service.

Comment 11 David Spurek 2014-08-08 14:35:58 UTC
I tried this issue on RHEL 6.5 and I still see the AVCs. Unfortunately I didn't see these messages before, so I expected this to be a 'Regression'. Sorry for the confusion.

Comment 13 Martin Kosek 2014-08-11 13:42:53 UTC
Ok, thanks. I wonder though what the proper way to fix it is.

This is the task:
- we have a backup of resolv.conf in /var/lib/... with var_lib_t context
- we want to restore it to /etc/resolv.conf and restore the SELinux context as well
- we seem to need to do that atomically because programs like nscd can have INOTIFY on that file and touch it between the move and context restoration steps.

CCing Mirek to advise.

Comment 15 Martin Kosek 2014-09-24 10:57:00 UTC
Mirek, any help on this one (see Comment 13)? Is this something solvable or should we just close as CANTFIX?

Comment 16 Miroslav Grepl 2014-09-24 11:25:33 UTC
Is ipa-server-install running as unconfined_t? Do you just move it from /var/lib to /etc using "mv"?

Comment 17 Martin Kosek 2014-09-24 11:41:00 UTC
(In reply to Miroslav Grepl from comment #16)
> Is ipa-server-install running as unconfined_t?

Yes:

# ps axZ
...
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5163 pts/2 S+   0:00 /usr/bin/python -E /usr/sbin/ipa-server-install

> Do you just move it from
> /var/lib to /etc using "mv"?

Yes - by mv (well, Python variant of it) and then restorecon.

Comment 18 Miroslav Grepl 2014-10-03 12:27:15 UTC
The point is we could run "mv -Z".

Comment 19 Martin Kosek 2014-10-03 13:13:23 UTC
If this were an atomic, INOTIFY-proof operation, it could work.

However, my mv (coreutils-8.21-21.fc20.x86_64) does not have any -Z option:

# mv -Z /var/lib/ipa/sysrestore/58ef664b3f90b963-resolv.conf /etc/resolv.conf
mv: invalid option -- 'Z'
Try 'mv --help' for more information.
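
The restore that Comment 13 asks for, and that Comments 18 and 19 try to get from `mv -Z`, can be done without a special mv option by labelling the file before it becomes visible under its final name and then renaming it into place. This is an added example, not FreeIPA's sysrestore code: it assumes the libselinux Python bindings (`selinux.matchpathcon` / `selinux.setfilecon`) for the default labeller, and the label step is pluggable so the ordering can be exercised on a host without SELinux.

```python
import os
import shutil
import stat
import tempfile


def selinux_label_like(path, reference):
    """Give `path` the label policy expects for `reference`.
    Assumes the libselinux Python bindings (python-libselinux)."""
    import selinux
    mode = os.stat(path).st_mode
    rc, context = selinux.matchpathcon(reference, mode)
    if rc != 0:
        raise OSError("no default SELinux context known for %s" % reference)
    selinux.setfilecon(path, context)


def restore_file_atomically(backup_path, dest_path, label_fn=selinux_label_like):
    """Restore `backup_path` to `dest_path` so that no reader (inotify-driven
    or not) can ever open the destination while it still carries the backup's
    label, e.g. var_lib_t on a copy kept under /var/lib.

    The order is the whole point: copy into a hidden temp file in the
    destination directory, fix mode, owner and label on that temp file, and
    only then rename() it over the destination. rename() is atomic within a
    filesystem, so a watcher sees either the old inode or the new one, which
    is already correctly labelled; there is no window in between.
    """
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".restore-", dir=dest_dir)
    try:
        with open(backup_path, "rb") as src, os.fdopen(fd, "wb") as dst:
            shutil.copyfileobj(src, dst)
            dst.flush()
            os.fsync(dst.fileno())
        st = os.stat(backup_path)
        os.chmod(tmp_path, stat.S_IMODE(st.st_mode))
        os.chown(tmp_path, st.st_uid, st.st_gid)
        # Label while the file is still invisible under its final name.
        label_fn(tmp_path, dest_path)
        os.rename(tmp_path, dest_path)
    except BaseException:
        # Never leave a half-prepared copy behind in /etc on failure.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return dest_path
```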

Comment 20 Miroslav Grepl 2014-10-13 13:48:58 UTC
It is by default in F21.

Comment 24 Petr Vobornik 2015-03-17 11:37:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4923

Comment 25 Petr Vobornik 2015-03-17 11:39:49 UTC
related RHEL7 bug: 1195339

Comment 28 Pavel Picka 2016-02-22 19:12:02 UTC
Created attachment 1129468 [details]
evidence

Verified

3.0.0-50.el6

Comment 30 errata-xmlrpc 2016-05-11 00:07:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0874.html