Bug 1155329

Summary: SELinux is preventing named from create access on the file DNS_25 (during FreeIPA deployment via rolekit, F21 Beta TC4)
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 21
CC: dwalsh, robatino, sgallagh
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-90.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-28 21:49:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1043124

Description Adam Williamson 2014-10-21 21:39:30 UTC
This is another SELinux denial encountered when deploying FreeIPA via rolekit in Fedora 21 Beta TC4, following https://fedorahosted.org/rolekit/wiki/DomainController.

SELinux is preventing named from create access on the file DNS_25.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that named should be allowed create access on the DNS_25 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                DNS_25 [ file ]
Source                        named
Source Path                   named
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:50 PDT
Last Seen                     2014-10-21 13:34:50 PDT
Local ID                      d6fce4df-a924-47d1-994f-57d618e54c80
 
Raw Audit Messages
type=AVC msg=audit(1413923690.828:576): avc:  denied  { create } for  pid=6344 comm="named" name="DNS_25" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1
 
 
Hash: named,named_t,krb5_host_rcache_t,file,create

There is a corresponding denial for { open }:

SELinux is preventing named from open access on the file /var/tmp/DNS_25.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that named should be allowed open access on the DNS_25 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/DNS_25 [ file ]
Source                        named
Source Path                   named
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:50 PDT
Last Seen                     2014-10-21 13:34:50 PDT
Local ID                      a17f4b50-0a77-4be7-aa2f-5dc1c91524f2
 
Raw Audit Messages
type=AVC msg=audit(1413923690.829:577): avc:  denied  { open } for  pid=6344 comm="named" path="/var/tmp/DNS_25" dev="dm-2" ino=271063 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1
 
 
Hash: named,named_t,krb5_host_rcache_t,file,open

This denial occurs very close in time to the one from #1155304, and the relevant journal snippet is about the same:

Oct 21 13:34:45 ipa001.domain.local roled[3817]: 2014-10-21 13:34:45 ERROR: ipa         : DEBUG    args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'domain.local' '--server' 'ipa001.domain.local' '--realm' 'DOMAIN.LOCAL' '--hostname' 'ipa001.domain.local'
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00000000 utils.c:87:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00027921 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003571 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003844 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003981 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00057417 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003654 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005025 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00006426 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004724 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004551 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005456 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004838 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 01913391 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00007573 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00006100 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005847 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005779 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00081112 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004950 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004485 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004236 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004164 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:51 ipa001.domain.local kernel: traps: nsupdate[6430] trap stack segment ip:7f4f28fbb64f sp:7f4f246fe0d0 error:0
Oct 21 13:34:52 ipa001.domain.local abrt-hook-ccpp[6431]: Saved core dump of pid 6427 (/usr/bin/nsupdate) to /var/tmp/abrt/ccpp-2014-10-21-13:34:51-6427 (44654592 bytes)
Oct 21 13:34:53 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/tog-pegasus.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:53 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local abrt-server[6433]: Generating core_backtrace
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/tog-pegasus.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.timer is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Failed to reset devices.list on /system.slice: Invalid argument
Oct 21 13:34:55 ipa001.domain.local sssd[6521]: Starting up

I'm not sure of the exact consequences of this denial: I hit it in Permissive mode, and can't test in Enforcing because the deployment will fail earlier due to #1155301. Nominating as a Beta blocker on the possibility that it may cause deployment to fail:

"Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles

Comment 1 Adam Williamson 2014-10-22 17:33:47 UTC
Discussed at 2014-10-22 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt. Accepted as a blocker per cited criterion - though it's hard to be sure if this actually prevents deployment since there are other selinux bugs 'in front' of it. We can re-vote if those are fixed and it turns out this one is only trivial.

Comment 2 Miroslav Grepl 2014-10-22 18:10:34 UTC
commit 21ad46cb843b032a756abd464ea7de1126f1e8f1
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 22 20:09:24 2014 +0200

    Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
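As an added illustration (not code from this bug, the selinux-policy package or audit2allow), the following script parses the two raw AVC records quoted in the description, merges them into the type-enforcement rule that audit2allow would write for the named_t -> krb5_host_rcache_t access the fix in comment 2 addresses, and reads the permissive=1 flag that shows why these records alone could not have stopped the deployment. The only input is the two audit lines copied verbatim from the report.

```python
import re
from collections import defaultdict

# Sample input: the two raw AVC records quoted in the bug description,
# embedded here verbatim so the script runs offline.
AVC_LINES = [
    'type=AVC msg=audit(1413923690.828:576): avc:  denied  { create } for  pid=6344 comm="named" name="DNS_25" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1413923690.829:577): avc:  denied  { open } for  pid=6344 comm="named" path="/var/tmp/DNS_25" dev="dm-2" ino=271063 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1',
]

_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict: 'perms' (list) plus every key=value
    field with quotes stripped. Returns None for records that are not denials."""
    m = _PERMS.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw, quoted in _FIELD.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def type_of(context):
    """Third field of a security context: system_u:system_r:named_t:s0 -> named_t."""
    return context.split(":")[2]

def allow_rules(lines):
    """Merge denials into TE allow rules keyed by (source type, target type,
    class), the shape 'audit2allow -M mypol' writes into mypol.te."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

def actually_denied(lines):
    """Records with permissive=0: the access was refused. permissive=1 means the
    kernel logged the denial but let the operation proceed, which is why these
    two records by themselves could not break the deployment."""
    return [r for r in filter(None, map(parse_avc, lines)) if r.get("permissive") == "0"]

if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
    print("refused in this run:", len(actually_denied(AVC_LINES)))
```

Running the same parser over an audit.log captured in Enforcing mode would list the records that were actually refused, which is the check the reporter could not perform here.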

Comment 3 Fedora Update System 2014-10-22 22:01:29 UTC
selinux-policy-3.13.1-90.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21

Comment 4 Fedora Update System 2014-10-23 16:20:50 UTC
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).

Comment 5 Adam Williamson 2014-10-27 18:15:50 UTC
sgallagh reported success in verifying the fix with Beta RC1: marking as VERIFIED.

Comment 6 Fedora Update System 2014-10-28 21:49:46 UTC
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.