Bug 1195339

Summary: ipa-client-install changes the label on various files which causes SELinux denials
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: ipa
Assignee: Pavel Picka <ppicka>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: jcholast, lvrabec, mbasti, mgrepl, mmalik, plautrba, ppicka, pvoborni, pvrabec, rcritten, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 12:01:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
- audit messages produced by special policy module (flags: none)
- Verify log for bz (flags: none)

Description Patrik Kis 2015-02-23 15:41:41 UTC
Description of problem:
The following AVC denial appeared during testing:

----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:692): arch=c000003e syscall=21 success=no exit=-13 a0=7fb175c03338 a1=4 a2=10 a3=fffffffffffff558 items=0 ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:692): avc:  denied  { read } for  pid=15958 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=203775716 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:693): arch=c000003e syscall=4 success=no exit=-13 a0=7fb175c2c4a8 a1=7fffb8a58000 a2=7fffb8a58000 a3=0 items=0 ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:693): avc:  denied  { getattr } for  pid=15958 comm="sssd_be" pa

The issue could not be reproduced.
Not sure if anything can be done about it if there is no reproducer; feel free to close it if the root cause cannot be found.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.el7
sssd-1.12.2-58.el7
ipa-client-4.1.0-18.el7

How reproducible:
appeared only once


Some additional info:

# semanage fcontext -l |grep realmd_var_lib_t
/var/lib/ipa-client(/.*)?                          all files          system_u:object_r:realmd_var_lib_t:s0 
# rpm -qf /var/lib/ipa-client
ipa-client-4.1.0-18.el7.s390x
# ls -la /var/lib/ipa-client/
total 4
drwxr-xr-x.  3 root root   23 Feb 23 05:16 .
drwxr-xr-x. 42 root root 4096 Feb 23 05:47 ..
drwxr-xr-x.  2 root root    6 Jan 30 10:47 sysrestore
# ls -la /var/lib/ipa-client/sysrestore/
total 0
drwxr-xr-x. 2 root root  6 Jan 30 10:47 .
drwxr-xr-x. 3 root root 23 Feb 23 05:16 ..

Comment 2 Milos Malik 2015-02-24 08:33:15 UTC
The /etc/krb5.conf file is obviously mislabeled, but the question is which process mislabeled it:
----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:692): arch=c000003e syscall=21 success=no exit=-13 a0=7fb175c03338 a1=4 a2=10 a3=fffffffffffff558 items=0 ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:692): avc:  denied  { read } for  pid=15958 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=203775716 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:693): arch=c000003e syscall=4 success=no exit=-13 a0=7fb175c2c4a8 a1=7fffb8a58000 a2=7fffb8a58000 a3=0 items=0 ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:693): avc:  denied  { getattr } for  pid=15958 comm="sssd_be" path="/etc/krb5.conf" dev="dm-0" ino=203775716 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
----

# matchpathcon /etc/krb5.conf
/etc/krb5.conf	system_u:object_r:krb5_conf_t:s0
#

Comment 3 Milos Malik 2015-02-24 09:35:54 UTC
Created attachment 994637 [details]
audit messages produced by special policy module

Comment 4 Patrik Kis 2015-02-24 09:38:49 UTC
Here are some more details:

The issue is caused by /usr/sbin/ipa-client-install when the machine is unenrolled from the IPA domain. But the AVC appears only from time to time, when another process tries to access the affected file.
Other configuration files are affected too, like ntp.conf and /etc/nsswitch.conf.

type=SYSCALL msg=audit(1424767029.770:127906): arch=c000003e syscall=82 success=yes exit=0 a0=1b1dd70 a1=146a5a0 a2=7f6c3d729f88 a3=fffffff0 items=5 ppid=23379 pid=24565 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1424767029.770:127906):  cwd="/"
type=PATH msg=audit(1424767029.770:127906): item=0 name="/var/lib/ipa-client/sysrestore/" inode=68984173 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=PARENT
type=PATH msg=audit(1424767029.770:127906): item=1 name="/etc/" inode=134309313 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1424767029.770:127906): item=2 name="/var/lib/ipa-client/sysrestore/5b26b063fa2d52ce-krb5.conf" inode=68893890 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=DELETE
type=PATH msg=audit(1424767029.770:127906): item=3 name="/etc/krb5.conf" inode=137256515 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:krb5_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1424767029.770:127906): item=4 name="/etc/krb5.conf" inode=68893890 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=CREATE
type=AVC msg=audit(1424767029.772:127907): avc:  denied  { read } for  pid=24738 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=68893890 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1424767029.772:127907): arch=c000003e syscall=21 success=no exit=-13 a0=7f7234b4c388 a1=4 a2=e a3=12 items=1 ppid=24737 pid=24738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=CWD msg=audit(1424767029.772:127907):  cwd="/"
type=PATH msg=audit(1424767029.772:127907): item=0 name="/etc/krb5.conf" inode=68893890 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=NORMAL
type=AVC msg=audit(1424767029.772:127908): avc:  denied  { getattr } for  pid=24738 comm="sssd_be" path="/etc/krb5.conf" dev="dm-0" ino=68893890 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1424767029.772:127908): arch=c000003e syscall=4 success=no exit=-13 a0=7f7234b751d8 a1=7fff772ca2b0 a2=7fff772ca2b0 a3=0 items=1 ppid=24737 pid=24738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=CWD msg=audit(1424767029.772:127908):  cwd="/"
type=PATH msg=audit(1424767029.772:127908): item=0 name="/etc/krb5.conf" inode=68893890 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=NORMAL
type=AVC msg=audit(1424767029.772:127909): avc:  denied  { read } for  pid=24738 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=68893890 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1424767029.772:127909): arch=c000003e syscall=21 success=no exit=-13 a0=7f7234b4c388 a1=4 a2=e a3=0 items=1 ppid=24737 pid=24738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=CWD msg=audit(1424767029.772:127909):  cwd="/"
type=PATH msg=audit(1424767029.772:127909): item=0 name="/etc/krb5.conf" inode=68893890 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=NORMAL
type=AVC msg=audit(1424767029.772:127910): avc:  denied  { getattr } for  pid=24738 comm="sssd_be" path="/etc/krb5.conf" dev="dm-0" ino=68893890 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
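As an added example, not part of this report or of FreeIPA: a small Python check that walks audit records, groups them by event id, and flags any event in which one path is DELETEd and CREATEd with a different SELinux type, which is the signature of the rename above. The sample records are the report's event 127906, trimmed to the fields the check reads.

```python
import re
from collections import defaultdict

# Constructed sample: the records of audit event 127906 from the report, trimmed
# to the fields this check reads (the rename that put the backup inode, still
# labelled realmd_var_lib_t, in place of /etc/krb5.conf).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1424767029.770:127906): arch=c000003e syscall=82 success=yes exit=0 items=5 pid=24565 comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1424767029.770:127906): item=2 name="/var/lib/ipa-client/sysrestore/5b26b063fa2d52ce-krb5.conf" inode=68893890 dev=fd:00 mode=0100644 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=DELETE
type=PATH msg=audit(1424767029.770:127906): item=3 name="/etc/krb5.conf" inode=137256515 dev=fd:00 mode=0100644 obj=system_u:object_r:krb5_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1424767029.770:127906): item=4 name="/etc/krb5.conf" inode=68893890 dev=fd:00 mode=0100644 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=CREATE
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    match = EVENT_RE.search(line)
    fields['event'] = match.group(1) if match else None
    return fields


def selinux_type(context):
    """'system_u:object_r:krb5_conf_t:s0' -> 'krb5_conf_t'."""
    return context.split(':')[2]


def find_label_changes(audit_text):
    """Report every event in which a path was deleted and re-created with a
    different SELinux type, i.e. a rename() that carried a foreign label in."""
    events = defaultdict(list)
    for line in audit_text.splitlines():
        record = parse_record(line)
        if record['event']:
            events[record['event']].append(record)
    findings = []
    for event_id, records in events.items():
        syscall = next((r for r in records if r['type'] == 'SYSCALL'), {})
        paths = [r for r in records if r['type'] == 'PATH']
        deleted = {r['name']: selinux_type(r['obj'])
                   for r in paths if r.get('objtype') == 'DELETE'}
        for r in paths:
            if r.get('objtype') != 'CREATE' or r['name'] not in deleted:
                continue
            new_type = selinux_type(r['obj'])
            if new_type != deleted[r['name']]:
                findings.append({'event': event_id, 'path': r['name'],
                                 'comm': syscall.get('comm'),
                                 'old_type': deleted[r['name']], 'new_type': new_type})
    return findings
```

Run it over `ausearch -i`-free raw output (`/var/log/audit/audit.log`) to find the process that relabelled a file before the first AVC appears.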

Comment 5 Milos Malik 2015-02-24 09:39:37 UTC
BTW the ipa-client-install program changes the context of the following files:
/etc/krb5.conf
/etc/nsswitch.conf
/etc/ntp.conf
/etc/ntp/step-tickers
/etc/openldap/ldap.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/sssd/sssd.conf
/etc/sssd/sssd.conf.bkp
/etc/sysconfig/ntpd

Comment 6 Patrik Kis 2015-02-24 10:52:01 UTC
One more note to this bug report:

Currently /usr/sbin/ipa-client-install tries to restore the context after the file has been moved, but sssd reads the file right between the move and the context restore:

type=SYSCALL msg=audit(1424772873.772:129716): arch=c000003e syscall=82 success=yes exit=0 a0=139b670 a1=dc6710 a2=7f8bb3e57f88 a3=0 items=5 ppid=17957 pid=18828 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-client-inst" exe="/usr/bin/python2.7" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key="KRB5.CONF"
type=CWD msg=audit(1424772873.772:129716):  cwd="/"
type=PATH msg=audit(1424772873.772:129716): item=0 name="/var/lib/ipa-client/sysrestore/" inode=68984173 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=PARENT
type=PATH msg=audit(1424772873.772:129716): item=1 name="/etc/" inode=134309313 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1424772873.772:129716): item=2 name="/var/lib/ipa-client/sysrestore/a34358ae23721cf6-krb5.conf" inode=68893893 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=DELETE
type=PATH msg=audit(1424772873.772:129716): item=3 name="/etc/krb5.conf" inode=136224343 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:krb5_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1424772873.772:129716): item=4 name="/etc/krb5.conf" inode=68893893 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=CREATE
type=AVC msg=audit(1424772873.781:129717): avc:  denied  { read } for  pid=19002 comm="sssd_be" name="krb5.conf" dev="dm-0" ino=68893893 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1424772873.781:129717): arch=c000003e syscall=21 success=no exit=-13 a0=7f55ea630b98 a1=4 a2=e a3=0 items=1 ppid=19001 pid=19002 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=CWD msg=audit(1424772873.781:129717):  cwd="/"
type=PATH msg=audit(1424772873.781:129717): item=0 name="/etc/krb5.conf" inode=68893893 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=NORMAL
type=AVC msg=audit(1424772873.781:129718): avc:  denied  { getattr } for  pid=19002 comm="sssd_be" path="/etc/krb5.conf" dev="dm-0" ino=68893893 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1424772873.781:129718): arch=c000003e syscall=4 success=no exit=-13 a0=7f55ea649b88 a1=7fff58ab6c80 a2=7fff58ab6c80 a3=0 items=1 ppid=19001 pid=19002 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=CWD msg=audit(1424772873.781:129718):  cwd="/"
type=PATH msg=audit(1424772873.781:129718): item=0 name="/etc/krb5.conf" inode=68893893 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(1424772873.788:129719): arch=c000003e syscall=189 success=yes exit=0 a0=7f8287dea1c0 a1=7f8286eb077e a2=7f8287deb5e0 a3=21 items=1 ppid=18828 pid=19014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key="SET-EXTATTR"
type=CWD msg=audit(1424772873.788:129719):  cwd="/"
type=PATH msg=audit(1424772873.788:129719): item=0 name="/etc/krb5.conf" inode=68893893 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:realmd_var_lib_t:s0 objtype=NORMAL



The issue appears when the machine was previously enrolled in both an AD and an IPA domain, and then, when the IPA client is uninstalled, sssd is supposed to keep running.

It probably could be fixed if the config files from the backup were copied rather than moved and then relabeled. In that case a new file would be created with the correct label, or, if the original file exists, just its content would be updated and no relabeling would be needed.
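Added example illustrating the copy-instead-of-move restore proposed in this comment; it is not FreeIPA's code, and the function names and scratch paths are assumptions. On a host without SELinux the demo can only show the property that decides the label: an in-place restore keeps the target's inode, while rename() replaces it with the backup's inode and whatever label that inode carries.

```python
import os
import shutil
import tempfile


def restore_by_move(backup, target):
    """The variant the report describes: rename() the backup over the target.
    The backup inode, still realmd_var_lib_t, is the live file until restorecon."""
    os.rename(backup, target)


def restore_in_place(backup, target):
    """Restore without moving the backup inode. An existing target is overwritten
    in place, so its inode and SELinux label are untouched; a missing target is
    created inside its own directory, so it gets the label new files get there."""
    if os.path.exists(target):
        with open(backup, 'rb') as src, open(target, 'r+b') as dst:
            shutil.copyfileobj(src, dst)
            dst.truncate()  # cut off any tail left from longer old content
            os.fsync(dst.fileno())
    else:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target) or '.')
        try:
            with os.fdopen(fd, 'wb') as dst, open(backup, 'rb') as src:
                shutil.copyfileobj(src, dst)
            shutil.copymode(backup, tmp)
            os.rename(tmp, target)  # same directory: no foreign label carried in
        except BaseException:
            os.unlink(tmp)
            raise
    os.unlink(backup)


def demo():
    """Constructed scratch files stand in for the sysrestore backup and
    /etc/krb5.conf; returns whether each restore kept the target's inode."""
    content = '[libdefaults]\n default_realm = EXAMPLE.TEST\n'
    kept = []
    for restore in (restore_in_place, restore_by_move):
        with tempfile.TemporaryDirectory() as d:
            backup = os.path.join(d, '5b26b063fa2d52ce-krb5.conf')
            target = os.path.join(d, 'krb5.conf')
            with open(backup, 'w') as f:
                f.write(content)
            with open(target, 'w') as f:
                f.write('# current config, longer than the backup to exercise truncate\n')
            before = os.stat(target).st_ino
            restore(backup, target)
            with open(target) as f:
                assert f.read() == content
            kept.append(os.stat(target).st_ino == before)
    return tuple(kept)  # (True, False)
```

A reader racing the in-place write can still see partial content, but never a denial, because the label never changes.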

Comment 7 Petr Vobornik 2015-02-24 12:53:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4923

Comment 12 Pavel Picka 2015-09-30 12:57:56 UTC
Created attachment 1078638 [details]
Verify log for bz

Verified 

ipa-client-4.2.0-12.el7.x86_64

Comment 13 errata-xmlrpc 2015-11-19 12:01:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html