Bug 1222903 - [SELinux] AVC denials may appear when kadmind starts

| Field | Value |
|---|---|
| Summary | [SELinux] AVC denials may appear when kadmind starts |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Patrik Kis <pkis> |
| Component | krb5 |
| Assignee | Robbie Harwood <rharwood> |
| Status | CLOSED ERRATA |
| QA Contact | Patrik Kis <pkis> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 7.2 |
| CC | dpal, jpazdziora, mkosek, pkis |
| Target Milestone | rc |
| Keywords | Regression |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | krb5-1.13.2-3.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1227542 (view as bug list) |
| Environment | |
| Last Closed | 2015-11-19 05:13:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1203889 |
| Attachments | |
Description

Patrik Kis 2015-05-19 12:15:04 UTC

---

Comment 3 (Roland Mainz)

Mine... all Mine...
... taking bug myself...

... question:
pkis: Shouldn't this be fixed in the SELinux config somehow ?

---

Comment 4 (Patrik Kis)

(In reply to Roland Mainz from comment #3)
> Mine... all Mine...
> ... taking bug myself...
>
> ... question:
> pkis: Shouldn't this be fixed in the SELinux config somehow ?

If the change in krb5 was intentional and these bind attempts are needed, then it should be fixed in selinux-policy.

---

Comment 5 (Roland Mainz)

(In reply to Patrik Kis from comment #4)
> (In reply to Roland Mainz from comment #3)
> > Mine... all Mine...
> > ... taking bug myself...
> >
> > ... question:
> > pkis: Shouldn't this be fixed in the SELinux config somehow ?
>
> If the change in krb5 was intentional and these bind attempts are needed,
> then it should be fixed in selinux-policy.

OK... I've discussed the issue with upstream:
There are two things going on here:

1. kadmind needs to create an RPC listener socket, but on a fixed port, which is not the way the RPC library usually thinks. Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|, which just fails with |EINVAL| because the socket is already bound. This is... erm... inelegant... but harmless except for triggering SELinux's security checks.

2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the wrong port numbers to be tried. That's why the range of ports tried changes from krb5 1.12 to krb5 1.13.

Upstream will try to tackle [2] above, but [1] is definitely in SELinux's territory.

---

Reply to comment #5

(In reply to Roland Mainz from comment #5)
> (In reply to Patrik Kis from comment #4)
> > (In reply to Roland Mainz from comment #3)
> > > Mine... all Mine...
> > > ... taking bug myself...
> > >
> > > ... question:
> > > pkis: Shouldn't this be fixed in the SELinux config somehow ?
> >
> > If the change in krb5 was intentional and these bind attempts are needed,
> > then it should be fixed in selinux-policy.
>
> OK... I've discussed the issue with upstream:
> There are two things going on here:
> 1. kadmind needs to create an RPC listener socket, but on a fixed port,
> which is not the way the RPC library usually thinks.
> Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|,
> which just fails with |EINVAL| because the socket is already bound. This
> is... erm... inelegant... but harmless except for triggering SELinux's
> security checks.
>
> 2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the
> wrong port numbers to be tried.
> That's why the range of ports tried changes from krb5 1.12 to krb5 1.13.
>
> Upstream will try to tackle [2] above, but [1] is definitely in SELinux's
> territory.

If I understand correctly the fix in krb5 will fix its bug and the attempted ports will move back to the original range (i.e. 1-511 or similar). If this is the case we are ok, because this is already addressed in the current selinux-policy. If the ports range will be different, please let me know, we can discuss it with selinux devels.

One more question, is there an upstream ticket for this issue? Could you link it here?

---

Comment 7 (Roland Mainz)

Created attachment 1028666 [details]
Prototype patch from krb5 1.13.3 development which fixes the unneeded |htons()| ...

---

Reply to comment #7

(In reply to Roland Mainz from comment #7)
> Created attachment 1028666 [details]
> Prototype patch from krb5 1.13.3 development which fixes the unneeded
> |htons()| ...

Confirm the patch; according to my tests it fixes the issue. Thanks.

---

Fix added

pkis: Thanks for the review&&testing.

Fix added in krb5-1.13.2-3.el7 ...
... marking bug as MODIFIED

---

Errata closure

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html
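The two mechanisms discussed in comment #5 can be reproduced in a small stand-alone program. The C program below is an added illustration written for this page; it is not krb5's `svctcp_create()` or `bindresvport_sa()` and not the attached patch. It assumes that the "unneeded `htons()`" amounts to converting a port value a second time after it is already in network byte order, and it uses an illustrative reserved-port window of 512..1023 (`STARTPORT`/`ENDPORT` are names chosen here). Part one binds a TCP socket on loopback to an ephemeral port and then binds it again, which the Linux kernel rejects with `EINVAL`; the second `bind()` still goes through the LSM `socket_bind` hook before the protocol code returns the error, which is why SELinux logs an AVC denial for an attempt that could never succeed. Part two shows what port the kernel would actually see if a reserved port were converted twice: on a little-endian host 600 becomes 22530, outside the reserved window, which is the kind of shift in the tried port range that made the existing `kadmind` policy no longer match.

```c
/*
 * Added illustration for bug 1222903 (not krb5 code).
 *  1. bind() on an already-bound socket fails with EINVAL, but the LSM
 *     (SELinux) socket_bind hook runs before that check, so each attempt
 *     is still audited.
 *  2. Applying htons() to a port that is already in network byte order
 *     changes the port the kernel sees on little-endian machines.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Illustrative reserved-port window (assumed bounds, not krb5's). */
#define STARTPORT 512u
#define ENDPORT   ((unsigned)IPPORT_RESERVED - 1u)

/* Port the kernel decodes from sin_port when the value is converted once
 * (correct) or twice (the assumed byte-order mistake). */
unsigned port_seen_by_kernel(unsigned port, int extra_htons)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_port = htons((uint16_t)port);
    if (extra_htons)
        sin.sin_port = htons(sin.sin_port); /* the redundant conversion */
    return ntohs(sin.sin_port);
}

int in_reserved_range(unsigned port)
{
    return port >= STARTPORT && port <= ENDPORT;
}

/* Bind a loopback TCP socket to an ephemeral port (no privilege needed),
 * then bind it a second time the way a reserved-port search loop would.
 * Returns errno of the second bind (EINVAL on Linux), or -1 if the
 * environment allows no socket at all. The second attempt deliberately
 * uses port 0 again: a reserved port would hit the CAP_NET_BIND_SERVICE
 * check first and an unprivileged run would see EACCES instead, whereas
 * kadmind runs with the capability and reaches the EINVAL path. */
int rebind_errno(void)
{
    struct sockaddr_in sin;
    int sd = socket(AF_INET, SOCK_STREAM, 0);
    int err;
    if (sd < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                       /* kernel picks a free port */
    if (bind(sd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(sd);
        return -1;                          /* cannot even bind once here */
    }
    /* Second bind on the same, already-bound socket: audited, then EINVAL. */
    err = bind(sd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ? errno : 0;
    close(sd);
    return err;
}

int main(void)
{
    unsigned p;
    int err = rebind_errno();

    if (err == -1)
        puts("socket/bind not available in this environment");
    else
        printf("second bind() on bound socket: errno %d (%s)\n",
               err, strerror(err));

    for (p = STARTPORT; p <= ENDPORT; p += 128) {
        unsigned once = port_seen_by_kernel(p, 0);
        unsigned twice = port_seen_by_kernel(p, 1);
        printf("intended %4u -> once: %5u (reserved=%d)  twice: %5u (reserved=%d)\n",
               p, once, in_reserved_range(once),
               twice, in_reserved_range(twice));
    }
    return 0;
}
```

On an SELinux host the practical check that matches this behaviour is the audit log: a denial for the `kadmind` domain on `name_bind` against a port type outside what the policy expects points at mechanism 2 (wrong range), while denials that persist even though `kadmind` ends up listening correctly point at mechanism 1 (harmless but audited re-bind attempts).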