Bug 1240223

Summary: Prosody SELinux policy with GSS-API
Product: Red Hat Enterprise Linux 7 Reporter: baptiste.peugnez
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.1CC: baptiste.peugnez, g.fhnrunznrqeqf, ggiesen+redhat, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rcFlags: lvrabec: needinfo-
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-35.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 10:38:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ausearch permissive selinux prosody with gss-api none

Description baptiste.peugnez 2015-07-06 09:23:18 UTC 
Description of problem:

Several avc:denied when running prosody-0.9.8-1.el7.x86_64 with GSS-API

Version-Release number of selected component (if applicable):

prosody-0.9.8-1.el7.x86_64
selinux-policy-3.13.1-23.el7_1.8.noarch

(OS : CentOS Linux release 7.1.1503 (Core))

How reproducible:

-Configure the service with GSS-API:

vim /etc/prosody/prosody.cfg.lua
--authentication = "internal_plain"
authentication = "cyrus" -- 0.8+
sasl_backend = "cyrus" -- 0.7
cyrus_service_name = "xmpp" -- Optional, defaults to "xmpp"

vim /etc/sasl2/prosody.conf
pwcheck_method: saslauthd
mech_list: PLAIN gssapi

-Keytab:
cp /lib/systemd/system/prosody.service /etc/systemd/system/prosody.service
vim /etc/systemd/system/prosody.service
...
[Service]
EnvironmentFile=-/etc/sysconfig/prosody
... 
vim /etc/sysconfig/prosody
KRB5_KTNAME=FILE:/etc/prosody/prosody.keytab

-systemctl start prosody

Steps to Reproduce:
1. yum install prosody
2. Configure the service with GSS-API
3. systemctl start prosody

Actual results:

SELinux prevents certains operations to get prosody running.
/var/log/prosody/ : https://bugzilla.redhat.com/show_bug.cgi?id=1221587
/var/tmp/xmpp_* : for Kerberos/GSS-API

Expected results:

SELinux let Prosody runs normally.

Additional info:

prosody-gss.te file coming from audit2allow

Please note the policy refrences logrotate_t because we manually changed
the log type to prosody_var_run_t as a workaround for bz #1221587

I don't have access to the policy changes you made for rhel 7.2 but you
might want to check if logrotate_t has access to prosody_log_t


module prosody-gss 1.0;

require {
    type prosody_var_run_t;
    type logrotate_t;
    type var_log_t;
    type tmp_t;
    type prosody_t;
    class capability { dac_read_search dac_override };
    class dir { write add_name remove_name };
    class file { read write create open unlink };
}

#============= prosody_t ==============
allow prosody_t self:capability { dac_read_search dac_override };
allow prosody_t tmp_t:dir { write add_name remove_name };
allow prosody_t tmp_t:file { write create open unlink };
allow prosody_t var_log_t:file { open read };

#============= logrotate_t ==============
allow logrotate_t prosody_var_run_t:file write;
Comment 2 Milos Malik 2015-07-07 07:57:01 UTC 
Could you provide the list of SELinux denials which appear when you run the scenario in enforcing and in permissive mode?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.
Comment 3 baptiste.peugnez 2015-07-07 09:26:09 UTC 
Created attachment 1049189 [details]
ausearch permissive selinux prosody with gss-api
Comment 4 baptiste.peugnez 2015-07-07 09:38:20 UTC 
I uploaded the file with the list of SELinux denials in permissive mode.

997 here is the uid of the prosody user and could change on another
system.

We can also change the emplacement of the kerberos replay cache file
through the KRB5RCACHEDIR environment variable
e.g. KRB5RCACHEDIR=/var/run/prosody

The tmp_t accesses needed are the same as any gss-api enabled
applications (dovecot, postfix..). What is the recommandation for these?
Comment 5 Lukas Vrabec 2015-07-18 18:18:48 UTC 
commit eaf09a7880e465b25d3d3519088d693a5ad7a624
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 20:09:23 2015 +0200

    Allow prosody to create own tmp files/dirs.
Comment 6 Lukas Vrabec 2015-07-18 20:00:46 UTC 
commit e67958120f2612ca9edc113a639016099440cf48
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 21:58:34 2015 +0200

    Add prosody_stream_connect() interface.
Comment 7 Lukas Vrabec 2015-07-18 20:14:42 UTC 
commit cca55bbc335dfa44564e3fa7e8ce1f8a6b06d7c2
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 22:05:35 2015 +0200

    Allow stream connect logrotate to prosody.
Comment 8 Lukas Vrabec 2015-07-18 20:18:27 UTC 
Added related rules. 

Could you attach output: 
$ ls -Z /var/log/prosody

Thank you.
Comment 9 Lukas Vrabec 2015-07-23 11:38:44 UTC 
Any update here?
Comment 10 Dominique Martinet 2015-07-23 11:46:22 UTC 
Sorry, Baptiste is off for a while and I've been slacking

We have this kind of files:
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150705.gz
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150705.gz-20150719
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150712-20150719
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150712.gz
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150720
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.err
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.err-20150710
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.err-20150710-20150720
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log-20150705.gz
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log-20150705.gz-20150719
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log-20150720

(. . . that logrotate configuration is apparently also screwed up)

We have a local policy that gives prosody access to var_log_t, but as said in the bug report bz #1221587 should have fixed that (by adding prosody_log_t)

Is there anywhere we can get an updated version until redhat 7.2 gets out?
Comment 11 Lukas Vrabec 2015-07-23 14:08:48 UTC 
Thank you, 
Please use:
# restorecon -R -v /var/log/prosody 

And then try to reproduce this issue. THis should fix problem with this rule:
allow prosody_t var_log_t:file { open read };

This means all related rules was added. Moving to Modified.
Comment 12 Dominique Martinet 2015-07-23 16:09:40 UTC 
"restorecon -R -v /var/log/prosody" doesn't do anything since the policy currently available for rhel 7 (3.13.1-23.el7_1.8) still has these files as var_log_t.

I'm not quite sure why that log rule happened, please ignore it for now, it's just all a big mess because there's nowhere where we can get the selinux updates from both bz.
I had to look at the latest fedora koji builds to get an srpm after the appropriate changelogs (with the messages you posted here), and run a diff of both rpmbuild-prepared directories to look for what has actually been done...


Anyway, I'm not quite sure why you had to add a prosody_stream_connect interface and use it with logrotate_t (since the logrotate configuration uses systemctl reload), I guess we weren't clear with the original point about having to check if logrotate had been updated?
Comment 13 Lukas Vrabec 2015-07-24 08:45:06 UTC 
Do you have AVC related to this rule? 
allow logrotate_t prosody_var_run_t:file write;
Comment 14 Dominique Martinet 2015-07-24 08:55:33 UTC 
The files are currently var_log_t with an exception to prosody_t to write to them until we can upgrade the policy (either rebuilding ourselves or update made available)

Now I looked at the update from pervious ticket I think it'll work (logging_log_file should do it), it's just hard to tell what's done with a commit message when we don't have access to the repository...


Anyway, I think what we reported should have been fixed now and I'll re-open a ticket if something is missing after the update is available, unless you have a way for us to test selinux-policy-3.13.1-35.el7 earlier.

Thank you,
-- 
Dominique
Comment 16 Lukas Vrabec 2015-07-27 10:30:35 UTC 
I tested this on my system, it looks good. 

[root@ibm-x3650m4-01-vm-09 prosody]# ls -Z 
-rw-r-----. prosody prosody system_u:object_r:prosody_log_t:s0 prosody.err
-rw-r-----. prosody prosody system_u:object_r:prosody_log_t:s0 prosody.log
[root@ibm-x3650m4-01-vm-09 prosody]# pwd
/var/log/prosody
Comment 19 errata-xmlrpc 2015-11-19 10:38:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html