Bug 1250312

Summary: After ipsilon-server-install, access to /idp ends with 500 ISE due to AVC denial on ipsilon.conf symlink
Product: Fedora
Reporter: Jan Pazdziora <jpazdziora>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
CC: dominick.grift, dwalsh, jpazdziora, lvrabec, mgrepl, nkinder, plautrba, puiterwijk, ssorce
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-225.10.fc25
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1255105
Environment:
Last Closed: 2017-02-26 01:37:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1255105

Description Jan Pazdziora 2015-08-05 06:32:45 UTC
Description of problem:

After installing ipsilon 1.0.0 packages, configuring it with ipsilon-server-install, and restarting Apache, access to https://$(hostname)/idp results in 500 ISE and ssl_error_log showing IOError: Configuration file not found.

Version-Release number of selected component (if applicable):

ipsilon-1.0.0-1.fc22.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum -y install /usr/sbin/ipsilon-server-install httpd mod_ssl ipsilon-authpam ipsilon-authgssapi ipsilon-saml2
2. ipsilon-server-install --pam yes
3. service httpd restart
4. Click http://<the-ipsilon-server>/idp

Actual results:

Internal Server Error

ssl_error_log has

==> /var/log/httpd/ssl_error_log <==
[Wed Aug 05 02:27:02.717871 2015] [wsgi:error] [pid 3676] [remote 10.11.12.13:136] mod_wsgi (pid=3676): Target WSGI script '/usr/libexec/ipsilon' cannot be loaded as Python module.
[Wed Aug 05 02:27:02.717954 2015] [wsgi:error] [pid 3676] [remote 10.11.12.13:136] mod_wsgi (pid=3676): Exception occurred processing WSGI script '/usr/libexec/ipsilon'.
[Wed Aug 05 02:27:02.718050 2015] [wsgi:error] [pid 3676] [remote 10.11.12.13:136] Traceback (most recent call last):
[Wed Aug 05 02:27:02.718110 2015] [wsgi:error] [pid 3676] [remote 10.11.12.13:136]   File "/usr/libexec/ipsilon", line 38, in <module>
[Wed Aug 05 02:27:02.718335 2015] [wsgi:error] [pid 3676] [remote 10.11.12.13:136]     raise IOError("Configuration file not found")
[Wed Aug 05 02:27:02.718388 2015] [wsgi:error] [pid 3676] [remote 10.11.12.13:136] IOError: Configuration file not found

Expected results:

No error, nice page.

Additional info:

Comment 1 Jan Pazdziora 2015-08-05 06:35:41 UTC
Ahh, AVC denial:

type=AVC msg=audit(1438756022.717:170): avc:  denied  { read } for  pid=3684 comm="httpd" name="ipsilon.conf" dev="dm-0" ino=137046111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file permissive=0

# find / -inum 137046111
/var/lib/ipsilon/idp/ipsilon.conf
# find / -inum 137046111 | xargs ls -lZ
lrwxrwxrwx. 1 root root unconfined_u:object_r:httpd_var_lib_t:s0 29 Aug  5 02:26 /var/lib/ipsilon/idp/ipsilon.conf -> /etc/ipsilon/idp/ipsilon.conf

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-128.8.fc22.noarch

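As an added example (not part of this bug report, and not code from the Ipsilon or selinux-policy projects), the following Python snippet parses the AVC record from comment 1 into its subject type, target type, object class and permission set, and prints the TE allow rule in the form audit2allow derives from a denial. It also flags the detail that matters for this report: the object class is `lnk_file`, so what was denied is reading the symlink at /var/lib/ipsilon/idp/ipsilon.conf itself (labelled httpd_var_lib_t), not the /etc/ipsilon target it points to. The `AVC_LINE` constant is the record from comment 1; the extra SYSCALL line in `SAMPLE_AUDIT_LOG` is constructed to show non-AVC records being skipped.

```python
import re

# The AVC record reported in comment 1 of this bug (verbatim).
AVC_LINE = (
    'type=AVC msg=audit(1438756022.717:170): avc:  denied  { read } for  pid=3684 '
    'comm="httpd" name="ipsilon.conf" dev="dm-0" ino=137046111 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file permissive=0'
)

# Constructed sample log: one unrelated SYSCALL record plus the AVC above.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1438756022.717:170): arch=c000003e syscall=2 success=no',
    AVC_LINE,
]

# "avc:  denied  { read write } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record. Returns a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; policy rules are written in terms of the type.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'fields': fields,
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def allow_rule(rec):
    """TE allow rule that would cover the denial (the form audit2allow prints)."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_str)


def is_symlink_read_denial(rec):
    """True when the denied access is reading a symlink object itself.

    For lnk_file:read the label that matters is the link's own label (the
    tcontext here), which a symlink normally inherits from its parent
    directory; relabelling the link's target does not change it.
    """
    return rec['result'] == 'denied' and rec['tclass'] == 'lnk_file' and 'read' in rec['perms']


def scan(lines):
    """Parse every AVC record in an audit log excerpt, skipping other record types."""
    return [rec for rec in (parse_avc(l) for l in lines) if rec is not None]


if __name__ == '__main__':
    for rec in scan(SAMPLE_AUDIT_LOG):
        print('%s %s -> %s:%s %s' % (rec['result'], rec['stype'], rec['ttype'],
                                      rec['tclass'], ' '.join(rec['perms'])))
        print('  candidate rule:', allow_rule(rec))
        if is_symlink_read_denial(rec):
            print('  note: the denial is on the symlink (inode %s), not on its target'
                  % rec['fields']['ino'])
```

Run against the record above it reports `denied httpd_t -> httpd_var_lib_t:lnk_file read` and the candidate rule `allow httpd_t httpd_var_lib_t:lnk_file read;`. Whether that rule belongs in the distribution policy, or whether the symlink or /etc/ipsilon should carry a different type (the httpd_conf_t question raised later in this thread), is a policy decision; the parser only makes explicit which object and label the kernel actually checked.
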
Comment 2 Jan Pazdziora 2015-08-05 06:36:38 UTC
Switching to Permissive makes the login page show up.

Comment 4 Simo Sorce 2015-08-05 12:48:30 UTC
What are the labels on:
/etc/ipsilon
/etc/ipsilon/idp
/etc/ipsilon/idp/ipsilon.conf
?

Comment 5 Jan Pazdziora 2015-08-05 13:10:12 UTC
(In reply to Simo Sorce from comment #4)
> What are the labels on:
> /etc/ipsilon
> /etc/ipsilon/idp
> /etc/ipsilon/idp/ipsilon.conf
> ?

All of them are system_u:object_r:etc_t:s0.

Comment 6 Simo Sorce 2015-08-05 14:12:07 UTC
I think we need advice from SELinux people on what we should do here.
CCing mgrepl

Comment 7 Miroslav Grepl 2015-09-08 17:59:04 UTC
It looks legitimate and we should extend SELinux rules to cover it. Also we could think about httpd_conf_t for /etc/ipsilon directory.

Comment 8 Jan Pazdziora 2015-09-14 13:04:55 UTC
(In reply to Miroslav Grepl from comment #7)

> Also we could think about httpd_conf_t for /etc/ipsilon directory.

There is (RHEL) bug 1256748 filed for the fact that the Apache configuration directory of Ipsilon is not httpd_conf_t labelled.

Comment 9 Lukas Vrabec 2015-10-09 13:24:40 UTC
Nathan, 
In bug 1256748 you mentioned an upstream SELinux policy for Ipsilon; could you attach a link to this policy?

Thank you.

Comment 10 Nathan Kinder 2015-10-19 20:27:51 UTC
(In reply to Lukas Vrabec from comment #9)
> Nathan, 
> In bug 1256748 you mentioned an upstream SELinux policy for Ipsilon; could you
> attach a link to this policy?
> 
> Thank you.

Patrick was working with someone on this as I understand it.  Setting needinfo for him to provide the details on where this is.

Comment 11 Fedora End Of Life 2016-07-19 20:33:58 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 12 Jan Pazdziora 2016-07-26 13:17:32 UTC
Reopening.

Comment 13 Fedora Update System 2016-07-27 10:39:44 UTC
openssh-7.2p2-11.fc24 selinux-policy-3.13.1-191.8.fc24 have been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab

Comment 14 Fedora Update System 2017-02-22 21:07:08 UTC
selinux-policy-3.13.1-225.10.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-31d4ea5eb1

Comment 15 Fedora Update System 2017-02-26 01:37:29 UTC
selinux-policy-3.13.1-225.10.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.