Bug 1253706

Summary: ipsilon-client-install fails due to AVC on IDP
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: selinux-policy Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified
Version: 7.2 CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, spoore, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-43.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 10:43:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Poore 2015-08-14 13:30:18 UTC
Description of problem:

This is a clone of bug #1250312

In my particular case, I'm seeing the failure during ipsilon-client-install, but the failure is the same as the one in that Fedora bug.

[root@client1 ~]# ipsilon-client-install \
>     --saml-idp-metadata https://idp.testrelm.test/idp/saml2/metadata \
>     --saml-auth /secure
Failed to retrieve IDP Metadata file!
Error: [HTTPError('500 Server Error: Internal Server Error',)]
500 Server Error: Internal Server Error

Then, this is what I see on IDP:

[root@idp ~]# ausearch -m avc -ts 8:00
----
time->Fri Aug 14 08:08:11 2015
type=SYSCALL msg=audit(1439557691.726:100): arch=c000003e syscall=4 success=no exit=-13 a0=7f2ce4573c70 a1=7f2cefc5d610 a2=7f2cefc5d610 a3=fffffff0 items=0 ppid=2361 pid=2378 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1439557691.726:100): avc:  denied  { read } for  pid=2378 comm="httpd" name="ipsilon.conf" dev="dm-0" ino=8401209 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-38.el7.noarch
ipsilon-1.0.0-5.el7.noarch


How reproducible:
always

Steps to Reproduce:
1.   ipa-server-install
2.   ipa-client-install # on idp and sp
3.   ipsilon-server-install # on idp
4.   ipsilon-client-install # on sp

Actual results:

Failure shown above.

Expected results:

No AVC and client installs without issue.
Additional info:

Comment 2 Milos Malik 2015-08-14 15:59:28 UTC
What SELinux denials do you see when you run the scenario in permissive mode?

# setenforce 0
# your scenario
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Comment 3 Scott Poore 2015-08-14 18:52:38 UTC
The same as far as I can tell:

time->Fri Aug 14 13:36:00 2015
type=SYSCALL msg=audit(1439577360.083:637): arch=c000003e syscall=4 success=yes exit=0 a0=7f7b6c63a390 a1=7f7b75558610 a2=7f7b75558610 a3=fffff000 items=0 ppid=25900 pid=25919 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1439577360.083:637): avc:  denied  { read } for  pid=25919 comm="httpd" name="ipsilon.conf" dev="dm-0" ino=9228359 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file

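A triage helper for the audit records quoted above, added here as an example and not code from this bug or from the selinux-policy project: it pairs each AVC record with its SYSCALL record by audit serial number to tell an enforced denial (success=no, exit=-13, as in the description) from one that was only logged in permissive mode (success=yes, as in comment 3), and derives the minimal allow rule, in the form audit2allow would print, that the policy fix had to cover. The sample input is constructed from the two AVC/SYSCALL pairs on this page.

```python
import re

# Constructed sample: the enforcing-mode pair from the description and the
# permissive-mode pair from comment 3, so the script runs offline.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1439557691.726:100): arch=c000003e syscall=4 success=no exit=-13 a0=7f2ce4573c70 a1=7f2cefc5d610 a2=7f2cefc5d610 a3=fffffff0 items=0 ppid=2361 pid=2378 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1439557691.726:100): avc:  denied  { read } for  pid=2378 comm="httpd" name="ipsilon.conf" dev="dm-0" ino=8401209 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1439577360.083:637): arch=c000003e syscall=4 success=yes exit=0 a0=7f7b6c63a390 a1=7f7b75558610 a2=7f7b75558610 a3=fffff000 items=0 ppid=25900 pid=25919 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1439577360.083:637): avc:  denied  { read } for  pid=25919 comm="httpd" name="ipsilon.conf" dev="dm-0" ino=9228359 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)')


def parse_denials(text):
    """Return one dict per AVC record, joined to its SYSCALL record by serial."""
    syscall_success = {}
    denials = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscall_success[m.group('serial')] = m.group('success')
            continue
        m = AVC_RE.match(line)
        if m:
            denials.append({
                'serial': m.group('serial'),
                'perms': m.group('perms').split(),
                'stype': m.group('scontext').split(':')[2],   # e.g. httpd_t
                'ttype': m.group('tcontext').split(':')[2],   # e.g. httpd_var_lib_t
                'tclass': m.group('tclass'),                  # e.g. lnk_file
            })
    for d in denials:
        # An AVC whose syscall still returned success=yes was only logged
        # (permissive mode); success=no means the kernel actually blocked it.
        d['enforced'] = syscall_success.get(d['serial']) == 'no'
    return denials


def allow_rule(denial):
    """Minimal type-enforcement rule that would permit this exact access."""
    perms = ' '.join(denial['perms'])
    return f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {{ {perms} }};"


if __name__ == '__main__':
    for d in parse_denials(SAMPLE_AUDIT):
        mode = 'enforced' if d['enforced'] else 'permissive (logged only)'
        print(f"serial {d['serial']}: {mode:<24} -> {allow_rule(d)}")
```

In practice you would feed it `ausearch -m avc -ts recent` output; the rule it derives is the narrow one, whereas the shipped fix grants the broader "manage" set on httpd_var_lib_t lnk_files.
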
Comment 4 Lukas Vrabec 2015-08-18 07:56:34 UTC
commit 521964ed995ce15b0a0c80c59858fb9e9d0ecd52
Author: Lukas Vrabec <lvrabec>
Date:   Tue Aug 18 09:53:26 2015 +0200

    Allow httpd daemon to manage httpd_var_lib_t lnk_files.
    Resolves: #1253706

Comment 6 Scott Poore 2015-08-21 01:24:42 UTC
This appears to be fixed:

Version ::

selinux-policy-3.13.1-44.el7.noarch

Results ::

[root@idp ~]# getenforce 
Enforcing

[root@client1 ~]# ipsilon-client-install --saml-idp-metadata https://idp.testrelm.test/idp/saml2/metadata --saml-auth /secure
Generating a 2048 bit RSA private key
......................................................................................................................................................................+++
.....................................................+++
writing new private key to '/etc/httpd/saml2/client1.testrelm.test/certificate.key'
-----
[root@client1 ~]#

[root@idp ~]# ausearch -m avc
<no matches>

[root@client1 ~]# ausearch -m avc
<no matches>

Comment 9 errata-xmlrpc 2015-11-19 10:43:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html