Bug 1256757

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing IPA access to /var/run/ipa/renewal.lock | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Jan Cholasta <jcholast> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | 7.1 | CC | dominick.grift, dpal, dwalsh, ekeck, extras-qa, jcholast, lmiksik, lvrabec, mgrepl, mkosek, mmalik, mvadkert, plautrba, pvrabec, ssekidde |
| Target Milestone | rc | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.13.1-53.el7 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 1213256 | | |
| | 1268774 | Environment | |
| Last Closed | 2015-11-19 10:44:09 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1213256 | | |
| Bug Blocks | 1268774 | | |
Description
Jan Cholasta
2015-08-25 12:10:56 UTC
Hi, the renewal.lock file has a bad label. The correct label is:

$ matchpathcon /run/ipa/renewal.lock
/run/ipa/renewal.lock	system_u:object_r:ipa_var_run_t:s0

Do you know which service creates the file /run/ipa/renewal.lock? I would say that we have a missing file transition for certmonger to create ipa_var_run_t.

The file is created from a script executed by certmonger.

Is the /run/ipa directory labeled correctly?

# ls -dZ /run/ipa

Yes, how is the /run/ipa directory created in this case?

I have retried again on a clean VM with selinux-policy-3.13.1-23.el7_1.13 and I don't see the AVCs anymore. However, if I downgrade to selinux-policy-3.13.1-23.el7 and then upgrade back to selinux-policy-3.13.1-23.el7_1.13 (which I did before while investigating bug 1252863), the AVCs start to appear again. The /run/ipa directory is labelled this way in this case:

# ls -dZ /run/ipa
drwx------. root root system_u:object_r:var_run_t:s0 /run/ipa

The same AVCs were also seen by customers in bug 1252863, without the selinux-policy downgrade+upgrade, so something else must have triggered the bug in their case.

Any chance to find out where /run/ipa is created? Is this a part of a scriptlet or a part of a setup script?

Moving to 7.3. If it needs to go into 7.2, please request an exception with the requested needinfo.

The directory is created by RPM when ipa-server is installed. This is the relevant line from the spec file:

%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/

It is also managed by systemd, using the following tmpfiles configuration:

d /var/run/ipa 0700 root root

(In reply to Jan Cholasta from comment #9)
> The directory is created by RPM when ipa-server is installed. This is the
> relevant line from the spec file:
>
> %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
>
> It is also managed by systemd, using the following tmpfiles configuration:
>
> d /var/run/ipa 0700 root root

It looks OK. So we should have correct labeling here. Any chance this directory is re-created?

The spec file and tmpfiles config are the only 2 places in IPA where the directory is created. If it is re-created, it is not done from IPA.

Basically, we need to find out which process is creating this directory, to add the right file transition rule. Jan, could you try to reproduce it with the newest selinux-policy packages?

A special policy module (containing a few auditallow rules) gave us the answer. The /var/run/ipa directory is created by yum:
----
type=PATH msg=audit(09/16/2015 10:48:58.124:172) : item=1 name=/var/run/ipa inode=49309 dev=00:13 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/16/2015 10:48:58.124:172) : item=0 name=/var/run/ inode=6497 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=CWD msg=audit(09/16/2015 10:48:58.124:172) : cwd=/root/selinux-policy/Regression/ipa-and-similar
type=SYSCALL msg=audit(09/16/2015 10:48:58.124:172) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x54410a0 a1=0700 a2=0x1e a3=0xfffffffffffff0bc items=2 ppid=12858 pid=13465 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=yum exe=/usr/bin/python2.7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/16/2015 10:48:58.124:172) : avc: granted { create } for pid=13465 comm=yum name=ipa scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----
It happens during the installation of ipa related packages.

# rpm -qa selinux-policy\*
selinux-policy-sandbox-3.13.1-23.el7_1.18.noarch
selinux-policy-doc-3.13.1-23.el7_1.18.noarch
selinux-policy-targeted-3.13.1-23.el7_1.18.noarch
selinux-policy-3.13.1-23.el7_1.18.noarch
selinux-policy-mls-3.13.1-23.el7_1.18.noarch
selinux-policy-devel-3.13.1-23.el7_1.18.noarch
selinux-policy-minimum-3.13.1-23.el7_1.18.noarch
# matchpathcon /var/run/ipa
/var/run/ipa	system_u:object_r:var_run_t:s0
#

The latest z-stream selinux-policy does not label the directory correctly.

Nice catch!

We will need to add a transition rule if we are not able to fix using restorecon.

(In reply to Miroslav Grepl from comment #15)
> Nice catch!
>
> We will need to add a transition rule if we are not able to fix using
> restorecon.

Taking back. Milos, are we able to reproduce it with the latest 7.2 policies? The point is we have

matchpathcon /var/run/ipa
/var/run/ipa	system_u:object_r:ipa_var_run_t:s0

and RPM should do the magic and add the correct labeling. So I believe this is only a 7.1.z issue where we don't have

/var/run/ipa	system_u:object_r:ipa_var_run_t:s0

Jan, can you confirm that you are not able to reproduce it with 7.2?

# rpm -qf /run/ipa
error: file /run/ipa: No such file or directory
# rpm -q ipa-server
package ipa-server is not installed
# yum install ipa-server
Loaded plugins: product-id, refresh-packagekit, search-disabled-repos,
: subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:4.2.0-11.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ipa-server x86_64 4.2.0-11.el7 RHEL-7.2-Server 1.3 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 1.3 M
Installed size: 4.9 M
Is this ok [y/d/N]: y
Downloading packages:
ipa-server-4.2.0-11.el7.x86_64.rpm | 1.3 MB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : ipa-server-4.2.0-11.el7.x86_64 1/1
Verifying : ipa-server-4.2.0-11.el7.x86_64 1/1
Installed:
ipa-server.x86_64 0:4.2.0-11.el7
Complete!
# rpm -qf /run/ipa
ipa-server-4.2.0-11.el7.x86_64
# ls -dZ /run/ipa
drwx------. root root system_u:object_r:ipa_var_run_t:s0 /run/ipa
#
It works as expected with 3.13.1-53.el7.

Miroslav, it is not clear to me how to properly reproduce the issue, as my original assumptions were wrong, which I have tried to explain in comment 6. Can you advise on how to reproduce it? For what it's worth, I have never seen the issue on 7.2, even before I opened this bug.

The issue should appear after installation of the ipa-server package on a RHEL-7.1 machine. selinux-policy for RHEL-7.1.z does not fix the issue.

Jan, Milos answered your question. Moving back to the correct state.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
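The diagnosis in this thread came down to two checks: correlating audit records to learn which process created /var/run/ipa, and comparing the label the directory received with the label matchpathcon says the policy expects. The script below is an added example written for this page; it is not IPA or selinux-policy project code. It parses records in `ausearch -i` output format (the embedded sample is a constructed copy of the records quoted above), groups them by audit event serial, takes comm/exe/subj from the SYSCALL record for every PATH record with objtype=CREATE, and flags paths whose SELinux type differs from an expected-label table. That table is a constructed stand-in for matchpathcon(8) output so the example runs offline; on a real host you would fill it from `matchpathcon -n PATH` and feed the parser `ausearch -i -m AVC,SYSCALL,PATH` output.

```python
"""Find which process created a path and whether its SELinux label matches
the policy's expectation, from ausearch -i style audit records.

Added example for this bug report; not IPA or selinux-policy code.
"""
import re
from collections import defaultdict

# Constructed sample: copies of the records quoted in the bug, in `ausearch -i`
# (interpreted) format. Real input: ausearch -i -m AVC,SYSCALL,PATH ...
SAMPLE_AUDIT = """\
type=PATH msg=audit(09/16/2015 10:48:58.124:172) : item=1 name=/var/run/ipa inode=49309 dev=00:13 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=CREATE
type=PATH msg=audit(09/16/2015 10:48:58.124:172) : item=0 name=/var/run/ inode=6497 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT
type=SYSCALL msg=audit(09/16/2015 10:48:58.124:172) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x54410a0 a1=0700 a2=0x1e a3=0xfffffffffffff0bc items=2 ppid=12858 pid=13465 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=yum exe=/usr/bin/python2.7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/16/2015 10:48:58.124:172) : avc: granted { create } for pid=13465 comm=yum name=ipa scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
"""

# Constructed stand-in for `matchpathcon -n PATH` (the 3.13.1-53.el7 result
# shown in the thread). On a live system query matchpathcon instead.
EXPECTED_LABELS = {
    "/var/run/ipa": "system_u:object_r:ipa_var_run_t:s0",
    "/var/run/ipa/renewal.lock": "system_u:object_r:ipa_var_run_t:s0",
}

_SERIAL = re.compile(r"msg=audit\(([^)]*):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group records by audit event serial: {serial: {record type: [fields]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        m = _SERIAL.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        rtype = line.split()[0][len("type="):]
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        events[serial][rtype].append(fields)
    return events


def label_type(context):
    """Return the type component of user:role:type[:range], or None."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def find_creators(events, expected_labels):
    """For every created path, report the creating process and label status.

    Only the type component is compared: restorecon resets just the type
    unless run with -F, so a user-part difference alone is not a mislabel.
    """
    findings = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = recs.get("SYSCALL", [{}])[0]
        for path in recs.get("PATH", []):
            if path.get("objtype") != "CREATE":
                continue
            name = path.get("name", "").rstrip("/") or "/"
            actual = path.get("obj", "")
            expected = expected_labels.get(name)
            findings.append({
                "serial": serial,
                "path": name,
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "subj": syscall.get("subj"),
                "actual": actual,
                "expected": expected,
                "mislabeled": expected is not None
                and label_type(actual) != label_type(expected),
            })
    return findings


def report(findings):
    """Render findings as lines, with the interim fix for mislabeled paths."""
    lines = []
    for f in findings:
        status = "MISLABELED" if f["mislabeled"] else "ok"
        lines.append(f"[{status}] {f['path']} created by comm={f['comm']} "
                     f"exe={f['exe']} subj={f['subj']} obj={f['actual']} "
                     f"expected={f['expected']}")
        if f["mislabeled"]:
            lines.append(f"    interim fix: restorecon -v {f['path']}  "
                         "(permanent fix: a filetrans rule for the creating domain)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_creators(parse_records(SAMPLE_AUDIT),
                                        EXPECTED_LABELS))))
```

On the sample, the single CREATE record resolves to comm=yum running as unconfined_t, and the type var_run_t differs from the expected ipa_var_run_t, so the path is flagged. That matches the thread's conclusion: restorecon repairs the existing directory, but a lasting fix needs the policy to give the creating domain a file transition (or a file context that RPM applies) so the directory is born as ipa_var_run_t.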