Bug 1289930

Summary: Allow oddjobd to execute IPA replica connection check
Product: Fedora
Reporter: Jan Cholasta <jcholast>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 23
CC: dominick.grift, dwalsh, jcholast, lslebodn, lvrabec, mgrepl, plautrba, pvoborni, tomek
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-158.4.f23 selinux-policy-3.13.1-158.4.fc23
Doc Type: Bug Fix
Last Closed: 2016-02-07 05:24:16 UTC
Type: Bug
Clones: 1324144
Bug Blocks: 1324144

Description Jan Cholasta 2015-12-09 11:19:30 UTC
Description of problem:

As part of <https://fedorahosted.org/freeipa/ticket/5497> implementation, IPA calls oddjobd through D-Bus to execute a helper located at /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck, which in turn executes /usr/sbin/ipa-replica-conncheck.

This currently produces the following AVCs:

time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19472): avc:  denied  { transition } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19473): avc:  denied  { entrypoint } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.853:19474): avc:  denied  { write } for  pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.332:19475): avc:  denied  { write } for  pid=17341 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.647:19476): avc:  denied  { sigchld } for  pid=15944 comm="oddjobd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1


Additionally, /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains was moved to /usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains and is incorrectly labelled system_u:object_r:bin_t:s0 instead of system_u:object_r:ipa_helper_exec_t:s0.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch

How reproducible:
Always

Steps to Reproduce:

Actual results:
SELinux policy prevents oddjobd from executing the connection check

Expected results:
SELinux policy allows oddjobd to execute the connection check

Additional info:

Comment 1 Miroslav Grepl 2015-12-22 09:05:15 UTC
Jan,
could you please test it with

# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1

Comment 2 Jan Cholasta 2016-01-04 13:50:24 UTC
The chcon command partially fixes the issue. Now I'm getting these AVCs:

time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc:  denied  { open } for  pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc:  denied  { setattr } for  pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan  4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

Comment 3 Miroslav Grepl 2016-01-07 10:10:00 UTC
How is /var/log/ipareplica-conncheck.log created?

Comment 4 Jan Cholasta 2016-01-07 10:11:43 UTC
In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).

Comment 5 Lukas Vrabec 2016-01-11 11:59:15 UTC
Jan, 
Is only '/usr/sbin/ipa-replica-conncheck' manipulating this log file, from the IPA point of view?

Comment 6 Lukas Vrabec 2016-01-11 12:17:24 UTC
commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 11 13:13:47 2016 +0100

    Label /var/log/ipareplica-conncheck.log file as ipa_log_t
    Allow ipa_helper_t domain to manage logs labeled as ipa_log_t
    Allow ipa_helper_t to connect on http and kerberos_passwd ports.
    BZ(1289930)

Comment 7 Jan Cholasta 2016-01-11 14:03:45 UTC
Yes, it is not accessed from anywhere else.

Comment 8 Lukas Vrabec 2016-01-11 21:27:56 UTC
Ok, thank you.

Comment 9 Fedora Update System 2016-01-14 13:15:51 UTC
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

Comment 10 Fedora Update System 2016-01-15 18:53:50 UTC
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

Comment 11 Jan Cholasta 2016-01-18 11:54:09 UTC
org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:

# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0               84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0              123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0               67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck

Comment 12 Lukas Vrabec 2016-01-18 13:17:19 UTC
commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 18 13:30:21 2016 +0100

    Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)

Comment 13 Jan Cholasta 2016-01-19 11:24:24 UTC
There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
    ret, stdout, stderr = server.conncheck(keys[-1])
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa)      -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")

Comment 14 Jan Cholasta 2016-01-21 08:10:49 UTC
My bad, I wasn't aware there is such a thing as USER_AVC. These are the USER_AVC denials which cause the issue above:

time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
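The kernel AVCs in the description and comment 2 and the D-Bus USER_AVC records in comment 14 share one scontext/tcontext/tclass shape. The parser below is an added example, not code from this bug or from the selinux-policy project: it reads constructed copies of those records, merges the denials into the allow rules an audit2allow-style review would print, and separates out process transition denials, which on this page pointed at a mislabelled helper (fixed by chcon/restorecon to ipa_helper_exec_t) rather than at a missing rule. The function names and the SAMPLE text are my own.

```python
import re

# Constructed sample in the shape of the records quoted in this bug: kernel AVCs
# from the description and comment 2, and the D-Bus USER_AVC from comment 14.
SAMPLE = """\
type=AVC msg=audit(1449651624.843:19472): avc:  denied  { transition } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1449651624.853:19474): avc:  denied  { write } for  pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Both record types carry "avc: denied { perms } ... scontext= tcontext= tclass=";
# USER_AVC wraps that inside msg='...' after the dbus-daemon's own subj= field.
AVC_RE = re.compile(
    r"type=(?P<type>USER_AVC|AVC).*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\} .*?scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def domain(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Parse AVC/USER_AVC denials into (type, perms, source type, target type, class)."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        out.append((m.group("type"), tuple(m.group("perms").split()),
                    domain(m.group("scontext")), domain(m.group("tcontext")),
                    m.group("tclass")))
    return out

def allow_rules(text):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    merged = {}
    for _, perms, s, t, cls in parse_avcs(text):
        merged.setdefault((s, t, cls), set()).update(perms)
    return sorted("allow %s %s:%s { %s };" % (s, t, cls, " ".join(sorted(p)))
                  for (s, t, cls), p in merged.items())

def transition_denials(text):
    """Process transition denials usually mean a mislabelled executable, not a missing rule."""
    return [(s, t) for _, perms, s, t, cls in parse_avcs(text)
            if cls == "process" and "transition" in perms]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
    print("relabel candidates:", transition_denials(SAMPLE))
```

A transition denial from oddjob_t into httpd_t is reported here because the helper still carried bin_t; the rule list is a review aid, and the bug was closed by relabelling the helper and adding targeted policy rather than by granting those rules wholesale.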

Comment 15 Lukas Vrabec 2016-01-21 15:57:10 UTC
commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 21 16:55:59 2016 +0100

    Allow dbus chat between httpd_t and oddjob_t. BZ(1289930)

Comment 16 Fedora Update System 2016-01-22 02:20:54 UTC
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Petr Vobornik 2016-01-27 10:16:13 UTC
Moving back to MODIFIED. It was not fixed in selinux-policy-3.13.1-158.2.fc23 and selinux-policy-3.13.1-158.4.f23 is not in updates.

Comment 18 Fedora Update System 2016-02-03 12:02:18 UTC
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

Comment 19 Fedora Update System 2016-02-03 23:00:14 UTC
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

Comment 20 Fedora Update System 2016-02-07 05:23:46 UTC
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.