Bug 1289930
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Allow oddjobd to execute IPA replica connection check | | |
| Product | [Fedora] Fedora | Reporter | Jan Cholasta <jcholast> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | high | | |
| Version | 23 | CC | dominick.grift, dwalsh, jcholast, lslebodn, lvrabec, mgrepl, plautrba, pvoborni, tomek |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.13.1-158.4.f23 selinux-policy-3.13.1-158.4.fc23 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1324144 | Environment | |
| Last Closed | 2016-02-07 05:24:16 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1324144 | | |
Description
Jan Cholasta
2015-12-09 11:19:30 UTC
Jan, could you please test it with

```
# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1
```

The chcon command partially fixes the issue. Now I'm getting these AVCs:

```
time->Mon Jan 4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc: denied { open } for pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan 4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc: denied { setattr } for pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan 4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan 4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
```

How is /var/log/ipareplica-conncheck.log created?

In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).

Jan, is just '/usr/sbin/ipa-replica-conncheck' manipulating this log file, from the IPA point of view?

```
commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 11 13:13:47 2016 +0100

    Label /var/log/ipareplica-conncheck.log file as ipa_log_t
    Allow ipa_helper_t domain to manage logs labeled as ipa_log_t
    Allow ipa_helper_t to connect on http and kerberos_passwd ports.
    BZ(1289930)
```

Yes, it is not accessed from anywhere else.

Ok, thank you.

selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:

```
# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0              84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0             123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0              67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
```

```
commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 18 13:30:21 2016 +0100

    Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t.
    BZ(1289930)
```

There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
    ret, stdout, stderr = server.conncheck(keys[-1])
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa) -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")
```

My bad, I wasn't aware there is such a thing as USER_AVC.

These are the USER_AVC denials which cause the issue above:

```
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

```
commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 21 16:55:59 2016 +0100

    Allow dbus chat between httpd_t and oddjob_t.
    BZ(1289930)
```

selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Moving back to MODIFIED. It was not fixed in selinux-policy-3.13.1-158.2.fc23, and selinux-policy-3.13.1-158.4.f23 is not in updates.

selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.