| Summary: | kadmin creates kadmind.log with bad SELinux context | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aleš Mareček <amarecek> |
| Component: | krb5 | Assignee: | Robbie Harwood <rharwood> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 23 | CC: | abokovoy, jpazdziora, j, mbabinsk, nalin, npmccallum, rharwood, ssorce |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | krb5-1.14-9.fc23 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-02-26 19:22:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
kadmin.local seems to be affected the same:
1.) run 'ipa-server-install' on master branch
2.) check for AVCs:
"""
ausearch -m avc
----
time->Mon Feb 22 14:45:17 2016
type=AVC msg=audit(1456152317.032:1900): avc: denied { open } for pid=7112 comm="kadmind" path="/var/log/kadmind.log" dev="vda1" ino=524925 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
"""
3.) delete /var/log/kadmind.log
4.) run kadmin.local manually
"""
# kadmin.local
Authenticating as principal root/admin with password.
kadmin.local: exit
"""
5.) check that /var/log/kadmind.log is recreated with wrong context:
"""
# ls -lZ /var/log/kadmind.log
-rw-r-----. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 22 14:48 /var/log/kadmind.log
"""
IPA version: master
Kerberos version: krb5-workstation-1.14-8.fc23.x86_64
SELinux: selinux-policy-3.13.1-158.7.fc23.noarch
Reproduced locally. The problem is that kadmin.local shouldn't be trying to create this file at all.

Confirmed, kadmin.local will create an empty log file if none is present, and of course as it runs in the root user process context it creates the file with a label that the real kadmind service can't access.

In 1.13 (and earlier, as far as I can tell), the log file will be created empty - that is, opened but nothing written. The difference is that in 1.13 it has the correct context. I have restored this 1.13 behavior. Since SELinux support is purely downstream (upstream is not interested at the present time), this fix is not needed upstream. Patches building for rawhide and fc23.

krb5-1.14-9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-3fb652d988

krb5-1.14-9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3fb652d988

krb5-1.14-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:

# GOOD
[root@testbox ~]# systemctl restart kadmin
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.
[root@testbox ~]# ls -laZ /var/log/kadmind.log
-rw-r-----. 1 root root system_u:object_r:kadmind_log_t:s0 119 Feb 17 12:59 /var/log/kadmind.log

# BAD
[root@testbox ~]# rm -rf /var/log/kadmind.log
[root@testbox ~]# kadmin >/dev/null 2>&1
[root@testbox ~]# ls -laZ /var/log/kadmind.log
-rw-r-----. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 17 12:59 /var/log/kadmind.log

Version-Release number of selected component (if applicable):
krb5-workstation-1.14-7.fc23.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. # Make sure the kadmin service hasn't run so /var/log/kadmind.log doesn't exist
2. kadmin

Actual results:
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 17 13:07 /var/log/kadmind.log

Expected results:
-rw-r-----. 1 root root system_u:object_r:kadmind_log_t:s0 119 Feb 17 12:59 /var/log/kadmind.log

Additional info:
It creates SELinux AVC during FreeIPA installation.

[root@testbox ~]# rm -rf /var/log/kadmind.log
[root@testbox ~]# ipa-server-install
- SNIP -
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
- SNIP -
[root@testbox ~]# ausearch -m avc -ts recent
----
time->Wed Feb 17 13:07:41 2016
type=AVC msg=audit(1455732461.943:365): avc: denied { open } for pid=26394 comm="kadmind" path="/var/log/kadmind.log" dev="dm-0" ino=33925335 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
[root@testbox ~]# ls -laZ /var/log/kadmind.log
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 17 13:07 /var/log/kadmind.log
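Detection logic for the AVC records quoted in this report, as an added example that is not part of the bug report or of the krb5 package: it parses `ausearch -m avc` output, flags kadmind denials on its own log file whose target type is not kadmind_log_t, and records whether each denial was enforced or only audited. The sample input is constructed from the two records above plus one unrelated denial that must not be flagged; the suggested `restorecon -v` relabel is standard SELinux tooling, not something the report itself prescribes.

```python
import re

# Expected label for the kadmind log (the "GOOD" listing in the report); the bug
# leaves it as var_log_t, which the kadmind_t domain is not allowed to open.
KADMIND_LOG = "/var/log/kadmind.log"
EXPECTED_TYPE = "kadmind_log_t"

# Constructed sample in 'ausearch -m avc' format: the two records from this report
# plus one unrelated denial (chronyd) that the check must leave alone.
SAMPLE_AUSEARCH = """\
time->Wed Feb 17 13:07:41 2016
type=AVC msg=audit(1455732461.943:365): avc: denied { open } for pid=26394 comm="kadmind" path="/var/log/kadmind.log" dev="dm-0" ino=33925335 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
----
time->Mon Feb 22 14:45:17 2016
type=AVC msg=audit(1456152317.032:1900): avc: denied { open } for pid=7112 comm="kadmind" path="/var/log/kadmind.log" dev="vda1" ino=524925 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Feb 22 14:50:00 2016
type=AVC msg=audit(1456152600.000:1901): avc: denied { write } for pid=7200 comm="chronyd" path="/var/lib/chrony/drift" dev="vda1" ino=777 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{(?P<perms>[^}]*)\} for (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_records(text):
    """Turn ausearch output into dicts (serial, perms plus the key=value fields); other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["serial"] = int(m.group("serial"))
        rec["perms"] = tuple(m.group("perms").split())
        records.append(rec)
    return records

def se_type(context):
    """Extract the SELinux type: 'unconfined_u:object_r:var_log_t:s0' -> 'var_log_t'."""
    return context.split(":")[2]

def find_mislabeled_kadmind_log(records):
    """Flag kadmind denials on its own log where the file type is not kadmind_log_t.
    permissive=0 means the open really failed (kadmind could not log); permissive=1 means it was only audited."""
    findings = []
    for r in records:
        if (r.get("comm") == "kadmind" and r.get("tclass") == "file"
                and r.get("path") == KADMIND_LOG
                and se_type(r["tcontext"]) != EXPECTED_TYPE):
            findings.append({"serial": r["serial"], "actual_type": se_type(r["tcontext"]),
                             "enforced": r.get("permissive") == "0", "fix": f"restorecon -v {KADMIND_LOG}"})
    return findings
```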