IPA will be rebased in RHEL 7.3; this policy update will be needed.
+++ This bug was initially created as a clone of Bug #1289930 +++
Description of problem:
As part of <https://fedorahosted.org/freeipa/ticket/5497> implementation, IPA calls oddjobd through D-Bus to execute a helper located at /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck, which in turn executes /usr/sbin/ipa-replica-conncheck.
This currently produces the following AVCs:
time->Wed Dec 9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19472): avc: denied { transition } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
----
time->Wed Dec 9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19473): avc: denied { entrypoint } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Dec 9 10:00:24 2015
type=AVC msg=audit(1449651624.853:19474): avc: denied { write } for pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Dec 9 10:00:25 2015
type=AVC msg=audit(1449651625.332:19475): avc: denied { write } for pid=17341 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
----
time->Wed Dec 9 10:00:25 2015
type=AVC msg=audit(1449651625.647:19476): avc: denied { sigchld } for pid=15944 comm="oddjobd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1
Additionally, /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains was moved to /usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains and is incorrectly labelled system_u:object_r:bin_t:s0 instead of system_u:object_r:ipa_helper_exec_t:s0.
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch
How reproducible:
Always
Steps to Reproduce:
Actual results:
SELinux policy prevents oddjobd from executing the connection check
Expected results:
SELinux policy allows oddjobd to execute the connection check
Additional info:
--- Additional comment from Miroslav Grepl on 2015-12-22 10:05:15 CET ---
Jan,
could you please test it with
# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1
--- Additional comment from Jan Cholasta on 2016-01-04 14:50:24 CET ---
The chcon command partially fixes the issue. Now I'm getting these AVCs:
time->Mon Jan 4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc: denied { open } for pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan 4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc: denied { setattr } for pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan 4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan 4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
--- Additional comment from Miroslav Grepl on 2016-01-07 11:10:00 CET ---
How is /var/log/ipareplica-conncheck.log created?
--- Additional comment from Jan Cholasta on 2016-01-07 11:11:43 CET ---
In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).
--- Additional comment from Lukas Vrabec on 2016-01-11 12:59:15 CET ---
Jan,
Is just '/usr/sbin/ipa-replica-conncheck' manipulating this log file, from the IPA point of view?
--- Additional comment from Lukas Vrabec on 2016-01-11 13:17:24 CET ---
commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec>
Date: Mon Jan 11 13:13:47 2016 +0100
Label /var/log/ipareplica-conncheck.log file as ipa_log_t
Allow ipa_helper_t domain to manage logs labeled as ipa_log_t
Allow ipa_helper_t to connect on http and kerberos_passwd ports.
BZ(1289930)
--- Additional comment from Jan Cholasta on 2016-01-11 15:03:45 CET ---
Yes, it is not accessed from anywhere else.
--- Additional comment from Lukas Vrabec on 2016-01-11 22:27:56 CET ---
Ok, thank you.
--- Additional comment from Fedora Update System on 2016-01-14 14:15:51 CET ---
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
--- Additional comment from Fedora Update System on 2016-01-15 19:53:50 CET ---
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
--- Additional comment from Jan Cholasta on 2016-01-18 12:54:09 CET ---
org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:
# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0 84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0 123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
--- Additional comment from Lukas Vrabec on 2016-01-18 14:17:19 CET ---
commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec>
Date: Mon Jan 18 13:30:21 2016 +0100
Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
--- Additional comment from Jan Cholasta on 2016-01-19 12:24:24 CET ---
There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
result = self.Command[name](*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
ret = self.run(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
return self.execute(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
ret, stdout, stderr = server.conncheck(keys[-1])
File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
return self._proxy_method(*args, **keywords)
File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
**keywords)
File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa) -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")
--- Additional comment from Jan Cholasta on 2016-01-21 09:10:49 CET ---
My bad, I wasn't aware there is such a thing as USER_AVC. These are the USER_AVC denials which cause the issue above:
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
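The kernel AVC records in the description and in the first follow-up, and the USER_AVC records above, are the raw material audit2allow turns into allow rules. The script below is an added example written for this page; it is not part of selinux-policy, FreeIPA or the audit tools. It parses both record shapes (the USER_AVC variant is emitted by dbus-daemon and wraps the same "avc: denied" core in msg='...'), merges the denials into audit2allow-style rules, and flags the cases where, as in this bug, the right fix was a label (ipa_helper_exec_t on the helper, ipa_log_t on the log) or a dbus_chat rule rather than a blanket allow. The sample records are copied from this bug; the GENERIC_TYPES list and the hint wording are the example's own assumptions.

```python
"""Parse SELinux AVC and USER_AVC audit records into audit2allow-style rules
and point out denials that are usually labelling bugs rather than missing
allow rules.  Added example for this bug page; not part of selinux-policy,
FreeIPA or the audit tools, and it runs without a SELinux-enabled host."""
import re
from collections import defaultdict

# Records copied from this bug report (ausearch "time->"/"----" lines removed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1449651624.843:19472): avc: denied { transition } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1449651624.843:19473): avc: denied { entrypoint } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915054.973:6182): avc: denied { open } for pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915054.974:6183): avc: denied { setattr } for pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915055.980:6184): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Both record shapes carry the same "avc: denied { perms } for k=v ..." core;
# USER_AVC (from dbus-daemon) wraps it in msg='...'.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Generic types (assumption for the heuristics below): a denial against one
# of these usually means the object should have had a more specific label.
GENERIC_TYPES = {"bin_t", "var_log_t", "var_t", "etc_t", "usr_t", "tmp_t", "var_lib_t"}


def type_of(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC/USER_AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "record": "USER_AVC" if line.startswith("type=USER_AVC") else "AVC",
        "perms": set(m.group("perms").split()),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # USER_AVC records carry no permissive= field; treat them as enforcing.
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def parse_audit(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials per (source, target, class) the way audit2allow does."""
    needed = defaultdict(set)
    for r in records:
        needed[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in needed.items())


def triage(r):
    """Hints on whether an allow rule is really the right fix for a denial."""
    hints = []
    if r["permissive"]:
        hints.append("permissive=1: logged but not blocked; will break in enforcing mode")
    if "transition" in r["perms"]:
        hints.append(f"no domain transition from {r['stype']} to {r['ttype']}; "
                     f"check the label of {r['fields'].get('path', '<path>')}")
    if "entrypoint" in r["perms"] and r["ttype"] in GENERIC_TYPES:
        hints.append(f"executable is labelled {r['ttype']}: relabel it with a *_exec_t type "
                     "(restorecon after fixing the file context) instead of allowing entrypoint")
    if r["tclass"] == "file" and r["ttype"] in GENERIC_TYPES and \
            r["perms"] & {"write", "open", "setattr", "create", "append"}:
        hints.append(f"writes to generic {r['ttype']}: give the file its own type via a "
                     f"file context rule instead of opening {r['ttype']} to {r['stype']}")
    if r["tclass"] == "dbus":
        hints.append("D-Bus calls are usually allowed in both directions (dbus_chat interface)")
    return hints


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    for r in recs:
        for h in triage(r):
            print(f"  [{r['record']}] {r['stype']} -> {r['ttype']}:{r['tclass']}: {h}")
```

Run against the records from this bug it prints five merged rules (the two var_log_t denials collapse into one `{ open setattr }` rule) and, for the entrypoint denial on bin_t, the relabel hint that matches the actual fix here: the helper needed an ipa_helper_exec_t file context in the policy, since a plain restorecon kept bin_t until selinux-policy shipped that context.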
--- Additional comment from Lukas Vrabec on 2016-01-21 16:57:10 CET ---
commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec>
Date: Thu Jan 21 16:55:59 2016 +0100
Allow dbus chat between httpd_t and oddjob_t. BZ(1289930)
--- Additional comment from Fedora Update System on 2016-01-22 03:20:54 CET ---
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
--- Additional comment from Petr Vobornik on 2016-01-27 11:16:13 CET ---
moving back to modified. It was not fixed in selinux-policy-3.13.1-158.2.fc23 and selinux-policy-3.13.1-158.4.f23 is not in updates.
--- Additional comment from Fedora Update System on 2016-02-03 13:02:18 CET ---
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
--- Additional comment from Fedora Update System on 2016-02-04 00:00:14 CET ---
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
--- Additional comment from Fedora Update System on 2016-02-07 06:23:46 CET ---
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2283.html