Bug 1324144

Summary: Allow oddjobd to execute IPA replica connection check
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Patrik Kis <pkis>
Severity: medium Docs Contact:
Priority: high    
Version: 7.3CC: dominick.grift, dwalsh, extras-qa, jcholast, jpazdziora, lslebodn, lvrabec, mgrepl, mmalik, pkis, plautrba, pvoborni, pvrabec, ssekidde, tomek
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-70.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1289930
: 1333274 (view as bug list) Environment:
Last Closed: 2016-11-04 02:47:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1289930    
Bug Blocks: 1333274    

Description Petr Vobornik 2016-04-05 15:57:49 UTC 
IPA will be rebased in RHEL 7.3, this policy update will be needed.

+++ This bug was initially created as a clone of Bug #1289930 +++

Description of problem:

As part of <https://fedorahosted.org/freeipa/ticket/5497> implementation, IPA calls oddjobd through D-Bus to execute a helper located at /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck, which in turn executes /usr/sbin/ipa-replica-conncheck.

This currently produces the following AVCs:

time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19472): avc:  denied  { transition } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19473): avc:  denied  { entrypoint } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.853:19474): avc:  denied  { write } for  pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.332:19475): avc:  denied  { write } for  pid=17341 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.647:19476): avc:  denied  { sigchld } for  pid=15944 comm="oddjobd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1


Additionally, /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains was moved to /usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains and is incorrectly labelled system_u:object_r:bin_t:s0 instead of system_u:object_r:ipa_helper_exec_t:s0.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux policy prevents oddjobd from executing the connection check

Expected results:
SELinux policy allows oddjobd from executing the connection check

Additional info:

--- Additional comment from Miroslav Grepl on 2015-12-22 10:05:15 CET ---

Jan,
could you please test it with

# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1

--- Additional comment from Jan Cholasta on 2016-01-04 14:50:24 CET ---

The chcon command partially fixes the issue. Now I'm getting these AVCs:

time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc:  denied  { open } for  pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc:  denied  { setattr } for  pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan  4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

--- Additional comment from Miroslav Grepl on 2016-01-07 11:10:00 CET ---

How is /var/log/ipareplica-conncheck.log created?

--- Additional comment from Jan Cholasta on 2016-01-07 11:11:43 CET ---

In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).

--- Additional comment from Lukas Vrabec on 2016-01-11 12:59:15 CET ---

Jan, 
Just '/usr/sbin/ipa-replica-conncheck' is manipulating with this log file, from ipa point of view?

--- Additional comment from Lukas Vrabec on 2016-01-11 13:17:24 CET ---

commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 11 13:13:47 2016 +0100

    Label /var/log/ipareplica-conncheck.log file as ipa_log_t
    Allow ipa_helper_t domain to manage logs labeledas ipa_log_t
    Allow ipa_helper_t to connect on http and kerberos_passwd ports.
    BZ(1289930)

--- Additional comment from Jan Cholasta on 2016-01-11 15:03:45 CET ---

Yes, it is not accessed from anywhere else.

--- Additional comment from Lukas Vrabec on 2016-01-11 22:27:56 CET ---

Ok, thank you.

--- Additional comment from Fedora Update System on 2016-01-14 14:15:51 CET ---

selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

--- Additional comment from Fedora Update System on 2016-01-15 19:53:50 CET ---

selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

--- Additional comment from Jan Cholasta on 2016-01-18 12:54:09 CET ---

org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:

# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0               84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0              123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0               67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck

--- Additional comment from Lukas Vrabec on 2016-01-18 14:17:19 CET ---

commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 18 13:30:21 2016 +0100

    Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)

--- Additional comment from Jan Cholasta on 2016-01-19 12:24:24 CET ---

There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
    ret, stdout, stderr = server.conncheck(keys[-1])
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa)      -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")

--- Additional comment from Jan Cholasta on 2016-01-21 09:10:49 CET ---

My bad, I wasn't aware there is such a thing as USER_AVC. These are the USER_AVC denials which cause the issue above:

time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

--- Additional comment from Lukas Vrabec on 2016-01-21 16:57:10 CET ---

commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 21 16:55:59 2016 +0100

    Allow dbus chat between httpd_t and oddjob_t. BZ(1289930)

--- Additional comment from Fedora Update System on 2016-01-22 03:20:54 CET ---

selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Petr Vobornik on 2016-01-27 11:16:13 CET ---

moving back to modified. It was not fixed in selinux-policy-3.13.1-158.2.fc23 and selinux-policy-3.13.1-158.4.f23 is not in updates.

--- Additional comment from Fedora Update System on 2016-02-03 13:02:18 CET ---

selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-04 00:00:14 CET ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-07 06:23:46 CET ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 errata-xmlrpc 2016-11-04 02:47:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html