Bug 1361636

Summary: Selinux prevents IPA from running oddjob required for AD trusts functionality
Product: Red Hat Enterprise Linux 7
Reporter: Martin Bašti <mbasti>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.3
CC: lryznaro, lvrabec, mbasti, mgrepl, mmalik, nsoman, plautrba, pvrabec, ssekidde, sumenon
Target Milestone: rc
Keywords: TestBlocker
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-94.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-04 02:35:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1356899

Description Martin Bašti 2016-07-29 15:18:04 UTC
Hello SELinux team,

Description of problem:

We need to allow following operations, otherwise we are not able to work with AD Trust:

type=AVC msg=audit(1469438536.551:251): avc:  denied  { connectto } for  pid=14234 comm="com.redhat.idm." path="/run/slapd-IPA73-TEST.socket" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1469438536.551:251): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffdd930c820 a2=6e a3=7ffdd930c822 items=0 ppid=12990 pid=14234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1469438711.045:252): avc:  denied  { transition } for  pid=14293 comm="oddjobd" path="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains" dev="dm-0" ino=4198453 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1469438711.045:252): arch=c000003e syscall=59 success=no exit=-13 a0=7f92139b3b70 a1=7f92139bf220 a2=7f92139b5b90 a3=666e6f636e753a72 items=0 ppid=12990 pid=14293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1469438762.734:253): avc:  denied  { transition } for  pid=14296 comm="oddjobd" path="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains" dev="dm-0" ino=4198453 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1469438762.734:253): arch=c000003e syscall=59 success=no exit=-13 a0=7f92139b3b70 a1=7f92139bf220 a2=7f92139c5560 a3=666e6f636e753a72 items=0 ppid=12990 pid=14296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)


Related bug and more info in: https://bugzilla.redhat.com/show_bug.cgi?id=1356899

Feel free to ask for additional details if needed.
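
The denials quoted above, parsed and grouped the way audit2allow would group them, as an added Python example that is not part of this bug report, of FreeIPA or of selinux-policy. The sample log is the AVC/SYSCALL records copied from the description (one record per line); the function names and the "overbroad" heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the description above and the
# SYSCALL records that share their serial numbers (one record per line; the
# third AVC is left without its SYSCALL record on purpose).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1469438536.551:251): avc:  denied  { connectto } for  pid=14234 comm="com.redhat.idm." path="/run/slapd-IPA73-TEST.socket" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1469438536.551:251): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffdd930c820 a2=6e a3=7ffdd930c822 items=0 ppid=12990 pid=14234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1469438711.045:252): avc:  denied  { transition } for  pid=14293 comm="oddjobd" path="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains" dev="dm-0" ino=4198453 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1469438711.045:252): arch=c000003e syscall=59 success=no exit=-13 a0=7f92139b3b70 a1=7f92139bf220 a2=7f92139b5b90 a3=666e6f636e753a72 items=0 ppid=12990 pid=14293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1469438762.734:253): avc:  denied  { transition } for  pid=14296 comm="oddjobd" path="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains" dev="dm-0" ino=4198453 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# Envelope shared by every audit record type: type, timestamp, serial, body.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# AVC body: result, permission set in braces, then key=value fields.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
# key=value pairs; a value is either double-quoted or a bare token such as (none).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k="v v"' into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    parts = ctx.split(':', 3)
    return parts[2] if len(parts) >= 3 else ctx


def parse_audit_log(text):
    """Parse AVC records and pair each with the SYSCALL record sharing its serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        serial, body = int(m.group('serial')), m.group('body')
        if m.group('type') == 'SYSCALL':
            syscalls[serial] = parse_fields(body)
        elif m.group('type') == 'AVC':
            a = AVC_RE.match(body)
            if not a:
                continue
            rec = parse_fields(a.group('fields'))
            rec.update(serial=serial, timestamp=float(m.group('ts')),
                       result=a.group('result'), perms=sorted(a.group('perms').split()),
                       stype=context_type(rec['scontext']), ttype=context_type(rec['tcontext']))
            avcs.append(rec)
    # The SYSCALL record says which binary made the call and which syscall it was;
    # records without a partner keep None so a truncated log does not crash the parser.
    for rec in avcs:
        sc = syscalls.get(rec['serial'], {})
        rec['exe'], rec['syscall'], rec['success'] = sc.get('exe'), sc.get('syscall'), sc.get('success')
    return avcs


def summarize_denials(avcs):
    """Group denials by (source type, target type, class), unioning the permissions."""
    groups = defaultdict(set)
    for rec in avcs:
        if rec['result'] == 'denied':
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rules(summary):
    """Render each group as the literal TE allow rule audit2allow would print."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm};')
    return rules


def overbroad(summary):
    """Heuristic (this example's own): flag groups whose literal allow rule would
    hand a helper an unconfined domain; those belong in the distribution policy,
    not in a local module."""
    return [key for key in summary if key[1] == 'unconfined_t' and key[2] == 'process']


if __name__ == '__main__':
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rec in records:
        print(f"{rec['serial']}: {rec['stype']} -> {rec['ttype']}:{rec['tclass']} "
              f"{rec['perms']} (exe={rec['exe']}, syscall={rec['syscall']})")
    summary = summarize_denials(records)
    print('\n'.join(allow_rules(summary)))
    print('needs a policy fix rather than a local rule:', overbroad(summary))
```

Running it prints two literal rules: `allow ipa_helper_t dirsrv_t:unix_stream_socket connectto;` (narrow, the sort of thing a local module can carry) and `allow oddjob_t unconfined_t:process transition;`, which the heuristic flags because it would let oddjob launch its helpers unconfined. That matches how the report was resolved: by an updated selinux-policy package rather than a local allow rule.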

Comment 7 Lenka Doudova 2016-08-09 13:20:19 UTC
Same bug for fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1359115

Comment 17 Sudhir Menon 2016-08-17 17:50:23 UTC
Observations:
There is no longer an error displayed when the 'oddjob_request' command is run in permissive mode.

Verified on RHEL7.3 using 
ipa-server-4.4.0-7.el7.x86_64
libselinux-2.5-5.el7.x86_64
selinux-policy-3.13.1-94.el7.noarch
selinux-policy-targeted-3.13.1-94.el7.noarch

[root@ipaserver abrt]# getenforce 
Enforcing
[root@ipaserver abrt]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe

[root@ipaserver abrt]# setenforce 0
[root@ipaserver abrt]# getenforce 
Permissive

[root@ipaserver abrt]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe

Comment 19 errata-xmlrpc 2016-11-04 02:35:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html