Bug 1368418

Summary: SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-<>.socket
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Type: Bug
Status: CLOSED ERRATA
Fixed In Version: selinux-policy-3.13.1-95.el7
Doc Type: Bug Fix
Reporter: Sudhir Menon <sumenon>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: dapospis, lvrabec, mgrepl, mmalik, plautrba, pspacek, pvoborni, pvrabec, rcritten, ssekidde, sumenon
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Last Closed: 2016-11-04 02:37:22 UTC

Description Sudhir Menon 2016-08-19 10:33:11 UTC
Description of problem: SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-<>.socket


Version-Release number of selected component (if applicable):
libselinux-python-2.5-5.el7.x86_64
libselinux-2.5-5.el7.x86_64
selinux-policy-3.13.1-94.el7.noarch
selinux-policy-targeted-3.13.1-94.el7.noarch
ipa-server-4.4.0-8.el7.x86_64
ipa-server-trust-ad-4.4.0-8.el7.x86_64

How reproducible: Always.


Steps to Reproduce:

1. [root@ipaserver ~]# date; ipa trust-add test.qa --type='ad'  --range-type='ipa-ad-trust-posix' --external=true
Fri Aug 19 15:42:43 IST 2016
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified
 
---------------------------------------

2. Check /var/log/messages
3. Check /var/log/audit/audit.log


Actual results:
1. /var/log/messages displays the message below.

Aug 19 15:43:21 ipaserver dbus-daemon: dbus[627]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Aug 19 15:43:21 ipaserver setroubleshoot: failed to retrieve rpm info for /run/slapd-REDLABS-QE.socket
Aug 19 15:43:21 ipaserver setroubleshoot: SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-REDLABS-QE.socket. For complete SELinux messages. run sealert -l bd83b10c-b074-485e-8710-5b780ca0b407
Aug 19 15:43:21 ipaserver python: SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-REDLABS-QE.socket.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow authlogin to nsswitch use ldap#012Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.#012You can read 'None' man page for more details.#012Do#012setsebool -P authlogin_nsswitch_use_ldap 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that com.redhat.idm. should be allowed connectto access on the slapd-REDLABS-QE.socket unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'com.redhat.idm.' --raw | audit2allow -M my-comredhatidm#012# semodule -i my-comredhatidm.pp#012

2. /var/log/audit/audit.log

type=AVC msg=audit(1471601597.506:1375): avc:  denied  { connectto } for  pid=2326 comm="com.redhat.idm." path="/run/slapd-REDLABS-QE.socket" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket


Expected results:
Fix the SELinux denial message.


Additional info: This issue was seen in both permissive and enforcing modes of SELinux.

Comment 2 Petr Spacek 2016-08-22 07:22:09 UTC
Please try to reproduce the bug in SELinux permissive mode and copy AVC messages from audit.log to this bug. These will be needed for fixing this.

Comment 3 Sudhir Menon 2016-08-22 07:38:29 UTC
Petr,

Tried this with SELinux in permissive mode. Steps have been modified.

1. Installed IPA server with enforcing mode.
2. Then did setenforce 0
3. Then added external trust 


Aug 22 13:04:15 ipaserver dbus-daemon: dbus[627]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Aug 22 13:04:16 ipaserver setroubleshoot: failed to retrieve rpm info for /run/slapd-REDLABS-QE.socket
Aug 22 13:04:17 ipaserver setroubleshoot: SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-REDLABS-QE.socket. For complete SELinux messages. run sealert -l bd83b10c-b074-485e-8710-5b780ca0b407
Aug 22 13:04:17 ipaserver python: SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-REDLABS-QE.socket.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow authlogin to nsswitch use ldap#012Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.#012You can read 'None' man page for more details.#012Do#012setsebool -P authlogin_nsswitch_use_ldap 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that com.redhat.idm. should be allowed connectto access on the slapd-REDLABS-QE.socket unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'com.redhat.idm.' --raw | audit2allow -M my-comredhatidm#012# semodule -i my-comredhatidm.pp#012

cat /var/log/audit/audit.log
type=AVC msg=audit(1471851250.553:3161): avc:  denied  { connectto } for  pid=15194 comm="com.redhat.idm." path="/run/slapd-REDLABS-QE.socket" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1471851250.553:3161): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff08a4e3e0 a2=6e a3=7fff08a4e3e2 items=0 ppid=13606 pid=15194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)

Comment 4 Petr Spacek 2016-08-22 10:09:27 UTC
Could you please double-check that there is only 1 AVC? I would expect more than one (while running in permissive mode). This is suspicious.

Did the feature work in the permissive mode?

Comment 5 Sudhir Menon 2016-08-22 10:47:02 UTC
Petr,

I could only see the below in the audit.log file.

type=AVC msg=audit(1471862721.313:3436): avc:  denied  { connectto } for  pid=21433 comm="com.redhat.idm." path="/run/slapd-REDLABS-QE.socket" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1471862721.313:3436): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffc36133ca0 a2=6e a3=7ffc36133ca2 items=0 ppid=19195 pid=21433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)

Comment 6 Petr Vobornik 2016-08-23 11:57:18 UTC
Changing component according to comments 4 and 5.

Comment 7 Lukas Vrabec 2016-08-23 12:15:39 UTC
[root@bkr-hv03-guest20 ~]# sesearch -A -s ipa_helper_t -t dirsrv_t -c unix_stream_socket -p connectto
Found 1 semantic av rules:
   allow nsswitch_domain dirsrv_t : unix_stream_socket connectto ; 

[root@bkr-hv03-guest20 ~]# rpm -q selinux-policy
selinux-policy-3.13.1-94.el7.noarch

Looks like this is already allowed.
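The two checks made in the comments above (pairing each AVC with its SYSCALL record to tell whether the access actually went through, as in comment 4, and turning the denial into the sesearch query run in comment 7) can be scripted for triage. This is an added example, not code from the bug's participants; the sample audit records are copied from comment 3 and embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair captured in permissive mode (comment 3).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1471851250.553:3161): avc:  denied  { connectto } for  pid=15194 comm="com.redhat.idm." path="/run/slapd-REDLABS-QE.socket" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1471851250.553:3161): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff08a4e3e0 a2=6e a3=7fff08a4e3e2 items=0 ppid=13606 pid=15194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Group raw audit records by event id; keep the AVC fields and the SYSCALL outcome."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("type") == "AVC":
            a = AVC.search(line)
            ev["avc"] = {
                "result": a.group(1), "perms": a.group(2).split(),
                "scontext": fields["scontext"], "tcontext": fields["tcontext"],
                "tclass": fields["tclass"], "comm": fields.get("comm", ""),
            }
        elif fields.get("type") == "SYSCALL":
            ev["success"] = fields.get("success")
    return events


def context_type(ctx):
    """user:role:type:level -> type (the part sesearch -s/-t takes)."""
    return ctx.split(":")[2]


def triage(events):
    """Build the sesearch query for each AVC and flag denials whose syscall still
    succeeded: that combination only happens in permissive mode (or a permissive domain)."""
    out = []
    for eid, ev in sorted(events.items()):
        avc = ev.get("avc")
        if not avc:
            continue
        query = "sesearch -A -s %s -t %s -c %s -p %s" % (
            context_type(avc["scontext"]), context_type(avc["tcontext"]),
            avc["tclass"], ",".join(avc["perms"]))
        permissive = avc["result"] == "denied" and ev.get("success") == "yes"
        out.append({"event": eid, "comm": avc["comm"], "query": query, "permissive": permissive})
    return out
```

If sesearch reports a matching rule (as in comment 7) and the AVC still appears, the source type is usually missing from the attribute the rule is written against; that is the kind of gap a policy build fixes rather than a local audit2allow module.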

Comment 8 Lukas Vrabec 2016-08-23 12:55:55 UTC
Are you sure you have the latest selinux-policy rpm package?

Comment 9 Sudhir Menon 2016-08-23 13:08:25 UTC
Lukas,
Yes, this was tested on selinux-policy-3.13.1-94.el7.noarch.

Comment 10 Lukas Vrabec 2016-08-23 13:09:22 UTC
Could you provide some testing system?

Comment 12 Sudhir Menon 2016-08-23 13:36:06 UTC
Test system was provided to reproduce the issue.

Comment 15 Sudhir Menon 2016-08-24 08:16:30 UTC
The message "SELinux is preventing com.redhat.idm. from connectto access on the unix_stream_socket /run/slapd-REDLABS-QE.socket" is no longer seen in permissive/enforcing mode while adding an external trust.

Verified on RHEL7.3 using
ipa-server-4.4.0-8.el7.x86_64
ipa-server-trust-ad-4.4.0-8.el7.x86_64
libselinux-utils-2.5-5.el7.x86_64
libselinux-python-2.5-5.el7.x86_64
selinux-policy-3.13.1-95.el7.noarch
selinux-policy-targeted-3.13.1-95.el7.noarch
libselinux-2.5-5.el7.x86_64

Comment 21 errata-xmlrpc 2016-11-04 02:37:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html