Bug 1424728

Summary: SELinux prevents cyrus imapd from using gssproxy
Product: Red Hat Enterprise Linux 7 Reporter: James Ralston <ralston>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 15:22:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James Ralston 2017-02-18 20:55:05 UTC 
Description of problem:

In order to permit GSSAPI authentication, Cyrus imapd needs access to the imap/hostname Kerberos principal in the /etc/krb5.keytab file. On RHEL7 systems, the preferred way to do this is to configure the application to use the gssproxy interposer, described here:

https://fedorahosted.org/gss-proxy/wiki/Apache

E.g., in /etc/gssproxy/gssproxy.conf:

[service/imap]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 76
  krb5_principal = imap

Add create /etc/systemd/system/cyrus-imapd.service as follows:

.include /usr/lib/systemd/system/cyrus-imapd.service
[Service]
Environment=GSS_USE_PROXY=1

In order to speak to the gssproxy interposer, imapd needs access to /var/lib/gssproxy/default.sock. But unfortunately, SELinux blocks this access:

----
type=SYSCALL msg=audit(2017-02-18 15:43:24.276:1915) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7fff9db59310 a2=0x6e a3=0x1e items=0 ppid=29710 pid=30650 auid=unset uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=imapd exe=/usr/lib/cyrus-imapd/imapd subj=system_u:system_r:cyrus_t:s0 key=(null) 
type=AVC msg=audit(2017-02-18 15:43:24.276:1915) : avc:  denied  { search } for  pid=30650 comm=imapd name=gssproxy dev="dm-5" ino=4202830 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(2017-02-18 15:43:24.274:1914) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7fff9db59650 a2=0x6e a3=0x1e items=0 ppid=29710 pid=30650 auid=unset uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=imapd exe=/usr/lib/cyrus-imapd/imapd subj=system_u:system_r:cyrus_t:s0 key=(null) 
type=AVC msg=audit(2017-02-18 15:43:24.274:1914) : avc:  denied  { search } for  pid=30650 comm=imapd name=gssproxy dev="dm-5" ino=4202830 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir 

As a result, GSSAPI authentication fails.

If I make the cyrus_t type permissive by running "semanage permissive -a cyrus_t", then GSSAPI authentication succeeds, generating these avc messages:

----
type=SYSCALL msg=audit(2017-02-18 15:49:44.783:1917) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x13 a1=0x7ffcaeac8540 a2=0x6e a3=0x21 items=0 ppid=29710 pid=31312 auid=unset uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=imapd exe=/usr/lib/cyrus-imapd/imapd subj=system_u:system_r:cyrus_t:s0 key=(null) 
type=AVC msg=audit(2017-02-18 15:49:44.783:1917) : avc:  denied  { connectto } for  pid=31312 comm=imapd path=/var/lib/gssproxy/default.sock scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(2017-02-18 15:49:44.783:1917) : avc:  denied  { write } for  pid=31312 comm=imapd name=default.sock dev="dm-5" ino=4202816 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file 

Please update the SELinux targeted policy to permit the above access, so that we can enable GSSAPI authentication without needing to make the cyrus_t type permissive.

Version-Release number of selected component (if applicable):

0:cyrus-imapd-2.4.17-8.el7_1.x86_64
0:cyrus-imapd-utils-2.4.17-8.el7_1.x86_64
0:cyrus-sasl-2.1.26-20.el7_2.x86_64
0:cyrus-sasl-gssapi-2.1.26-20.el7_2.x86_64
0:cyrus-sasl-lib-2.1.26-20.el7_2.x86_64
0:cyrus-sasl-md5-2.1.26-20.el7_2.x86_64
0:cyrus-sasl-plain-2.1.26-20.el7_2.x86_64
0:gssproxy-0.4.1-13.el7.x86_64
0:libselinux-2.5-6.el7.x86_64
0:libselinux-devel-2.5-6.el7.x86_64
0:libselinux-python-2.5-6.el7.x86_64
0:libselinux-ruby-2.5-6.el7.x86_64
0:libselinux-utils-2.5-6.el7.x86_64
0:selinux-policy-3.13.1-102.el7_3.13.noarch
0:selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
Comment 4 errata-xmlrpc 2017-08-01 15:22:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861