Bug 1439136
Summary: ipa trust-fetch-domains command displays avc denied message when SELinux is in permissive mode.

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Sudhir Menon <sumenon> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED NOTABUG | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.4 | CC | abokovoy, lvrabec, mgrepl, mmalik, plautrba, pvoborni, pvrabec, rcritten, ssekidde, sumenon, tscherf |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-04-05 13:03:20 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Sudhir Menon
2017-04-05 10:13:22 UTC
This is to selinux-policy.

Sudhir, /run/ipa/krb5cc_oddjob_trusts has wrong SELinux label. Could you run:

    # restorecon -Rv /run/ipa

To fix SELinux labels and then reproduce the issue? Thanks.

Lukas, I don't see the avc denied message after running restorecon -Rv /run/ipa

===Before running restorecon===

    [root@autohv01 ~]# ls -lZ /run/ipa
    drwxrwx---. ipaapi ipaapi unconfined_u:object_r:var_run_t:s0 ccaches
    -rw-------. root root system_u:object_r:var_run_t:s0 krb5cc_oddjob_trusts
    -rw-------. root root system_u:object_r:var_run_t:s0 krb5cc_oddjob_trusts_fetch
    -rw-------. root root system_u:object_r:certmonger_var_run_t:s0 renewal.lock
    -rw-r--r--. root root system_u:object_r:var_run_t:s0 services.list

    [root@autohv01 ~]# restorecon -Rv /run/ipa
    restorecon reset /run/ipa context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/krb5cc_oddjob_trusts_fetch context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/krb5cc_oddjob_trusts context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/services.list context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/renewal.lock context system_u:object_r:certmonger_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/ccaches context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/ccaches/admin context system_u:object_r:httpd_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/ccaches/host~client.testreal.test context system_u:object_r:httpd_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
    restorecon reset /run/ipa/ccaches/host~autohv01.testreal.test context system_u:object_r:httpd_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0

===After running restorecon===

    [root@autohv01 ~]# ls -lZ /run/ipa
    drwxrwx---. ipaapi ipaapi unconfined_u:object_r:ipa_var_run_t:s0 ccaches
    -rw-------. root root system_u:object_r:ipa_var_run_t:s0 krb5cc_oddjob_trusts
    -rw-------. root root system_u:object_r:ipa_var_run_t:s0 krb5cc_oddjob_trusts_fetch
    -rw-------. root root system_u:object_r:ipa_var_run_t:s0 renewal.lock
    -rw-r--r--. root root system_u:object_r:ipa_var_run_t:s0 services.list

Looks good. Closing this issue.

But if this is always reproducible, then there is an error somewhere (maybe IPA) - the file had wrong label.

I have no idea if following is root cause, but looks fishy (different credential caches):

In install/oddjob/com.redhat.idm.trust-fetch-domains:

    if not have_ccache:
        # delete stale ccache and try again
        if os.path.exists(oneway_ccache_name):
            os.unlink(ccache_name)

Where:

    oneway_ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts_fetch'
    ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts'

Introduced in: https://pagure.io/freeipa/c/aad73fad601f576dd83b758f4448839b4e8e87df

So Sudhir is this always reproducible? (From description it seems so)

These are two different ccaches for different purposes and they should stay this way. The first one is for us accessing a remote AD DC using TDO credential from the trusted forest root domain realm. The second one is for us accessing own LDAP server using cifs/... principal from our own realm.

Petr, for me this is always reproducible, if I do not run "restorecon -Rv /run/ipa" as mentioned in comment4. So maybe during installation itself the selinux labels should be corrected, i.e. it should be system_u:object_r:ipa_var_run_t:s0 instead of system_u:object_r:var_run_t:s0

/run/ipa is a temporary directory, re-created by tmpfiles.d after every boot. It should have proper labels already. Sudhir, if you'd reboot the server, what is output of ls -laZ /run/ipa ?

Alexander, tested this on pristine system and found that the selinux labels are set correctly after reboot and avc denied messages are not seen now

    [root@master ipa]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28

--Before reboot--

    [root@master ipa]# ls -alZ /run/ipa/
    drwx--x--x. root root unconfined_u:object_r:var_run_t:s0 .
    drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
    drwxrwx---. ipaapi ipaapi unconfined_u:object_r:var_run_t:s0 ccaches
    -rw-------. root root system_u:object_r:certmonger_var_run_t:s0 renewal.lock
    -rw-r--r--. root root system_u:object_r:var_run_t:s0 services.list

    #systemctl reboot

    [root@master ~]# ls -lZa /run/ipa/
    drwx--x--x. root root system_u:object_r:ipa_var_run_t:s0 .
    drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
    drwxrwx---. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 ccaches
    -rw-------. root root system_u:object_r:ipa_var_run_t:s0 renewal.lock
    -rw-r--r--. root root system_u:object_r:ipa_var_run_t:s0 services.list
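The thread above turns on one check: whether every entry under /run/ipa carries the ipa_var_run_t type the policy expects, and what a restorecon run changed. The script below is an added example (not code from the bug report, from selinux-policy or from FreeIPA) that parses the two output formats shown in the thread, `ls -lZ` listings and `restorecon -Rv` reports, and flags entries whose type component differs from an expected type. It assumes the RHEL 7 `ls -lZ` field layout seen in the report (mode, user, group, context, name); the sample inputs are constructed, modelled on the "before restorecon" listing, so the script runs without SELinux. On a real host the same functions can be fed from `ls -lZ` and from `restorecon -Rnv`, whose `-n` flag reports what would be relabeled without changing anything, which is the safer first step when a permissive-mode AVC message points at a mislabeled runtime directory.

```shell
#!/bin/sh
# Added example (not from the bug report): find entries whose SELinux type
# differs from the expected one, using the two output formats shown in the
# thread. Assumed field layout for `ls -lZ` on RHEL 7: mode user group context name.

# Constructed sample, modelled on the "before restorecon" listing in the report.
SAMPLE_LS_Z='drwxrwx---. ipaapi ipaapi unconfined_u:object_r:var_run_t:s0 ccaches
-rw-------. root root system_u:object_r:var_run_t:s0 krb5cc_oddjob_trusts
-rw-------. root root system_u:object_r:certmonger_var_run_t:s0 renewal.lock
-rw-r--r--. root root system_u:object_r:ipa_var_run_t:s0 services.list'

# Constructed sample of `restorecon -Rv` (or `restorecon -Rnv` dry-run) output.
SAMPLE_RESTORECON='restorecon reset /run/ipa context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/renewal.lock context system_u:object_r:certmonger_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/services.list context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0'

# mislabeled_entries EXPECTED_TYPE
# Reads `ls -lZ` lines on stdin; prints "name actual_type" for every entry
# whose type (third ':'-separated component of the context) differs.
# Prompt lines such as "[root@host ~]# ls -lZ /run/ipa" have fewer than
# five fields and are skipped.
mislabeled_entries() {
    awk -v want="$1" '
        NF >= 5 {
            split($4, ctx, ":")
            if (ctx[3] != want) print $5, ctx[3]
        }'
}

# count_mislabeled EXPECTED_TYPE -> number of mismatching entries on stdin
count_mislabeled() {
    mislabeled_entries "$1" | wc -l | tr -d ' '
}

# relabel_summary
# Reads `restorecon -Rv` output on stdin; prints "path old_type new_type"
# for each "restorecon reset PATH context OLD->NEW" line.
relabel_summary() {
    awk '
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, pair, "->")
            split(pair[1], oldctx, ":")
            split(pair[2], newctx, ":")
            print $3, oldctx[3], newctx[3]
        }'
}

# count_relabels -> number of reset lines on stdin
count_relabels() {
    relabel_summary | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed samples:
#   sh check_labels.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "Entries not labelled ipa_var_run_t:"
    printf '%s\n' "$SAMPLE_LS_Z" | mislabeled_entries ipa_var_run_t
    echo "Relabels reported by restorecon:"
    printf '%s\n' "$SAMPLE_RESTORECON" | relabel_summary
fi

# On a real host (needs SELinux; not exercised by the samples above):
#   ls -lZ /run/ipa | mislabeled_entries ipa_var_run_t
#   restorecon -Rnv /run/ipa | relabel_summary   # -n reports without changing labels
```

Run against the constructed listing, `mislabeled_entries ipa_var_run_t` reports ccaches and krb5cc_oddjob_trusts (var_run_t) and renewal.lock (certmonger_var_run_t), which are exactly the entries the report's restorecon run reset. Comparing the dry-run summary against the expected type before relabeling keeps the check separate from the fix, which matters when, as the thread concludes, the wrong labels come from how the directory was created rather than from the policy itself.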