Bug 1439136

Summary: ipa trust-fetch-domains command displays avc denied message when SELinux is in permissive mode.
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.4
CC: abokovoy, lvrabec, mgrepl, mmalik, plautrba, pvoborni, pvrabec, rcritten, ssekidde, sumenon, tscherf
Target Milestone: rc
Hardware: All
OS: Linux
Last Closed: 2017-04-05 13:03:20 UTC
Type: Bug

Description Sudhir Menon 2017-04-05 10:13:22 UTC
Description of problem: ipa trust-fetch-domains command displays avc denied message when SELinux is in permissive mode.

Version-Release number of selected component (if applicable):
ipa-server-dns-4.5.0-4.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-137.el7.noarch
selinux-policy-targeted-3.13.1-137.el7.noarch

How reproducible: Always

Steps to Reproduce:
1. Ensure SELinux is in permissive mode
2. Install IPA trust and establish trust with Windows 2016 AD
3. Now run ipa trust-fetch-domains win2k16.test

Actual results:
Command runs without any errors but AVC denied messages show up.


[root@autohv01 log]# date
Wed Apr  5 06:03:29 EDT 2017

[root@autohv01 log]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: win2k16.test
  Domain NetBIOS name: WIN2K16
  Domain Security Identifier: S-1-5-21-1240829736-1212639629-1557025649
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@autohv01 log]# ipa trust-fetch-domains win2k16.test
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------

time->Wed Apr  5 06:03:35 2017
type=SYSCALL msg=audit(1491386615.761:9355): arch=c000003e syscall=2 success=yes exit=3 a0=4ae83c0 a1=80000 a2=180 a3=2 items=0 ppid=877 pid=28801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1491386615.761:9355): avc:  denied  { open } for  pid=28801 comm="com.redhat.idm." path="/run/ipa/krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1491386615.761:9355): avc:  denied  { read } for  pid=28801 comm="com.redhat.idm." name="krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Apr  5 06:03:35 2017
type=SYSCALL msg=audit(1491386615.761:9356): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffec15e9440 a3=2 items=0 ppid=877 pid=28801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1491386615.761:9356): avc:  denied  { lock } for  pid=28801 comm="com.redhat.idm." path="/run/ipa/krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Apr  5 06:03:35 2017
type=SYSCALL msg=audit(1491386615.761:9357): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffec15e9320 a2=7ffec15e9320 a3=24 items=0 ppid=877 pid=28801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1491386615.761:9357): avc:  denied  { getattr } for  pid=28801 comm="com.redhat.idm." path="/run/ipa/krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

Expected results: Fix avc denied messages.

Additional info:
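To triage denials like the four quoted above, here is an added example (not part of the bug report or of IPA) that parses the AVC records, groups them by file identity and compares the target's type with the type expected for the path; EXPECTED_TYPE is an assumption taken from the restorecon output later in this thread.

```python
"""Added example (not from the bug report): group the AVC denials quoted above by
file identity and check the target's type against the type the policy expects for
the path, to tell a labeling problem (fix with restorecon) from a missing rule."""
import re

# Constructed sample input: the four AVC records from the description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1491386615.761:9355): avc:  denied  { open } for  pid=28801 comm="com.redhat.idm." path="/run/ipa/krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1491386615.761:9355): avc:  denied  { read } for  pid=28801 comm="com.redhat.idm." name="krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1491386615.761:9356): avc:  denied  { lock } for  pid=28801 comm="com.redhat.idm." path="/run/ipa/krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1491386615.761:9357): avc:  denied  { getattr } for  pid=28801 comm="com.redhat.idm." path="/run/ipa/krb5cc_oddjob_trusts" dev="tmpfs" ino=860461 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

# Expected type per path prefix (assumption; taken from the restorecon output in comment 4).
EXPECTED_TYPE = {"/run/ipa/": "ipa_var_run_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'(?:path="(?P<path>[^"]*)"|name="(?P<name>[^"]*)") dev="(?P<dev>[^"]+)" ino=(?P<ino>\d+) '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """One dict per AVC record; SYSCALL and other record types are ignored."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            out.append(d)
    return out

def triage(text):
    """Group by (source type, target type, class, dev, inode); path= and name= records share the inode."""
    groups = {}
    for r in parse_avc(text):
        stype, ttype = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
        g = groups.setdefault((stype, ttype, r["tclass"], r["dev"], r["ino"]),
                              {"perms": set(), "target": None})
        g["perms"].update(r["perms"])
        g["target"] = r["path"] or g["target"] or r["name"]  # prefer a full path
    findings = []
    for (stype, ttype, tclass, _dev, _ino), g in groups.items():
        expected = next((t for p, t in EXPECTED_TYPE.items() if g["target"].startswith(p)), None)
        # Wrong type on a known path -> relabel; otherwise the policy lacks a rule.
        verdict = "mislabel" if expected and expected != ttype else "policy"
        findings.append({"source": stype, "target_type": ttype, "tclass": tclass, "target": g["target"],
                         "perms": sorted(g["perms"]), "expected_type": expected, "verdict": verdict})
    return findings
```

For the records in this report it yields a single finding: ipa_helper_t denied open/read/lock/getattr on /run/ipa/krb5cc_oddjob_trusts labelled var_run_t where ipa_var_run_t is expected, i.e. a mislabel.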

Comment 2 Alexander Bokovoy 2017-04-05 10:36:28 UTC
This is to selinux-policy.

Comment 3 Lukas Vrabec 2017-04-05 12:03:19 UTC
Sudhir, 

/run/ipa/krb5cc_oddjob_trusts has wrong SELinux label. 

Could you run: 
#restorecon -Rv /run/ipa 

To fix SELinux labels and then reproduce the issue? 

Thanks.

Comment 4 Sudhir Menon 2017-04-05 12:48:32 UTC
Lukas,

I don't see the avc denied message after running restorecon -Rv /run/ipa

===Before running restorecon===
[root@autohv01 ~]# ls -lZ /run/ipa
drwxrwx---. ipaapi ipaapi unconfined_u:object_r:var_run_t:s0 ccaches
-rw-------. root   root   system_u:object_r:var_run_t:s0   krb5cc_oddjob_trusts
-rw-------. root   root   system_u:object_r:var_run_t:s0   krb5cc_oddjob_trusts_fetch
-rw-------. root   root   system_u:object_r:certmonger_var_run_t:s0 renewal.lock
-rw-r--r--. root   root   system_u:object_r:var_run_t:s0   services.list

[root@autohv01 ~]# restorecon -Rv /run/ipa 
restorecon reset /run/ipa context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/krb5cc_oddjob_trusts_fetch context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/krb5cc_oddjob_trusts context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/services.list context system_u:object_r:var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/renewal.lock context system_u:object_r:certmonger_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/ccaches context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/ccaches/admin context system_u:object_r:httpd_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/ccaches/host~client.testreal.test context system_u:object_r:httpd_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0
restorecon reset /run/ipa/ccaches/host~autohv01.testreal.test context system_u:object_r:httpd_var_run_t:s0->system_u:object_r:ipa_var_run_t:s0

===After running restorecon===
[root@autohv01 ~]# ls -lZ /run/ipa
drwxrwx---. ipaapi ipaapi unconfined_u:object_r:ipa_var_run_t:s0 ccaches
-rw-------. root   root   system_u:object_r:ipa_var_run_t:s0 krb5cc_oddjob_trusts
-rw-------. root   root   system_u:object_r:ipa_var_run_t:s0 krb5cc_oddjob_trusts_fetch
-rw-------. root   root   system_u:object_r:ipa_var_run_t:s0 renewal.lock
-rw-r--r--. root   root   system_u:object_r:ipa_var_run_t:s0 services.list

Comment 5 Lukas Vrabec 2017-04-05 13:03:20 UTC
Looks good. Closing this issue.

Comment 6 Petr Vobornik 2017-04-05 13:32:04 UTC
But if this is always reproducible, then there is an error somewhere (maybe IPA): the file had a wrong label.

I have no idea if the following is the root cause, but it looks fishy (different credential caches):

In install/oddjob/com.redhat.idm.trust-fetch-domains:

    if not have_ccache:
        # delete stale ccache and try again
        if os.path.exists(oneway_ccache_name):
            os.unlink(ccache_name)

Where:
    oneway_ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts_fetch'
    ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts'

Introduced in: https://pagure.io/freeipa/c/aad73fad601f576dd83b758f4448839b4e8e87df

So Sudhir, is this always reproducible? (From the description it seems so.)

Comment 7 Alexander Bokovoy 2017-04-05 13:37:54 UTC
These are two different ccaches for different purposes and they should stay this way. The first one is for us accessing a remote AD DC using TDO credential from the trusted forest root domain realm. The second one is for us accessing own LDAP server using cifs/... principal from our own realm.

Comment 8 Sudhir Menon 2017-04-06 06:09:54 UTC
Petr,
For me this is always reproducible if I do not run "restorecon -Rv /run/ipa" as mentioned in comment 4.
So maybe during installation itself the SELinux labels should be corrected, i.e. it should be system_u:object_r:ipa_var_run_t:s0 instead of system_u:object_r:var_run_t:s0.

Comment 9 Alexander Bokovoy 2017-04-06 06:58:12 UTC
/run/ipa is a temporary directory, re-created by tmpfiles.d after every boot. It should have proper labels already.

Sudhir, if you'd reboot the server, what is the output of

   ls -laZ /run/ipa
?

Comment 10 Sudhir Menon 2017-04-06 11:53:27 UTC
Alexander,
Tested this on a pristine system and found that the SELinux labels are set correctly after reboot and avc denied messages are not seen now.

[root@master ipa]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

--Before reboot--
[root@master ipa]# ls -alZ /run/ipa/
drwx--x--x. root   root   unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_run_t:s0   ..
drwxrwx---. ipaapi ipaapi unconfined_u:object_r:var_run_t:s0 ccaches
-rw-------. root   root   system_u:object_r:certmonger_var_run_t:s0 renewal.lock
-rw-r--r--. root   root   system_u:object_r:var_run_t:s0   services.list

#systemctl reboot

[root@master ~]# ls -lZa /run/ipa/
drwx--x--x. root   root   system_u:object_r:ipa_var_run_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_run_t:s0   ..
drwxrwx---. ipaapi ipaapi system_u:object_r:ipa_var_run_t:s0 ccaches
-rw-------. root   root   system_u:object_r:ipa_var_run_t:s0 renewal.lock
-rw-r--r--. root   root   system_u:object_r:ipa_var_run_t:s0 services.list