Bug 1441376
| Summary: | gssproxy unable to access /var/lib/ipa/gssproxy/http.keytab | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | Martin Bašti <mbasti> |
| Status: | CLOSED DUPLICATE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | mbasti, pvoborni, rcritten, rharwood, tscherf |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-04-20 10:52:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
FYI, full AVC denial messages:
[root@rhel7-2 ~]# ausearch -m avc
----
time->Tue Apr 11 15:12:24 2017
type=SYSCALL msg=audit(1491941544.278:552): arch=c000003e syscall=2 success=no exit=-13 a0=7fde7002a670 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=6803 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gssproxy" exe="/usr/sbin/gssproxy" subj=system_u:system_r:gssproxy_t:s0 key=(null)
type=AVC msg=audit(1491941544.278:552): avc: denied { dac_read_search } for pid=6803 comm="gssproxy" capability=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability
type=AVC msg=audit(1491941544.278:552): avc: denied { dac_override } for pid=6803 comm="gssproxy" capability=1 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability
Martin, are these AVCs part of the ones you reported after your investigation? Well,
I reported following:
Raw Audit Messages
type=AVC msg=audit(1491815464.382:104238): avc: denied { dac_override } for pid=109579 comm="gssproxy" capability=1 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability
type=SYSCALL msg=audit(1491815464.382:104238): arch=x86_64 syscall=open success=yes exit=EEXIST a0=7f8c34047c90 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=109579 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=gssproxy exe=/usr/sbin/gssproxy subj=system_u:system_r:gssproxy_t:s0 key=(null)
But for unknown reason it misses this AVC:
type=AVC msg=audit(1491941544.278:552): avc: denied { dac_read_search } for pid=6803 comm="gssproxy" capability=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability
Maybe because gssproxy in enforcing mode failed to access keytab, it probably tried another method and caused a new AVC that I haven't been able to get in permissive mode. Reported as part of bug 1432115 *** This bug has been marked as a duplicate of bug 1432115 *** |
Description of problem: It appears that on a fresh IPA install, there may be issues with SELinux and/or permissions set for /var/lib/ipa/gssproxy/http.keytab. With SELinux in enforcing mode, we see ipa commands fail and AVC denials. [root@rhel7-2 audit]# ipa user-find ipa: ERROR: No valid Negotiate header in server response [root@rhel7-2 audit]# cat audit.log|audit2allow #============= gssproxy_t ============== allow gssproxy_t self:capability { dac_override dac_read_search }; With some digging, we see the following failure in /var/log/messages from when gssproxy started: Apr 11 15:00:57 rhel7-2 gssproxy: gssproxy[6803]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, Keytab FILE:/var/lib/ipa/gssproxy/http.keytab is nonexistent or empty Looking at the directory and file: [root@rhel7-2 ~]# ls -ldZ /var/lib/ipa/gssproxy drwx------. root root system_u:object_r:ipa_var_lib_t:s0 /var/lib/ipa/gssproxy [root@rhel7-2 ~]# ls -ldZ /var/lib/ipa/gssproxy/http.keytab -rw-------. apache apache unconfined_u:object_r:ipa_var_lib_t:s0 /var/lib/ipa/gssproxy/http.keytab Version-Release number of selected component (if applicable): ipa-server-4.5.0-5.el7.x86_64 gssproxy-0.7.0-3.el7.x86_64 How reproducible: always if gssproxy is started when SELinux in enforcing mode. Steps to Reproduce: 1. ipa-server-install* 2. setenforce 1 3. ipactl restart 4. ipa user-find *note that due to some other unrelated AVC work still being finished, this had to be run with in permissive mode. Actual results: Throws errors and AVCs Expected results: No errors or AVCs Additional info: