Bug 1447411

Summary: sssd-kcm should not run as unconfined_service_t
Product: [Fedora] Fedora Reporter: Lukas Slebodnik <lslebodn>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-254.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1448060 (view as bug list) Environment:
Last Closed: 2017-06-09 18:58:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1448060    

Description Lukas Slebodnik 2017-05-02 16:19:55 UTC 
SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          vm-058-043.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vm-058-043.example.com
Platform                      Linux vm-058-043.example.com
                              4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24
                              15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-05-02 18:00:30 CEST
Last Seen                     2017-05-02 18:00:30 CEST
Local ID                      5ac9a2c2-e4fb-4ad1-97e6-e46f3aab16cd

Raw Audit Messages
type=AVC msg=audit(1493740830.125:704): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create
Comment 1 Lukas Slebodnik 2017-05-02 16:22:17 UTC 
How to reproduce:
dnf install --nogpgcheck --enablerepo=rawhide sssd-kcm // will backport to f26 in few weeks :-) 
systemctl enable sssd-secrets.socket sssd-kcm.socket
systemctl start sssd-kcm.socket

AVCs in permissive mode

type=AVC msg=audit(05/02/2017 18:01:25.561:727) : avc:  denied  { create } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(05/02/2017 18:01:25.561:728) : avc:  denied  { setopt } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(05/02/2017 18:01:25.562:729) : avc:  denied  { bind } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(05/02/2017 18:01:25.563:730) : avc:  denied  { listen } for  pid=1 comm=systemd path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
Comment 2 Lukas Slebodnik 2017-05-02 16:25:58 UTC 
There is also an AVC when using sssd-kcm.
sssd-kcm store KRB5 tickets in sssd-secrets and there is deny to write there.

Enforcing:
type=AVC msg=audit(05/02/2017 18:13:11.178:894) : avc:  denied  { write } for  pid=3252 comm=sssd_kcm name=secrets.socket dev="tmpfs" ino=49715 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0 

Permissive:
type=AVC msg=audit(05/02/2017 18:15:50.917:932) : avc:  denied  { write } for  pid=3317 comm=sssd_kcm name=secrets.socket dev="tmpfs" ino=49769 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1

SELinux is preventing sssd_kcm from write access on the sock_file secrets.socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_kcm should be allowed write access on the secrets.socket sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd_kcm' --raw | audit2allow -M my-sssdkcm
# semodule -X 300 -i my-sssdkcm.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:sssd_var_run_t:s0
Target Objects                secrets.socket [ sock_file ]
Source                        sssd_kcm
Source Path                   sssd_kcm
Port                          <Unknown>
Host                          vm-058-043.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vm-058-043.example.com
Platform                      Linux vm-058-043.example.com
                              4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24
                              15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   7
First Seen                    2017-05-02 18:06:19 CEST
Last Seen                     2017-05-02 18:13:11 CEST
Local ID                      a2fe4f0e-d1af-4482-8559-6264a8190e6d

Raw Audit Messages
type=AVC msg=audit(1493741591.178:894): avc:  denied  { write } for  pid=3252 comm="sssd_kcm" name="secrets.socket" dev="tmpfs" ino=49715 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0


Hash: sssd_kcm,sssd_t,sssd_var_run_t,sock_file,write
Comment 3 Lukas Slebodnik 2017-05-04 12:58:34 UTC 
PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/11
Comment 4 Fedora Update System 2017-05-15 21:15:14 UTC 
selinux-policy-3.13.1-254.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f762b31f8
Comment 5 Fedora Update System 2017-05-16 06:10:21 UTC 
selinux-policy-3.13.1-254.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f762b31f8
Comment 6 Lukas Slebodnik 2017-05-16 11:08:30 UTC 
There is missing transition rule for sockets

And I do not understand why there is a wrong file context
sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0

sh# rpm -q selinux-policy
selinux-policy-3.13.1-254.fc26.noarch
Comment 7 Lukas Vrabec 2017-05-17 09:57:09 UTC 
Lukas,

This commit is missing in -254.fc26 package: 

commit 8fd96cc5dadad1abb10a7a60b62bef887cd8361d
Author: Lukas Vrabec <lvrabec>
Date:   Tue May 16 15:06:26 2017 +0200

    Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/

It was fixed after update of -254.fc26. Fix will be part of -255.fc26
Comment 8 Lukas Slebodnik 2017-05-17 10:48:05 UTC 
(In reply to Lukas Vrabec from comment #7)
> Lukas,
> 
> This commit is missing in -254.fc26 package: 
> 
> commit 8fd96cc5dadad1abb10a7a60b62bef887cd8361d
> Author: Lukas Vrabec <lvrabec>
> Date:   Tue May 16 15:06:26 2017 +0200
> 
>     Allow sssd_t domain creating sock files labeled as sssd_var_run_t in
> /var/run/
> 
> It was fixed after update of -254.fc26. Fix will be part of -255.fc26

It is not related to transition. I build my own rpms with this patch and still have this problem. You can see it in seaserch output. But it does not explain why matchpathcon says *var_run_t* instead of *sssd_var_run_t*

sh# rpm -q selinux-policy
selinux-policy-3.13.1-254.fc26.ls.1495009265.noarch

sh# sesearch -T -s sssd_t -t var_run_t
type_transition sssd_t var_run_t:dir sssd_var_run_t;
type_transition sssd_t var_run_t:file sssd_var_run_t;
type_transition sssd_t var_run_t:sock_file sssd_var_run_t;

sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0
Comment 9 Lukas Slebodnik 2017-05-17 11:01:09 UTC 
It kind of works with following diff (removed double dash).
But I have no idea why it works well in el7 with double dash

diff --git a/sssd.fc b/sssd.fc
index 47b49ea17..e98b2def3 100644
--- a/sssd.fc
+++ b/sssd.fc
@@ -27,4 +27,4 @@
 
 /var/run/sssd.pid      --      gen_context(system_u:object_r:sssd_var_run_t,s0)
 /var/run/secrets.socket                gen_context(system_u:object_r:sssd_var_run_t,s0)
-/var/run/.heim_org.h5l.kcm-socket      --      gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/.heim_org.h5l.kcm-socket              gen_context(system_u:object_r:sssd_var_run_t,s0)

sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:sssd_var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:sssd_var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0
Comment 10 Lukas Slebodnik 2017-05-17 14:55:12 UTC 
Previous issue seems to be fixed by patch https://github.com/fedora-selinux/selinux-policy-contrib/pull/12


But there is still wrong context after starting socket with systemctl.

sh# systemctl stop sssd-kcm.{socket,service}
sh# rm -f /var/run/.heim_org.h5l.kcm-socket

sh# systemctl start sssd-kcm
sh# ls -lZ /var/run/.heim_org.h5l.kcm-socket
srw-rw-rw-. 1 root root system_u:object_r:sssd_var_run_t:s0 0 May 17 16:50 /var/run/.heim_org.h5l.kcm-socket

sh# systemctl stop sssd-kcm.{socket,service}
sh# rm -f /var/run/.heim_org.h5l.kcm-socket
sh# systemctl start sssd-kcm.socket

sh# ls -lZ /var/run/.heim_org.h5l.kcm-socket
srw-rw-rw-. 1 root root system_u:object_r:var_run_t:s0 0 May 17 16:50 /var/run/.heim_org.h5l.kcm-socket


sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:sssd_var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:sssd_var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0

sh# semanage fcontext -l | grep heim_org
/var/run/\.heim_org\.h5l\.kcm-socket               socket             system_u:object_r:sssd_var_run_t:s0
Comment 11 Fedora Update System 2017-06-09 18:58:38 UTC 
selinux-policy-3.13.1-254.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.