Bug 1483170

Summary: 'map' denial for comm 'ns-slapd' path '/run/dirsrv/slapd-DOMAIN-LOCAL.stats' (breaks FreeIPA deployment)
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: high
Priority: unspecified
Version: 27
CC: abokovoy, dwalsh, kparal, lslebodn, rcritten, robatino, ssorce, tkrizek
Hardware: All
OS: Linux
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-276.fc27
Doc Type: If docs needed, set a value
Last Closed: 2017-09-12 22:46:15 UTC
Type: Bug
Bug Blocks: 1396702, 1481454

Description Adam Williamson 2017-08-18 23:16:46 UTC
Getting this SELinux denial during openQA FreeIPA server deployment tests:

Aug 17 22:24:53 ipa001.domain.local audit[4292]: AVC avc:  denied  { map } for  pid=4292 comm="ns-slapd" path="/run/dirsrv/slapd-DOMAIN-LOCAL.stats" dev="tmpfs" ino=33024 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file permissive=0

I believe it's preventing the deployment from working, as it fails with this error:

[17/08/18:01:34:53] - [Setup] Info Could not start the directory server using command '/bin/systemctl start dirsrv'.  The last line from the error log was '[18/Aug/2017:01:24:53.192492479 -0400] - EMERG - snmp collator - Failed to open stats file (/var/run/dirsrv/slapd-DOMAIN-LOCAL.stats) (error 1): Operation not permitted.

Note that the DOMAIN-LOCAL part of the file name is variable (it's based on the domain's name).

Proposing as an F27 Beta blocker as this prevents FreeIPA deployment, which violates Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Role_definition_requirements - since the domain controller role is a release-blocking role.

Comment 1 Adam Williamson 2017-08-18 23:18:08 UTC
cc'ing freeipa folks for reference (just so you know what's busted; I don't think you have anything to fix here).

Comment 2 Kamil Páral 2017-08-21 17:21:27 UTC
Discussed during blocker review [1]:

AcceptedBlocker (Beta) - breaks deployment of FreeIPA servers, clear violation of Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." for the domain controller role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/

Comment 3 Adam Williamson 2017-08-23 21:38:55 UTC
3.13.1-273 does seem to fix this exact denial, but 389-ds still fails to start (and FreeIPA deployment fails) due to another, similar denial:

Aug 23 12:42:11 ipa001.domain.local audit[4319]: AVC avc:  denied  { map } for  pid=4319 comm="ns-slapd" path="/dev/shm/QSql25" dev="tmpfs" ino=32992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=0

Should I file a new bug for that?

Comment 4 Lukas Vrabec 2017-08-26 10:10:13 UTC
No, I'll fix it.

Comment 5 Adam Williamson 2017-09-12 02:03:48 UTC
Once again, that denial is fixed in -276 (well, I checked with -280), but there are still some denials that prevent deployment from working in -280:

Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

I have also mentioned this in https://bugzilla.redhat.com/show_bug.cgi?id=1488404 .
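The AVC records quoted in this bug (the `map` denials in the description and comment 3, the `write`/`link` denials above) are the raw material for triage: which domain was denied which permission on which target type, and whether the answer is a policy change or a mislabeled file. The following is an added example, not code from this bug or from the selinux-policy or FreeIPA projects. It parses the audit lines quoted on this page (embedded here as constructed sample input, trimmed to the audit record), collapses the repeated `dse.ldif` records, and renders each group as an audit2allow-style rule; the `likely_mislabeled` heuristic (an assumption of this example, not anything the policy tools do) flags groups whose target type does not belong to the denied domain's own type family, which is the shape of the `rolekit_tmp_t` case that comment 6 attributes to the installer rather than to policy.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug report, reduced to the
# audit portion of each line. Not a live capture from a running system.
AVC_LINES = [
    'audit[4292]: AVC avc:  denied  { map } for  pid=4292 comm="ns-slapd" path="/run/dirsrv/slapd-DOMAIN-LOCAL.stats" dev="tmpfs" ino=33024 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file permissive=0',
    'audit[4319]: AVC avc:  denied  { map } for  pid=4319 comm="ns-slapd" path="/dev/shm/QSql25" dev="tmpfs" ino=32992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=0',
    'audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0',
    'audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0',
    'audit[5710]: AVC avc:  denied  { link } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # path= is present for open files, name= for directory-entry operations
        'target': fields.get('path') or fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not actually blocked
        'permissive': fields.get('permissive') == '1',
    }


def context_type(ctx):
    """Extract the type component from a user:role:type[:level] context string."""
    return ctx.split(':')[2]


def summarize(lines):
    """Group enforced denials by (source type, target type, class) -> sorted permissions.

    Repeated records for the same object (the three dse.ldif writes) collapse
    into one group, which is the view audit2allow gives you.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


def as_allow_rules(summary):
    """Render each group as an allow rule in the form audit2allow would print.

    Rendering a rule is not the same as deciding to ship it; see likely_mislabeled.
    """
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def likely_mislabeled(summary, type_prefix):
    """Heuristic (this example's assumption): a denial whose target type does not
    share the daemon's type prefix usually means the file sits in a context it
    was never meant to have, so the fix is to relabel or to stop creating it
    there, not to widen policy. dirsrv_t -> rolekit_tmp_t is that pattern."""
    return [key for key in sorted(summary) if not key[1].startswith(type_prefix)]


if __name__ == '__main__':
    summary = summarize(AVC_LINES)
    for rule in as_allow_rules(summary):
        print(rule)
    for key in likely_mislabeled(summary, 'dirsrv_'):
        print('review before allowing:', key)
```

Run as a script it prints three candidate rules and flags the `rolekit_tmp_t` group for review; the same functions can be fed `ausearch -m avc` output line by line, since only the `avc: ... for ...` portion of each record is consumed.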

Comment 6 Lukas Slebodnik 2017-09-12 08:08:31 UTC
(In reply to Adam Williamson from comment #5)
> Once again, that denial is fixed in -276 (well, I checked with -280), but
> there are still some denials that prevent deployment working in -280:
> 
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> 

Lukas,
I hope you didn't try to allow these AVCs, because it is a bug in the ipa-server-install script, BZ1490762

Comment 7 Alexander Bokovoy 2017-09-12 21:19:32 UTC
I have fixed it in https://github.com/freeipa/freeipa/pull/1062

So we either use this bug to deliver freeipa update with it or add bugzilla 1490762 to the blockers list.

Comment 8 Adam Williamson 2017-09-12 22:46:15 UTC
We've made 1490762 an AcceptedBlocker, please send out a FreeIPA update marked as fixing it. Thanks!

Since there's only the rolekit_tmp denials and one other denial for systemd during decommissioning left in current F27 composes, I'm going to close this bug now.