Bug 1543569

Summary: freeIPA: AVC write denial for httpd on cert9.db
Product: [Fedora] Fedora Reporter: Christian Heimes <cheimes>
Component: nss-softoknAssignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: awilliam, cheimes, dueno, dwalsh, elio.maldonado.batiz, kengert, lvrabec, mgrepl, plautrba, pmoore, rcritten, rrelyea
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-20 12:08:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Heimes 2018-02-08 18:01:31 UTC 
Description of problem:
I'm getting a AVC denial for /etc/httpd/alias/cert9.db during installation of freeIPA and for every restart of httpd. freeIPA uses mod_nss. Recently NSS was changed to use SQL db format (cert9.db) instead of DBM format (cert8.db).

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-7.fc28.noarch
mod_nss-1.0.16-1.fc28.x86_64
freeipa-server-4.6.90.dev201802081725+gitbbda914e8-0.fc28.x86_64
httpd-2.4.29-5.fc28.x86_64


How reproducible:
always

Steps to Reproduce:
1. run ipa-server-install (currently needs special build with rawhide fixes)

An Apache httpd installation with mod_nss may be enough to trigger the AVC, too.

Actual results:
no AVC

Expected results:
avc:  denied  { write } for  pid=43643 comm="httpd" name="cert9.db" dev="dm-0" ino=163181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

Additional info:
# stat /etc/httpd/alias/cert9.db
  File: /etc/httpd/alias/cert9.db
  Size: 28672           Blocks: 56         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 163181      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (   48/  apache)
Context: system_u:object_r:cert_t:s0
Access: 2018-02-08 18:48:40.330076372 +0100
Modify: 2018-02-08 18:48:40.313076372 +0100
Change: 2018-02-08 18:48:40.313076372 +0100

I suspect that mod_nss or NSS opens the database for writing. Maybe sqlite does some locking? Rob or Kai might know.
Comment 1 Christian Heimes 2018-02-08 18:02:35 UTC 
Err, I confused expected result and actual result.

Actual results:
avc:  denied  { write } for  pid=43643 comm="httpd" name="cert9.db" dev="dm-0" ino=163181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

Expected results:
no AVC
Comment 2 Fedora End Of Life 2018-02-20 15:26:59 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.
Comment 3 Christian Heimes 2018-02-23 14:29:09 UTC 
The bug is no longer reproducible with freeIPA because freeIPA has replaced mod_nss with mod_ssl. Other users of mod_nss are most likely still affected.
Comment 4 Lukas Vrabec 2018-02-27 14:35:01 UTC 
Kai, 

Do you know whats going on here? 

From Description:
"I suspect that mod_nss or NSS opens the database for writing. Maybe sqlite does some locking? Rob or Kai might know." 

Yes, also think that NSS opens db for writing. Is it really necessary? I don't like idea to allow httpd_t domain to write to cert_t files. 

Thanks,
Lukas.
Comment 5 Christian Heimes 2018-02-27 14:48:08 UTC 
It might be sqlite. The libraries tries to open the file for reading. Here is a simplified example:

$ mkdir /tmp/testdb
$ sqlite3 /tmp/testdb/test.db -line 'create table memos(text, priority INTEGER);'
$ chmod a-w /tmp/testdb/ /tmp/testdb/test.db
$ strace -e file sqlite3 /tmp/testdb/test.db -line 'select * from memos;'
execve("/usr/bin/sqlite3", ["sqlite3", "/tmp/testdb/test.db", "-line", "select * from memos;"], 0x7ffebde06e78 /* 91 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libreadline.so.7", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libncurses.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libtinfo.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
access("/tmp/testdb/test.db", F_OK)     = 0
lstat("/tmp/testdb/test.db", {st_mode=S_IFREG|0444, st_size=8192, ...}) = 0
stat("/tmp/testdb/test.db", {st_mode=S_IFREG|0444, st_size=8192, ...}) = 0
openat(AT_FDCWD, "/tmp/testdb/test.db", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/tmp/testdb/test.db", O_RDONLY|O_CLOEXEC) = 3
stat("/tmp/testdb/test.db", {st_mode=S_IFREG|0444, st_size=8192, ...}) = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/home/heimes/.sqliterc", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/tmp/testdb/test.db-journal", 0x7ffe2e3e8690) = -1 ENOENT (No such file or directory)
stat("/tmp/testdb/test.db-wal", 0x7ffe2e3e8690) = -1 ENOENT (No such file or directory)
stat("/tmp/testdb/test.db-journal", 0x7ffe2e3e99f0) = -1 ENOENT (No such file or directory)
stat("/tmp/testdb/test.db-wal", 0x7ffe2e3e99f0) = -1 ENOENT (No such file or directory)
stat("/tmp/testdb/test.db", {st_mode=S_IFREG|0444, st_size=8192, ...}) = 0
+++ exited with 0 +++
Comment 6 Christian Heimes 2018-02-27 14:50:32 UTC 
Err, I meant "sqlite first tries to open the db for writing".
Comment 7 Kai Engert (:kaie) (inactive account) 2018-04-13 13:53:33 UTC 
Sorry for the delay. We discovered that NSS never attempts to open the sqlite database in read only mode, even if the application asks for read-only mode.

See the following upstream bug for more details:
https://bugzilla.mozilla.org/show_bug.cgi?id=1449169

We should change NSS to use a newer sqlite API, that will allow the read-only opening, and should avoid changes to selinux.
Comment 8 Kai Engert (:kaie) (inactive account) 2018-04-13 13:54:44 UTC 
We are late in the development cycle for Fedora 28. The final freeze is in 4 days, April 17.

Do you think it's acceptable if we fix this in a regular nss-softokn.rpm update, after the Fedora 28 release?
Comment 9 Christian Heimes 2018-04-16 07:21:58 UTC 
FreeIPA 4.7 no longer uses mod_nss. Therefore we are not affected by the bug any more. I ran into the issue during an early alpha release. Other users of mod_nss are still affected, though. I'm including Rob.

I don't know if it's acceptable to fix the issue after F28 is released. Adam Williamson may know.
Comment 10 Kai Engert (:kaie) (inactive account) 2018-04-16 09:13:33 UTC 
(In reply to Christian Heimes from comment #9)
> I don't know if it's acceptable to fix the issue after F28 is released. Adam
> Williamson may know.
Comment 11 Rob Crittenden 2018-04-16 18:52:23 UTC 
I don't think this would warrant being a blocker. I'm ok with fixing it ASAP once F28 is released.
Comment 12 Adam Williamson 2018-04-16 19:09:17 UTC 
Do we know whether the denial results in mod_nss getting read-only access to the DB, or not getting *any* access?
Comment 13 Rob Crittenden 2018-04-16 19:21:57 UTC 
mod_nss opens the database exclusively read only by passing the NSS_INIT_READONLY to NSS_Initialize. It never opens it read/write.
Comment 14 Adam Williamson 2018-04-16 19:31:53 UTC 
That's what it *tries* to do, but the problem is explained in https://bugzilla.redhat.com/show_bug.cgi?id=1543569#c7 and in more detail in https://bugzilla.mozilla.org/show_bug.cgi?id=1449169 - mod_nss asks NSS to open the database read-only, but NSS does not actually honor that request from mod_nss.

What I'm asking is, when NSS does the wrong thing and hits this denial, does that prevent it accessing the DB entirely, or just mean it works fine (i.e. we get read access) but a meaningless AVC shows up?
Comment 15 Christian Heimes 2018-04-16 19:35:29 UTC 
Unknown, I only tried to run mod_nss in permissive mode and got the AVC.
Comment 16 Kai Engert (:kaie) (inactive account) 2018-04-16 21:11:28 UTC 
NSS/SQLite fall back to read-only opening. So, if read-only access was intended, the app gets what it wants on the automatic fallback performed by SQLIte, after having gotten the denial.
Comment 17 Adam Williamson 2018-04-16 21:40:37 UTC 
OK. So the only real consequence here is the AVC getting generated. That's the info I was looking for, thanks.
Comment 18 Daiki Ueno 2018-07-20 12:04:28 UTC 
Kai, I guess this can be closed now (as upstream fix was landed in 3.37)?
Comment 19 Kai Engert (:kaie) (inactive account) 2018-07-20 12:08:41 UTC 
Sounds good.

Christian, please let us know if you still see a problem.