Bug 1543576

Summary: freeIPA: AVC denial for write to KRB5 KDC DEFAULT.socket
Product: Fedora
Reporter: Christian Heimes <cheimes>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore, rharwood, ssorce
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.1-14.fc28
Doc Type: If docs needed, set a value
Last Closed: 2018-03-18 00:52:42 UTC
Type: Bug

Description Christian Heimes 2018-02-08 18:11:27 UTC
Description of problem:
During installation of freeIPA and every time I restart ipa-otpd.socket, I'm getting an AVC for /run/krb5kdc/DEFAULT.socket

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-7.fc28.noarch
freeipa-server-4.6.90.dev201802081725+gitbbda914e8-0.fc28.x86_64
krb5-server-1.16-4.x86_64

How reproducible:
always

Steps to Reproduce:
1. run ipa-server-install (currently needs special build with rawhide fixes)
2. systemctl restart ipa-otpd.socket

Actual results:
avc:  denied  { write } for  pid=1 comm="systemd" name="DEFAULT.socket" dev="tmpfs" ino=191528 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:krb5kdc_var_run_t:s0 tclass=sock_file permissive=1

Expected results:
no AVC

Additional info:
ipa-otpd.socket creates the socket:

# cat /usr/lib/systemd/system/ipa-otpd.socket
[Unit]
Description=ipa-otpd socket

[Socket]
ListenStream=/var/run/krb5kdc/DEFAULT.socket
RemoveOnStop=true
SocketMode=0600
Accept=true

[Install]
WantedBy=krb5kdc.service

Comment 1 Christian Heimes 2018-02-08 18:31:59 UTC
I'm also getting a very similar AVC for freeIPA's DNSSEC support:

avc:  denied  { write } for  pid=1 comm="systemd" name="engine.sock" dev="tmpfs" ino=229583 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=1

# cat /usr/lib/systemd/system/ipa-ods-exporter.socket
[Socket]
ListenStream=/var/run/opendnssec/engine.sock

[Install]
WantedBy=sockets.target

Comment 2 Fedora End Of Life 2018-02-20 15:27:03 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 3 Christian Heimes 2018-02-23 14:30:10 UTC
The AVC is still reproducible with selinux-policy-3.14.1-8.fc28.noarch and freeipa-server-4.6.90.dev201802231329+git0aaee0a97-0.fc28.x86_64 on latest F28.

time->Fri Feb 23 15:04:48 2018
type=AVC msg=audit(1519394688.802:1005): avc:  denied  { write } for  pid=1 comm="systemd" name="DEFAULT.socket" dev="tmpfs" ino=187168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:krb5kdc_var_run_t:s0 tclass=sock_file permissive=1
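The denials quoted in the description, comment 1 and comment 3 share one shape: systemd (init_t) writing the sock_file that a socket unit created under a service-specific var_run type, logged with permissive=1 and therefore not actually blocked. As an added example, not part of this bug report or of selinux-policy, the Python below parses such AVC lines into their denial tuple and derives the type-enforcement rule that audit2allow would propose; the sample input is the two lines from this bug plus one constructed non-AVC record.

```python
import re

# Shape of an SELinux AVC record: 'avc:  denied  { perms } for  key=value ...' (audit(...) prefix optional).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the two denials quoted in this bug plus one unrelated audit record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1519394688.802:1005): avc:  denied  { write } for  pid=1 comm="systemd" '
    'name="DEFAULT.socket" dev="tmpfs" ino=187168 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:krb5kdc_var_run_t:s0 tclass=sock_file permissive=1',
    'avc:  denied  { write } for  pid=1 comm="systemd" name="engine.sock" dev="tmpfs" ino=229583 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 '
    'tclass=sock_file permissive=1',
    'type=SERVICE_START msg=audit(1519394688.900:1006): pid=1 uid=0 comm="systemd"',
]

def parse_avc(line):
    """Extract the denial tuple from one AVC line; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # Context strings are user:role:type:level; only the type matters for the rule.
    return {
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
        # permissive=1: access was logged but NOT blocked (permissive mode or domain).
        'enforced': fields.get('permissive') != '1',
    }

def allow_rule(rec):
    """The type-enforcement rule audit2allow would derive from this denial."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms)

def summarize(lines):
    """Map each derived rule to the object names that triggered it."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules.setdefault(allow_rule(rec), []).append(rec['name'])
    return rules
```

The derived rule is a starting point for reviewing the denial against the shipped policy, not necessarily the change that landed in selinux-policy-3.14.1-14.fc28.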

Comment 4 Fedora Update System 2018-03-12 18:25:59 UTC
selinux-policy-3.14.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 5 Fedora Update System 2018-03-13 15:09:41 UTC
selinux-policy-3.14.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 6 Fedora Update System 2018-03-15 21:23:44 UTC
selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 7 Fedora Update System 2018-03-16 14:42:13 UTC
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc

Comment 8 Fedora Update System 2018-03-18 00:52:42 UTC
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.