Bug 1548439

Summary: freeIPA: AVC denials for scontext=gssproxy_t and tcontext=httpd_t
Product: [Fedora] Fedora Reporter: Christian Heimes <cheimes>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: cheimes, dwalsh, lvrabec, mgrepl, plautrba, pmoore, rharwood, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.1-18.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-26 22:31:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
All AVCs related to gssproxy none

Description Christian Heimes 2018-02-23 14:25:59 UTC
Description of problem:
I'm getting multiple SELinux AVCs for gssproxy during installation of latest freeIPA master (4.7-dev)

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-8.fc28.noarch
freeipa-server-4.6.90.dev201802231329+git0aaee0a97-0.fc28.x86_64
gssproxy-0.8.0-1.fc28.x86_64
httpd-2.4.29-5.fc28.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Build latest freeIPA from git master
2. ipa-server-install
3.

Actual results:
type=AVC msg=audit(1519395012.557:1182): avc:  denied  { sys_ptrace } for  pid=62136 comm="gssproxy" capability=19  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1519395012.557:1183): avc:  denied  { read } for  pid=62136 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1

type=AVC msg=audit(1519395012.557:1184): avc:  denied  { getattr } for  pid=62136 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=148624 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1


Expected results:
No AVC

Additional info:

Comment 1 Christian Heimes 2018-02-23 14:31:01 UTC
Created attachment 1399886 [details]
All AVCs related to gssproxy

Comment 2 Lukas Vrabec 2018-03-10 14:17:29 UTC
Christian, 

Is there any possibility that it was built with some debug flags if it from dev branch? 

Lukas.

Comment 3 Christian Heimes 2018-03-13 13:50:37 UTC
It's very well possible. I'll do another test installation by the end of the week and will update the ticket.

Comment 4 Christian Heimes 2018-03-14 14:48:31 UTC
I'm still getting AVC with

mod_auth_gssapi-1.6.0-1.fc28.x86_64
gssproxy-0.8.0-2.fc28.x86_64
selinux-policy-3.14.1-13.fc28.noarch


----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:385): avc:  denied  { search } for  pid=6257 comm="gssproxy" name="6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:386): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/proc/6380/exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:387): avc:  denied  { read } for  pid=6257 comm="gssproxy" name="exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:388): avc:  denied  { read } for  pid=6257 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:384): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/proc/6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.230:389): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=172160 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1

Comment 5 Fedora Update System 2018-03-25 13:12:22 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 6 Fedora Update System 2018-03-25 20:32:59 UTC
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 7 Fedora Update System 2018-03-26 21:51:02 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 8 Fedora Update System 2018-03-26 22:31:31 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.