Bug 1559677

Summary: SELinux denials for FreeIPA in Fedora 28
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: unspecified
Version: 28
CC: dwalsh, gmarr
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: AcceptedFreezeException
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-03-26 22:31:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1469205

Description Adam Williamson 2018-03-23 01:49:13 UTC
In testing of FreeIPA on Fedora 28, the following SELinux denials are seen:

----
time->Thu Mar 22 18:16:03 2018
type=AVC msg=audit(1521756963.093:152): avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
----
time->Thu Mar 22 18:16:28 2018
type=AVC msg=audit(1521756988.533:164): avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/17618" dev="proc" ino=341800 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:17:14 2018
type=AVC msg=audit(1521757034.445:180): avc:  denied  { map } for  pid=18441 comm="java" path="/tmp/hsperfdata_pkiuser/18441" dev="tmpfs" ino=346884 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
----
time->Thu Mar 22 18:18:12 2018
type=AVC msg=audit(1521757092.225:196): avc:  denied  { map } for  pid=18940 comm="java" path="/tmp/hsperfdata_pkiuser/18940" dev="tmpfs" ino=352009 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
----
time->Thu Mar 22 18:18:27 2018
type=AVC msg=audit(1521757107.891:204): avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/19138" dev="proc" ino=355578 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:20:43 2018
type=AVC msg=audit(1521757243.481:100): avc:  denied  { getattr } for  pid=785 comm="gssproxy" path="/proc/800" dev="proc" ino=23814 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:20:53 2018
type=AVC msg=audit(1521757253.818:189): avc:  denied  { getattr } for  pid=785 comm="gssproxy" path="/proc/1426" dev="proc" ino=29955 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:21:01 2018
type=AVC msg=audit(1521757261.950:208): avc:  denied  { map } for  pid=1931 comm="java" path="/tmp/hsperfdata_pkiuser/1931" dev="tmpfs" ino=32077 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0

None of these leads to an obvious failure in the tests, but of course they could be affecting non-tested functionality, or have a subtle effect. The gssproxy one at least seems related to error messages from gssproxy:

Mar 22 15:18:27 ipa001.domain.local audit[17591]: AVC avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/19138" dev="proc" ino=355578 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
Mar 22 15:18:27 ipa001.domain.local gssproxy[17590]: gssproxy[17591]: Unexpected failure in realpath: 13 (Permission denied)
Mar 22 15:18:27 ipa001.domain.local gssproxy[17591]: Unexpected failure in realpath: 13 (Permission denied)

The Java ones appear to happen on certificate import, though no obvious errors are shown:

Mar 22 15:16:02 ipa001.domain.local pkidaemon[17013]: Exporting SSL server certificate and key into keystore.
Mar 22 15:16:03 ipa001.domain.local audit[17159]: AVC avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
Mar 22 15:16:03 ipa001.domain.local pkidaemon[17013]: ----------------------------------------------
Mar 22 15:16:03 ipa001.domain.local pkidaemon[17013]: Imported certificate "Server-Cert cert-pki-ca"
Mar 22 15:16:03 ipa001.domain.local pkidaemon[17013]: ----------------------------------------------

Proposing as a freeze exception issue for Beta, it'd be nice to clean these up for the release.
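
The denials above are the usual raw material for an SELinux policy fix: each AVC line names a source domain, a target type, an object class and the permission that was refused, and the fix is an `allow` rule over exactly those four things. The script below is an added example, not code from this bug or from the selinux-policy project, and not Fedora's `audit2allow` (which does the same job with more knowledge of the policy). It parses AVC lines in both the `ausearch` and `journalctl` formats, collapses repeated denials (the three java `map` denials and the two `gssproxy`/`httpd_t` denials each become one rule), and renders the loadable-module source a practitioner would build as a stopgap. The sample input is constructed from the denials quoted in this report; the module name `freeipa_local` is an assumption.

```python
"""Turn SELinux AVC denials into the matching allow rules / a local TE module.

Added example for bug 1559677; not the project's code and not audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample: copies of the denials quoted in the bug. The fourth line is in
# journalctl format rather than ausearch format, to show both are handled.
SAMPLE_AVCS = """\
type=AVC msg=audit(1521756963.093:152): avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1521756988.533:164): avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/17618" dev="proc" ino=341800 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1521757243.481:100): avc:  denied  { getattr } for  pid=785 comm="gssproxy" path="/proc/800" dev="proc" ino=23814 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=dir permissive=0
Mar 22 15:18:27 ipa001.domain.local audit[17591]: AVC avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/19138" dev="proc" ino=355578 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1521757261.950:208): avc:  denied  { map } for  pid=1931 comm="java" path="/tmp/hsperfdata_pkiuser/1931" dev="tmpfs" ino=32077 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..." in either log format.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one denial plus a 'perms' set, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def selinux_type(context):
    """user:role:type:level -> type, the component allow rules are written against."""
    return context.split(":")[2]


def collect_rules(text):
    """Aggregate denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def fmt_perms(perms):
    """TE syntax: a bare name for one permission, a braced list for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(text):
    """The allow statements that would silence the denials, sorted and de-duplicated."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};"
            for (s, t, c), p in sorted(collect_rules(text).items())]


def render_te_module(text, name="freeipa_local"):
    """Source for a loadable policy module (.te), in the layout audit2allow -M produces."""
    rules = collect_rules(text)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te_module(SAMPLE_AVCS))
```

Run against the denials in this report the output reduces to three rules: `allow gssproxy_t gssd_t:dir getattr;`, `allow gssproxy_t httpd_t:dir getattr;` and `allow pki_tomcat_t pki_tomcat_tmp_t:file map;`. The rendered `.te` can be built and loaded with `checkmodule -M -m -o freeipa_local.mod freeipa_local.te`, `semodule_package -o freeipa_local.pp -m freeipa_local.mod` and `semodule -i freeipa_local.pp`, which is the stopgap for a host that cannot yet take the updated selinux-policy package recorded in the comments below. Two caveats before loading such a module: the `gssproxy` targets are `/proc/<pid>` directories, which carry the label of the process they describe, so `realpath()` walking one needs `dir getattr` against every domain gssproxy may look at (here `httpd_t` and `gssd_t`), and a local module should grant no more than that; and the java `map` denials come from the JVM mmapping its `hsperfdata` counter file, so an alternative to widening policy is to start the JVM with `-XX:-UsePerfData`, which stops the file being created at all.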

Comment 1 Fedora Update System 2018-03-26 17:31:35 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 2 Geoffrey Marr 2018-03-26 18:56:19 UTC
Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as it's desirable to avoid SELinux denials to a blocker path function (FreeIPA server), and SELinux policy easing is a very safe activity.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt

Comment 3 Fedora Update System 2018-03-26 21:50:09 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 4 Fedora Update System 2018-03-26 22:31:01 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.