Bug 1574537

Summary: svnserve cannot contact saslauthd service
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.5
CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-199.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1574671
Environment:
Last Closed: 2018-10-30 10:03:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2018-05-03 13:58:54 UTC
Description of problem:

When using SASL authentication with svnserve, we can see that attempts to contact saslauthd fail with the following AVC:

# ausearch -ts recent -m avc
----
time->Thu May  3 15:48:17 2018
type=SYSCALL msg=audit(1525355297.711:173): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffcf3adbbc0 a2=6e a3=21 items=0 ppid=3986 pid=4009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1525355297.711:173): avc:  denied  { connectto } for  pid=4009 comm="svnserve" path="/run/saslauthd/mux" scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket


This looks odd to me since there is a SELinux rule to allow that:

# sesearch -A -s svnserve_t -t saslauthd_t
Found 3 semantic av rules:
   allow domain domain : key { search link } ; 
   allow domain domain : fd use ; 
   allow daemon daemon : unix_stream_socket connectto ; 


Version-Release number of selected component (if applicable):

(RHEL7.5)
selinux-policy-3.13.1-192.el7_5.3.noarch
cyrus-sasl-2.1.26-23.el7.x86_64
subversion-1.7.14-14.el7.x86_64


How reproducible:

Always

Steps to Reproduce:
1. Install subversion and cyrus-sasl

# yum -y install subversion cyrus-sasl-*

2. Configure subversion to use SASL

# mkdir /var/svn; svnadmin create /var/svn/proj; restorecon -R /var/svn
# cat /var/svn/proj/conf/svnserve.conf
[sasl]
use-sasl = true

# cat /etc/sasl2/svn.conf 
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

3. Use the svn CLI

# svn list -v svn://localhost/proj --username rmetrich
Authentication realm: <svn://localhost:3690> f8e4fb61-99ed-4836-8b7f-e2255581ce72
Password for 'rmetrich': FOO (type something, we don't care)
^C


Actual results:

# ausearch -ts recent -m avc
----
time->Thu May  3 15:57:30 2018
type=SYSCALL msg=audit(1525355850.545:177): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd11d77860 a2=6e a3=7ffd11d77220 items=0 ppid=4362 pid=4442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1525355850.545:177): avc:  denied  { connectto } for  pid=4442 comm="svnserve" path="/run/saslauthd/mux" scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket

Comment 2 Milos Malik 2018-05-03 14:14:37 UTC
Thanks for the scenario, Renaud.

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(05/03/2018 10:10:17.963:397) : proctitle=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /var/svn 
type=PATH msg=audit(05/03/2018 10:10:17.963:397) : item=0 name=/run/saslauthd/mux inode=104850 dev=00:14 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:saslauthd_var_run_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/03/2018 10:10:17.963:397) :  cwd=/ 
type=SOCKADDR msg=audit(05/03/2018 10:10:17.963:397) : saddr={ fam=local path=/run/saslauthd/mux } 
type=SYSCALL msg=audit(05/03/2018 10:10:17.963:397) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffd14c7a810 a2=0x6e a3=0x7ffd14c7a220 items=1 ppid=10267 pid=10270 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null) 
type=AVC msg=audit(05/03/2018 10:10:17.963:397) : avc:  denied  { connectto } for  pid=10270 comm=svnserve path=/run/saslauthd/mux scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(05/03/2018 10:11:24.145:400) : proctitle=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /var/svn 
type=PATH msg=audit(05/03/2018 10:11:24.145:400) : item=0 name=/run/saslauthd/mux inode=104850 dev=00:14 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:saslauthd_var_run_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/03/2018 10:11:24.145:400) :  cwd=/ 
type=SOCKADDR msg=audit(05/03/2018 10:11:24.145:400) : saddr={ fam=local path=/run/saslauthd/mux } 
type=SYSCALL msg=audit(05/03/2018 10:11:24.145:400) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffd14c7a810 a2=0x6e a3=0x7ffd14c7a220 items=1 ppid=10267 pid=10276 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null) 
type=AVC msg=audit(05/03/2018 10:11:24.145:400) : avc:  denied  { connectto } for  pid=10276 comm=svnserve path=/run/saslauthd/mux scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
----
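The records in the description (raw `ausearch` output, epoch timestamps, quoted values) and in comment 2 (interpreted `ausearch -i` output, one capture in enforcing and one in permissive mode) carry the same information in two layouts, and the only thing that tells the two captures apart is the paired SYSCALL record: `success=no exit=EACCES` under enforcing, `success=yes exit=0` under permissive. The script below is an added example, not part of the bug report or of the selinux-policy package: it parses both layouts, joins each AVC record to its SYSCALL record by audit serial, flags whether the denial was actually enforced, and prints the `allow` statement that would cover it (the same line audit2allow would emit). The embedded sample records are constructed from the two layouts above with the irrelevant fields shortened; whether granting the printed rule is appropriate is a policy decision the script does not make.

```python
"""Parse SELinux AVC denials from auditd output and classify them.

Added example for the bug report above; not code from the report or the
selinux-policy project. Handles both raw `ausearch` records and the
interpreted `ausearch -i` form, and uses the paired SYSCALL record to tell
an enforced denial from a permissive-mode one.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <body>  (both layouts)
MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<msg>[^)]*)\)\s*:\s*(?P<body>.*)$')
# avc:  denied  { perm perm } for  key=value ...
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
# key=value, value either "quoted" (raw form) or a bare token (interpreted form)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the raw enforcing capture (serial 173) and the
# interpreted permissive capture (serial 400), with unneeded fields trimmed.
SAMPLE_AUDIT = '''
time->Thu May  3 15:48:17 2018
type=SYSCALL msg=audit(1525355297.711:173): arch=c000003e syscall=42 success=no exit=-13 a0=3 ppid=3986 pid=4009 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1525355297.711:173): avc:  denied  { connectto } for  pid=4009 comm="svnserve" path="/run/saslauthd/mux" scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
----
type=PROCTITLE msg=audit(05/03/2018 10:11:24.145:400) : proctitle=/usr/bin/svnserve --daemon -r /var/svn
type=SOCKADDR msg=audit(05/03/2018 10:11:24.145:400) : saddr={ fam=local path=/run/saslauthd/mux }
type=SYSCALL msg=audit(05/03/2018 10:11:24.145:400) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 ppid=10267 pid=10276 comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(05/03/2018 10:11:24.145:400) : avc:  denied  { connectto } for  pid=10276 comm=svnserve path=/run/saslauthd/mux scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
'''


@dataclass
class Denial:
    event: str              # audit serial, the part after the last ':' in msg=audit(...)
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    path: str
    enforced: Optional[bool] = None  # True: syscall failed; False: permissive; None: no SYSCALL seen


def _kv(body: str) -> Dict[str, str]:
    """Split a record body into key/value pairs, dropping the raw form's quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def type_of(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(':')[2]


def parse_audit(text: str) -> List[Denial]:
    syscalls: Dict[str, Dict[str, str]] = {}
    denials: List[Denial] = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # separators, time-> headers, anything that is not an audit record
        event = m.group('msg').rsplit(':', 1)[-1]
        if m.group('type') == 'SYSCALL':
            syscalls[event] = _kv(m.group('body'))
        elif m.group('type') == 'AVC':
            p = PERMS_RE.search(m.group('body'))
            if not p:
                continue  # e.g. "avc: granted", which is not a denial
            f = _kv(p.group('rest'))
            d = Denial(event, p.group('perms').split(), f['scontext'],
                       f['tcontext'], f['tclass'], f.get('comm', '?'), f.get('path', ''))
            if 'permissive' in f:          # newer kernels put the mode in the AVC record itself
                d.enforced = f['permissive'] == '0'
            denials.append(d)
    for d in denials:                      # otherwise the SYSCALL outcome decides
        sc = syscalls.get(d.event)
        if d.enforced is None and sc and 'success' in sc:
            d.enforced = sc['success'] == 'no'
    return denials


def allow_statement(d: Denial) -> str:
    """The policy rule that would cover this denial, in audit2allow's output form."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {type_of(d.scontext)} {type_of(d.tcontext)}:{d.tclass} {perms};'


if __name__ == '__main__':
    for d in parse_audit(SAMPLE_AUDIT):
        mode = {True: 'ENFORCED', False: 'permissive', None: 'unknown'}[d.enforced]
        print(f'[{d.event}] {mode:10} {d.comm} -> {d.path}: {allow_statement(d)}')
```

Run against real output with `ausearch -ts recent -m avc,syscall | python3 avc_triage.py` style piping (the `-m syscall` part matters, since the SYSCALL record is what carries the enforcing/permissive outcome when the AVC line lacks a `permissive=` field, as the RHEL 7 records above do).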

Comment 3 Milos Malik 2018-05-03 15:03:02 UTC
For QE purposes:
Successful authentication via the svn CLI requires the following operation to be done first:
# ln -s /etc/pam.d/login /etc/pam.d/svn

Comment 8 errata-xmlrpc 2018-10-30 10:03:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111