Bug 1609477

Summary: SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/
Product: Fedora
Reporter: Lukas Slebodnik <lslebodn>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: abokovoy, awilliam, dwalsh, frenaud, ipa-maint, jcholast, jhrozek, lslebodn, lvrabec, mgrepl, plautrba, pvoborni, rcritten, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-10-12 20:02:36 UTC
Type: Bug

Description Lukas Slebodnik 2018-07-28 09:19:18 UTC
SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/etc/httpd/alias/ default label should be cert_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/httpd/alias/

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_config_t:s0
Target Objects                /etc/httpd/alias/ [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1
                              SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      3c279d02-7842-42b0-848e-fc8fb766be4d

Raw Audit Messages
type=AVC msg=audit(1532766662.216:613): avc:  denied  { write } for  pid=31744 comm="httpd" name="alias" dev="dm-0" ino=554522 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1532766662.216:613): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=558a0dae3ea5 a2=800c1 a3=180 items=1 ppid=1 pid=31744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.216:613): cwd=/

type=PATH msg=audit(1532766662.216:613): item=0 name=/etc/httpd/alias/ inode=554522 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,httpd_config_t,dir,write

Comment 1 Lukas Slebodnik 2018-07-28 09:21:45 UTC
The directory /etc/httpd/alias/ does not exist after installation of freeIPA server related packages and it is not owned by any package. I assume it was created by freeIPA but with wrong SELinux context.

sh# rpm -qf /etc/httpd/alias/
file /etc/httpd/alias is not owned by any package

sh# ls -ldZ /etc/httpd/alias/
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 6 Jul 28 04:29 /etc/httpd/alias/
sh# matchpathcon /etc/httpd/alias/
/etc/httpd/alias        system_u:object_r:cert_t:s0

Comment 2 Rob Crittenden 2018-07-30 02:31:34 UTC
I assume you see this on an install?

I wonder if it is seeing if there are certs/keys to migrate.

Comment 3 Lukas Slebodnik 2018-07-30 07:25:50 UTC
It was a clean installation. So I have no idea what should be migrated. You should know the code better :-)

Comment 4 Alexander Bokovoy 2018-07-30 07:37:58 UTC
We need a place to store a session key used by mod_auth_gssapi. Previously we stored it in /etc/httpd/alias and it was allowed by SELinux rules. As we no longer install mod_nss, we create /etc/httpd/alias ourselves, as per ticket https://pagure.io/freeipa/issue/7529. 

However, I think we aren't restoring SELinux context on it.

The commit message for a fix of issue 7529 says:

commit 49b4a057f1b0459331bcec2c8d760627d00e4571
Author: Christian Heimes <cheimes>
Date:   Fri May 4 10:47:00 2018 +0200

    Create missing /etc/httpd/alias for ipasession.key
    
    The directory /etc/httpd/alias was created by mod_nss. Since FreeIPA no
    longer depends on mod_nss, the directory is no longer created on fresh
    systems.
    
    Note: At first I wanted to move the file to /var/lib/ipa/private/ or
    /var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
    going to move the file after a new SELinux policy is available.
    
    See: https://pagure.io/freeipa/issue/7529
    Signed-off-by: Christian Heimes <cheimes>
    Reviewed-By: Rob Crittenden <rcritten>


So first we need a new policy that allows httpd_t to write to ipa_var_lib_t to drop alias part completely.

Comment 5 Lukas Slebodnik 2018-07-30 11:31:43 UTC
(In reply to Alexander Bokovoy from comment #4)
> So first we need a new policy that allows httpd_t to write to ipa_var_lib_t
> to drop alias part completely.

NO,

ipa_var_lib_t is very general.
And it already works for /etc/httpd/alias with the right SELinux context (cert_t instead of httpd_config_t). And there are already many places which have the label cert_t if you do not want /etc/httpd/alias

sh# semanage fcontext -l | grep system_u:object_r:cert_t
/etc/(letsencrypt|certbot)/(live|archive)(/.*)?    all files          system_u:object_r:cert_t:s0 
/etc/docker/certs\.d(/.*)?                         all files          system_u:object_r:cert_t:s0 
/etc/httpd/alias(/.*)?                             all files          system_u:object_r:cert_t:s0 
/etc/ipa/nssdb(/.*)?                               all files          system_u:object_r:cert_t:s0 
/etc/pki(/.*)?                                     all files          system_u:object_r:cert_t:s0 
/etc/ssl(/.*)?                                     all files          system_u:object_r:cert_t:s0 
/usr/share/ca-certificates(/.*)?                   all files          system_u:object_r:cert_t:s0 
/usr/share/pki/ca-certificates(/.*)?               all files          system_u:object_r:cert_t:s0 
/usr/share/pki/ca-trust-source(/.*)?               all files          system_u:object_r:cert_t:s0 
/usr/share/ssl/certs(/.*)?                         all files          system_u:object_r:cert_t:s0 
/usr/share/ssl/private(/.*)?                       all files          system_u:object_r:cert_t:s0 
/var/lib/letsencrypt(/.*)?                         all files          system_u:object_r:cert_t:s0 
/var/named/chroot/etc/pki(/.*)?                    all files          system_u:object_r:cert_t:s0
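The by-hand check from comment 1 (actual label versus matchpathcon), run over the raw audit records from the description, as an added example that is not part of this bug report or of FreeIPA. The function names, the ranking of overlapping specs by longest literal stem (an approximation of fc_sort ordering) and the /etc/httpd spec are assumptions; the cert_t specs and audit lines are taken from this page.

```python
import re

# Constructed sample: the AVC and PATH records of event 1532766662.216:613 from the report, cap_* fields trimmed.
RAW_AUDIT = """\
type=AVC msg=audit(1532766662.216:613): avc:  denied  { write } for  pid=31744 comm="httpd" name="alias" dev="dm-0" ino=554522 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1532766662.216:613): item=0 name=/etc/httpd/alias/ inode=554522 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=PARENT
"""
# File-context specs (regex, type): cert_t entry from `semanage fcontext -l` above; /etc/httpd entry is constructed.
FCONTEXTS = [
    (r"/etc/httpd(/.*)?", "httpd_config_t"),
    (r"/etc/httpd/alias(/.*)?", "cert_t"),
]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

def parse_records(text):
    """Group each record's key=value fields by audit event id, then by record type."""
    events = {}
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV.findall(line)}
            perms = re.search(r"\{ ([^}]*) \}", line)  # AVC permission set, e.g. { write }
            fields["perms"] = perms.group(1).split() if perms else []
            events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events

def expected_type(path):
    """Mini matchpathcon (assumption): the matching spec with the longest literal stem wins, as fc_sort orders them."""
    path = path.rstrip("/") or "/"
    best = None
    for spec, stype in FCONTEXTS:
        stem = re.split(r"[\[\](){}.*?+|^$\\]", spec, maxsplit=1)[0]  # literal prefix before any metacharacter
        if re.fullmatch(spec, path) and (best is None or len(stem) > len(best[0])):
            best = (stem, stype)
    return best[1] if best else None

def triage(text):
    """Per denial: a mislabel is fixed with restorecon; anything else is a policy gap to report."""
    findings = []
    for ev, recs in parse_records(text).items():
        avc, path = recs.get("AVC"), recs.get("PATH")
        if avc and path:
            actual, expected = avc["tcontext"].split(":")[2], expected_type(path["name"])
            mislabeled = expected is not None and expected != actual
            findings.append({"event": ev, "comm": avc["comm"], "perms": avc["perms"],
                             "source": avc["scontext"].split(":")[2], "path": path["name"],
                             "actual": actual, "expected": expected,
                             "action": "restorecon -v " + path["name"] if mislabeled else "report as policy bug"})
    return findings
```

For the sample event the result is a single finding whose target type httpd_config_t differs from the expected cert_t, so the suggested action is the restorecon from the description rather than a local policy module.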

Comment 6 Adam Williamson 2018-07-31 21:05:02 UTC
Can we have freeipa restore the context on /etc/httpd/alias when it creates it, then, for now? These AVCs show up on every deployment test, I think.

Comment 7 Lukas Slebodnik 2018-07-31 21:12:40 UTC
(In reply to Adam Williamson from comment #6)
> Can we have freeipa restore the context on /etc/httpd/alias when it creates
> it, then, for now? These AVCs show up on every deployment test, I think.

BTW, installation of master, replica and client passed for me even with dontaudit rules. But running restorecon is a proper quick fix.

Comment 8 Alexander Bokovoy 2018-08-01 07:49:20 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7662

Comment 9 Rob Crittenden 2018-08-03 18:09:24 UTC
master:

    f751697 httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
    354d729 ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X

Comment 10 Lukas Slebodnik 2018-08-23 07:07:24 UTC
(In reply to Rob Crittenden from comment #9)
> master:
> 
>     f751697 httpinstance: Restore SELinux context of session_dir
> /etc/httpd/alias
>     354d729 ipa_restore: Restore SELinux context of template_dir
> /var/log/dirsrv/slapd-X

Is there an ETA for fixing this in Fedora? It would be good to reduce unnecessary AVC noise.

Comment 11 Florence Blanc-Renaud 2018-10-08 08:37:15 UTC
freeipa 4.7.1 has just been released and contains the fix:
https://www.freeipa.org/page/Releases/4.7.1

Comment 12 Lukas Slebodnik 2018-10-12 18:44:08 UTC
(In reply to Florence Blanc-Renaud from comment #11)
> freeipa 4.7.1 has just been released and contains the fix:
> https://www.freeipa.org/page/Releases/4.7.1

I would say it was fixed also in freeipa-4.7.0-3.fc28

https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

Just nobody added this BZ to that bodhi update.

Comment 13 Adam Williamson 2018-10-12 20:02:36 UTC
Indeed, I just checked the logs from a recent F28 FreeIPA deployment test in openQA and don't see these denials any more. Thanks.