Bug 1759900

Summary: ipa-ods-exporter AVC for /var/kerberos/krb5
Product: Red Hat Enterprise Linux 8
Reporter: Lukas Vrabec <lvrabec>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.2
CC: cheimes, dwalsh, extras-qa, lvrabec, mgrepl, mmalik, plautrba, ssekidde, sumenon, zpytela
Target Milestone: rc
Keywords: Patch
Target Release: 8.2
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1759884
Environment:
Last Closed: 2020-04-28 16:41:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1759884
Bug Blocks:

Description Lukas Vrabec 2019-10-09 11:36:55 UTC
+++ This bug was initially created as a clone of Bug #1759884 +++

Description of problem:
FreeIPA's DNSSEC helper ipa-ods-exporter from freeipa-server-dns causes AVCs. The target context is krb5_keytab_t for directory /var/kerberos/krb5. That's the place MIT Kerberos / GSSAPI is looking for client keytabs. ipa-ods-exporter does not use client keytabs from this location. The AVC can be silenced.

Version-Release number of selected component (if applicable):
freeipa-server-dns-4.8.1-3

How reproducible:
always

Steps to Reproduce:
1. Install FreeIPA master with DNSSEC support

Actual results:
time->Wed Oct  9 06:08:14 2019
type=AVC msg=audit(1570615694.460:938): avc:  denied  { search } for  pid=20148 comm="ipa-ods-exporte" name="krb5" dev="vda1" ino=1014 scontext=system_u:system_r:ipa_ods_exporter_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

Expected results:
No AVC

Additional info:
inode 1041 on vda1 is /var/kerberos/krb5:

# stat /var/kerberos/krb5
  File: /var/kerberos/krb5
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fc01h/64513d    Inode: 1014        Links: 3

--- Additional comment from Lukas Vrabec on 2019-10-09 13:35:51 CEST ---

Fixed in Fedora 29+

commit 8554a928896a7aa5ba2843d1fb3dd5c59a964028 (HEAD -> f29, origin/f29)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Oct 9 13:34:52 2019 +0200

    Allow ipa_ods_exporter_t domain to read krb5_keytab files BZ(1759884)
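
Added example, not part of the bug report or of the selinux-policy project: a small Python script that parses the AVC record from the "Actual results" section, cross-checks its ino= field against the stat output from "Additional info" to confirm that the denied object really is /var/kerberos/krb5, and prints the minimal per-AVC rule that audit2allow would derive from it, in either allow or dontaudit form (the report notes the AVC "can be silenced", while the commit above chose to allow the access). The AVC_LINE and STAT_OUTPUT constants are copied from the report; the class and function names are my own. The generated rule is only the single-permission minimum implied by this one AVC; the actual fix is the policy commit quoted above, whose wording ("read krb5_keytab files") is broader than the one search permission recorded here.

```python
import re
from dataclasses import dataclass

# AVC record as pasted in the bug report's "Actual results" section.
AVC_LINE = (
    'type=AVC msg=audit(1570615694.460:938): avc:  denied  { search } for  pid=20148 '
    'comm="ipa-ods-exporte" name="krb5" dev="vda1" ino=1014 '
    'scontext=system_u:system_r:ipa_ods_exporter_t:s0 '
    'tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0'
)

# stat(1) output as pasted in the report's "Additional info" section.
STAT_OUTPUT = """  File: /var/kerberos/krb5
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: fc01h/64513d    Inode: 1014        Links: 3
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." -> verdict, permission set, rest
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; quoted values (comm, name, dev) may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    denied: bool
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    name: str
    dev: str
    ino: int
    permissive: bool

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is the third field.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def rule(self, kind: str = "allow") -> str:
        """Minimal rule in the form audit2allow prints: braces only for more than one permission."""
        if kind not in ("allow", "dontaudit"):
            raise ValueError("kind must be 'allow' or 'dontaudit'")
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"{kind} {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_avc(line: str) -> Avc:
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        denied=m.group("verdict") == "denied",
        perms=m.group("perms").split(),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        # The kernel stores comm in 15 characters, which is why the report shows "ipa-ods-exporte".
        comm=kv.get("comm", ""),
        name=kv.get("name", ""),
        dev=kv.get("dev", ""),
        ino=int(kv.get("ino", "0")),
        permissive=kv.get("permissive") == "1",
    )


def parse_stat(text: str) -> dict:
    """Pull the path and inode number out of stat(1) output."""
    path = re.search(r"File:\s*(\S+)", text).group(1)
    ino = int(re.search(r"Inode:\s*(\d+)", text).group(1))
    return {"path": path, "ino": ino}


def denied_object_is(avc: Avc, stat: dict) -> bool:
    """True when the AVC's inode and last path component both match the stat'ed object."""
    basename = stat["path"].rstrip("/").split("/")[-1]
    return avc.ino == stat["ino"] and basename == avc.name


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    st = parse_stat(STAT_OUTPUT)
    print(f"{avc.source_type} denied {avc.perms} on {avc.tclass} labelled {avc.target_type}")
    print(f"object is {st['path']}: {denied_object_is(avc, st)}")
    print(avc.rule("allow"))
    print(avc.rule("dontaudit"))
```

The inode check is the step worth keeping in a triage workflow: an AVC names the object only by dev, inode and final path component, so confirming the inode against stat on the suspected path avoids writing a rule for the wrong file. Whether the result should become an allow rule or a dontaudit rule is a policy decision about whether the domain legitimately needs the access, which the script does not make for you.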

Comment 6 errata-xmlrpc 2020-04-28 16:41:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773

Comment 7 Zdenek Pytela 2020-05-20 15:20:14 UTC
*** Bug 1780086 has been marked as a duplicate of this bug. ***