Bug 1782896

Summary: New sepolicy needed to allow RHDS to use keyring to retrieve starting password
Product: Red Hat Enterprise Linux 8 Reporter: thierry bordaz <tbordaz>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.1CC: lvrabec, mmalik, plautrba, ssekidde, vashirov
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-11 09:33:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1638875    

Description thierry bordaz 2019-12-12 15:34:50 UTC 
Description of problem:
The RFE https://bugzilla.redhat.com/show_bug.cgi?id=1638875 changes the way RHDS retrieves its starting password. This password being used to access the NSS database to retrieve keys/ca.

RHDS, started by systemd, search/read keyring. Search is allowed but read fails with an AVC. A new selinux policy is needed to grant read access. 


Version-Release number of selected component (if applicable):


How reproducible:
To be tested it requires a RHDS build containing the RFE https://bugzilla.redhat.com/show_bug.cgi?id=1638875

With this RFE, AVC is systematic


Steps to Reproduce:
1. dscreate create-template > template-file
2. dscreate from-file template-file


Actual results:
it triggers an AVC. 
RHDS starts without secure port/starttls


Expected results:
RHDS should start without AVC


Additional info:
Comment 1 thierry bordaz 2019-12-12 16:05:11 UTC 
Test in permissive mode

prompt> setenforce 0
prompt> dscreate create-template | sed -e 's/;start.*$/;start = False/' -e 's/;root_password.*$/;root_password = Secret123/' -e 's/^;suffix.*$/;suffix = dc=example,dc=com/' -e 's/^;create_suffix_entry.*/;create_suffix_entry = True/' > /tmp/template
prompt> dscreate from-file /tmp/template
prompt> audit2allow -w -a
 --> empty

# This will force ns-slapd to read password from keyring
prompt> mv /etc/dirsrv/slapd-localhost/pin.txt /etc/dirsrv/slapd-localhost/pin.txt.sav

# stars are taken from copy/paste pin.txt.sav
prompt> systemctl restart dirsrv
prompt> [localhost] Please provide the password for cert/key Database: *****************************************************************

audit2allow -w -a

type=AVC msg=audit(1576166169.584:534): avc:  denied  { read } for  pid=18536 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
audit2allow -a


#============= dirsrv_t ==============
allow dirsrv_t unconfined_service_t:key read;

# RHDS started with secure port
prompt> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-localhost/ ldapsearch -x -H ldaps://localhost:636 -D "cn=directory manager" -w Directory_Manager_Password -LLL -b "" -s base
dn:
objectClass: top
netscapemdsuffix: cn=ldap://dc=host-10-0-138-127:389
Comment 2 thierry bordaz 2019-12-12 16:28:30 UTC 
Test in enforcing mode

prompt> setenforce 0
prompt> dscreate create-template | sed -e 's/;start.*$/;start = False/' -e 's/;root_password.*$/;root_password = Secret123/' -e 's/^;suffix.*$/;suffix = dc=example,dc=com/' -e 's/^;create_suffix_entry.*/;create_suffix_entry = True/' > /tmp/template
prompt> dscreate from-file /tmp/template
prompt> audit2allow -w -a
 --> empty

# This will force ns-slapd to read password from keyring
prompt> mv /etc/dirsrv/slapd-localhost/pin.txt /etc/dirsrv/slapd-localhost/pin.txt.sav

# stars are taken from copy/paste pin.txt.sav
prompt> systemctl restart dirsrv
prompt> [localhost] Please provide the password for cert/key Database: *****************************************************************

prompt> audit2allow -w -a

type=AVC msg=audit(1576167175.005:550): avc:  denied  { read } for  pid=18898 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

prompt> audit2allow  -a


#============= dirsrv_t ==============
allow dirsrv_t unconfined_service_t:key read;
Comment 3 thierry bordaz 2019-12-12 16:33:15 UTC 
Enforcing

# import a selinux module allowing key read
prompt> grep avc /var/log/audit/audit.log > ./avc
prompt> audit2allow -i ./avc -M dirsrv_sepolicy
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i dirsrv_sepolicy.pp
prompt> cat dirsrv_sepolicy.te

module dirsrv_sepolicy 1.0;

require {
	type dirsrv_t;
	type unconfined_service_t;
	class key read;
}

#============= dirsrv_t ==============
allow dirsrv_t unconfined_service_t:key read;
prompt> semodule -i dirsrv_sepolicy.pp


prompt> dscreate create-template | sed -e 's/;start.*$/;start = False/' -e 's/;root_password.*$/;root_password = Secret123/' -e 's/^;suffix.*$/;suffix = dc=example,dc=com/' -e 's/^;create_suffix_entry.*/;create_suffix_entry = True/' > /tmp/template
prompt> dscreate from-file /tmp/template
prompt> audit2allow -w -a
 --> empty

# This will force ns-slapd to read password from keyring
prompt> mv /etc/dirsrv/slapd-localhost/pin.txt /etc/dirsrv/slapd-localhost/pin.txt.sav

# stars are taken from copy/paste pin.txt.sav
prompt> systemctl restart dirsrv
prompt> [localhost] Please provide the password for cert/key Database: *****************************************************************


prompt> audit2allow -w -a
 --> empty
Comment 4 thierry bordaz 2019-12-12 16:37:23 UTC 
Version of selinux policy: 3.14.3-46

libselinux-debugsource-2.9-3.1.fc30.x86_64
libselinux-devel-2.9-3.1.fc30.x86_64
rpm-plugin-selinux-4.14.2.1-5.fc30.x86_64
python3-libselinux-2.9-3.1.fc30.x86_64
libselinux-debuginfo-2.9-3.1.fc30.x86_64
libselinux-utils-2.9-3.1.fc30.x86_64
selinux-policy-3.14.3-46.fc30.noarch
selinux-policy-targeted-3.14.3-46.fc30.noarch
libselinux-2.9-3.1.fc30.x86_64
Comment 8 Zdenek Pytela 2020-06-04 15:55:03 UTC 
Hi,

Can you share with us the current status of this request? Is this bug still targeting RHEL 8.3?
Comment 9 thierry bordaz 2020-06-04 17:08:00 UTC 
The related DS ticket is not planed for 8.3. Hopefully it will be in 8.4
Comment 10 Zdenek Pytela 2020-06-05 06:48:33 UTC 
Thank you for the update. Please let us know in early phase of RHEL 8.4 planning if possible so that we can adjust the policy in advance for proper testing.
Comment 12 Zdenek Pytela 2020-12-01 17:36:25 UTC 
(In reply to thierry bordaz from comment #9)
> The related DS ticket is not planed for 8.3. Hopefully it will be in 8.4

Hi,

Could you please let us know the current status?
Comment 13 thierry bordaz 2020-12-01 18:02:55 UTC 
Hi, This bug fix is not planed for 8.4.
Upstream ticket https://pagure.io/389-ds-base/issue/50794,  that requires this bug fix, is not a priority.
I suggest to close it (WILLNOTFIX). We will reopen it as soon as #50794 will be targeted for a release.
Comment 14 Zdenek Pytela 2020-12-11 09:33:29 UTC 
Hi,

Based on your last reply I am closing the bugzilla. Feel free to reopen it as soon as it is required.