Bug 1797102

Summary: SELinux is preventing ipa-custodia from 'create' accesses on the netlink_route_socket labeled ipa_custodia_t.
Product: Fedora
Reporter: James <james>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: medium
Version: 31
CC: dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela
Keywords: Triaged
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:a290be5fed2b4a48029e330cf275c58ed5e6b36bc4d01487b872695500600655;VARIANT_ID=server;
Fixed In Version: selinux-policy-3.14.4-47.fc31
Doc Type: If docs needed, set a value
Last Closed: 2020-02-09 01:31:52 UTC

Description James 2020-01-31 21:53:48 UTC
Description of problem:
SELinux is preventing ipa-custodia from 'create' accesses on the netlink_route_socket labeled ipa_custodia_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ipa-custodia should be allowed create access on netlink_route_socket labeled ipa_custodia_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ipa-custodia' --raw | audit2allow -M my-ipacustodia
# semodule -X 300 -i my-ipacustodia.pp

Additional Information:
Source Context                system_u:system_r:ipa_custodia_t:s0
Target Context                system_u:system_r:ipa_custodia_t:s0
Target Objects                Unknown [ netlink_route_socket ]
Source                        ipa-custodia
Source Path                   ipa-custodia
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-44.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.4.14-200.fc31.x86_64 #1 SMP Thu
                              Jan 23 13:06:12 UTC 2020 x86_64 x86_64
Alert Count                   42
First Seen                    2019-12-18 17:47:34 GMT
Last Seen                     2020-01-31 21:46:10 GMT
Local ID                      14f2f3a9-da1f-4e70-8dfd-2aaa5b11ce0d

Raw Audit Messages
type=AVC msg=audit(1580507170.393:210): avc:  denied  { create } for  pid=1495 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket permissive=0


Hash: ipa-custodia,ipa_custodia_t,ipa_custodia_t,netlink_route_socket,create

Version-Release number of selected component:
selinux-policy-3.14.4-44.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.14-200.fc31.x86_64
type:           libreport
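
Added example (not part of the bug report or of selinux-policy): a small Python parser that turns raw AVC lines like the one above into the kind of TE allow rule audit2allow would propose, so a denial can be reviewed before any local module is loaded. The first sample line is this report's AVC; the second is constructed to show how permissions for the same domain and class are grouped, and "self" is emitted when source and target type match, as in this denial.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC line from this bug report, plus a second
# made-up denial for the same domain and class to show permission grouping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1580507170.393:210): avc:  denied  { create } for  pid=1495 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket permissive=0
type=AVC msg=audit(1580507170.401:211): avc:  denied  { read write } for  pid=1495 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull result, permissions, source/target SELinux types and class out of one AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context looks like user:role:type:level; the type is the third field.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def denials_to_rules(audit_text):
    """Group denied AVCs by (source type, target type, class) and render TE allow rules."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        # Same source and target type is written as "self", as audit2allow does.
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AUDIT_LOG)))
```

Feed it the output of `ausearch -m AVC --raw` to see which rules a local module would add, and compare them against what the distribution policy fix (here, the commit in comment 5) grants.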

Comment 1 Zdenek Pytela 2020-02-03 16:42:39 UTC
Hi James,

Thank you for reporting the issue. Please help us with isolating the issue answering the following questions:
 
- Have you made any changes to your configuration?
- Have you noticed if it started to happen with the freeipa package update?
- Did it happen at some particular circumstance, like time or action?
- Are there any other clear steps to reproduce this issue?
- Apart from the denials, did you observe any drawback in functionality?
- Did it happen together with bz#1797100?

Comment 2 James 2020-02-03 19:12:16 UTC
(In reply to Zdenek Pytela from comment #1)
> Hi James,
> 
> Thank you for reporting the issue. Please help us with isolating the issue
> answering the following questions:
>  
> - Have you made any changes to your configuration?
> - Have you noticed if it started to happen with the freeipa package update?
> - Did it happen at some particular circumstance, like time or action?
> - Are there any other clear steps to reproduce this issue?
> - Apart from the denials, did you observe any drawback in functionality?
> - Did it happen together with bz#1797100?

This FreeIPA installation has been going for a while; it probably dates back a few years now. I think these SELinux denials started around the upgrade from F30 to F31; I can't remember what change in freeipa that was, I'll have to dig deeper into the logs.

Following that system upgrade, FreeIPA restarted with no apparent loss of functionality hence I didn't do an autorelabel. (In the past things like the web interface have fallen over after upgrade requiring a relabel, but not this time.)

The denial happens whenever the machine restarts. It persists after a forced autorelabel.

Current version: freeipa-server-4.8.4-2.fc31.x86_64

I think it did start with bz#1797100.

I wish I could provide more detailed info than this; as mentioned this hasn't caused any apparent loss of functionality so I just left it, but I thought it best to report this anyway.

Comment 4 Zdenek Pytela 2020-02-05 09:34:18 UTC
James,

Thank you for your reply. There does not seem to be any issue with allowing this particular permission; I was just curious if it happens right after installation or rather with some particular configuration change, or if it is a result of updating ipa or a library it uses, which could possibly help with other issues like this.

I've submitted a PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/199

Comment 5 Lukas Vrabec 2020-02-05 11:32:01 UTC
commit b1751347f4af99de8c88630e2f8d0a352d7f5937 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 5 10:21:27 2020 +0100

    Allow ipa_custodia_t create and use netlink_route_socket sockets.
    
    Resolves: rhbz#1797102

Comment 6 Fedora Update System 2020-02-07 13:00:17 UTC
FEDORA-2020-07bb9bdfaa has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-07bb9bdfaa

Comment 7 Fedora Update System 2020-02-08 02:10:14 UTC
selinux-policy-3.14.4-47.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-07bb9bdfaa

Comment 8 Fedora Update System 2020-02-09 01:31:52 UTC
selinux-policy-3.14.4-47.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.