Bug 1797102
Summary: | SELinux is preventing ipa-custodia from 'create' accesses on the netlink_route_socket labeled ipa_custodia_t. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | James <james> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 31 | CC: | dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:a290be5fed2b4a48029e330cf275c58ed5e6b36bc4d01487b872695500600655;VARIANT_ID=server; | ||
Fixed In Version: | selinux-policy-3.14.4-47.fc31 | Doc Type: | If docs needed, set a value |
Last Closed: | 2020-02-09 01:31:52 UTC | Type: | --- |
Description
James
2020-01-31 21:53:48 UTC
Hi James,

Thank you for reporting the issue. Please help us with isolating the issue answering the following questions:

- Have you made any changes to your configuration?
- Have you noticed if it started to happen with the freeipa package update?
- Did it happen at some particular circumstance, like time or action?
- Are there any other clear steps to reproduce this issue?
- Apart from the denials, did you observe any drawback in functionality?
- Did it happen together with bz#1797100?

(In reply to Zdenek Pytela from comment #1)
> Hi James,
>
> Thank you for reporting the issue. Please help us with isolating the issue
> answering the following questions:
>
> - Have you made any changes to your configuration?
> - Have you noticed if it started to happen with the freeipa package update?
> - Did it happen at some particular circumstance, like time or action?
> - Are there any other clear steps to reproduce this issue?
> - Apart from the denials, did you observe any drawback in functionality?
> - Did it happen together with bz#1797100?

This FreeIPA installation has been going for a while; it probably dates back a few years now. I think these SELinux denials started around the upgrade from F30 to F31; I can't remember what change in freeipa that was, I'll have to dig deeper into the logs.

Following that system upgrade, FreeIPA restarted with no apparent loss of functionality, hence I didn't do an autorelabel. (In the past things like the web interface have fallen over after upgrade, requiring a relabel, but not this time.)

The denial happens whenever the machine restarts. Persists after a forced autorelabel.

Current version: freeipa-server-4.8.4-2.fc31.x86_64

I think it did start with bz#1797100.

I wish I could provide more detailed info than this; as mentioned, this hasn't caused any apparent loss of functionality so I just left it, but I thought it best to report this anyway.

James,

Thank you for your reply. There does not seem to be any issue with allowing this particular permission, I was just curious if it happens right after installation or rather with some particular configuration change, or if it is a result of updating ipa or a library it uses, which could possibly help with other issues like this.

I've submitted a PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/199

commit b1751347f4af99de8c88630e2f8d0a352d7f5937 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date: Wed Feb 5 10:21:27 2020 +0100

Allow ipa_custodia_t create and use netlink_route_socket sockets.

Resolves: rhbz#1797102

FEDORA-2020-07bb9bdfaa has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-07bb9bdfaa

selinux-policy-3.14.4-47.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-07bb9bdfaa

selinux-policy-3.14.4-47.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.