Bug 1825812

Summary: AVC avc: denied { dac_override } for comm="ods-enforcerd
Product: Fedora
Component: opendnssec
Version: 32
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Reporter: Christian Heimes <cheimes>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, puiterwijk, pwouters
Hardware: Unspecified
OS: Unspecified
Fixed In Version: opendnssec-2.1.6-5.fc32
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2020-04-25 02:25:31 UTC

Description Christian Heimes 2020-04-20 10:25:41 UTC
Description of problem:
FreeIPA with DNSSEC support is failing to install on a F32 machine. It looks like the problem is caused by an AVC in ods-enforcerd. The ODS enforcer daemon starts as root but root has no permission to read/write files in /var/opendnssec and /run/opendnssec. The files are owned by ods:ods and most directories are not accessible by other users.

Version-Release number of selected component (if applicable):
opendnssec-2.1.6-4.fc32.x86_64
freeipa-server-4.8.6-1.fc32.x86_64
selinux-policy-3.14.5-32.fc32.noarch


How reproducible:
always

Steps to Reproduce:
1. ipa-server-install
2. ipa-dns-install --dnssec-master --auto-reverse --auto-forwarders -U


Actual results:
DNS server installation is failing while ods-enforcerd is started:

  [7/8]: starting OpenDNSSEC enforcer
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'restart', 'ods-enforcerd.service'] returned non-zero exit status 1: 'Job for ods-enforcerd.service failed because the control process exited with error code.

  ods-enforcerd[27230]: Could not connect to database or database not set up properly.

ausearch is showing multiple AVCs:
  AVC avc:  denied  { dac_override } for  pid=27230 comm="ods-enforcerd" capability=1  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=0

Expected results:
no error

Additional info:
# ls -laZ /var/run/opendnssec/ /var/opendnssec/
/var/opendnssec/:
total 128
drwxrwx---.  6 root ods  system_u:object_r:opendnssec_var_t:s0       4096 Apr 20 06:16 .
drwxr-xr-x. 21 root root system_u:object_r:var_t:s0                  4096 Apr 20 06:05 ..
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Mar 10 22:53 enforcer
-rw-rw----.  1 ods  ods  unconfined_u:object_r:opendnssec_var_t:s0 102400 Apr 20 06:16 kasp.db
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Mar 10 22:53 signconf
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Mar 10 22:53 signed
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Apr 20 06:16 tmp

/var/run/opendnssec/:
total 0
drwxr-xr-x.  2 ods  ods  system_u:object_r:opendnssec_var_run_t:s0   60 Apr 20 06:16 .
drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0            1000 Apr 20 06:15 ..
srw-rw-rw-.  1 root root system_u:object_r:opendnssec_var_run_t:s0    0 Apr 20 06:16 engine.sock

# auditctl -w /etc/shadow -p w
# setenforce 0
# systemctl restart ods-enforcerd.service 
# ausearch -m AVC
...
time->Mon Apr 20 06:24:35 2020
type=PROCTITLE msg=audit(1587378275.081:2130): proctitle="/usr/sbin/ods-enforcerd"
type=PATH msg=audit(1587378275.081:2130): item=0 name="/var/opendnssec/kasp.db" inode=267656 dev=fc:01 mode=0100660 ouid=995 ogid=992 rdev=00:00 obj=unconfined_u:object_r:opendnssec_var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587378275.081:2130): cwd="/"
type=SYSCALL msg=audit(1587378275.081:2130): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55774f9eebac a2=a0002 a3=0 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.081:2130): avc:  denied  { dac_override } for  pid=26878 comm="ods-enforcerd" capability=1  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
----
time->Mon Apr 20 06:24:35 2020
type=PROCTITLE msg=audit(1587378275.083:2131): proctitle="/usr/sbin/ods-enforcerd"
type=PATH msg=audit(1587378275.083:2131): item=0 name="/var/opendnssec/enforcer" inode=267655 dev=fc:01 mode=040770 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:opendnssec_var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587378275.083:2131): cwd="/"
type=SYSCALL msg=audit(1587378275.083:2131): arch=c000003e syscall=80 success=yes exit=0 a0=55774f9e74a0 a1=3e3 a2=3e0 a3=2000 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.083:2131): avc:  denied  { dac_read_search } for  pid=26878 comm="ods-enforcerd" capability=2  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1

Comment 1 Christian Heimes 2020-04-20 10:30:03 UTC
This systemd drop-in seems to fix the startup problem for me:

# /etc/systemd/system/ods-enforcerd.service.d/override.conf
[Service]
User=ods
Group=ods
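
The triage the report walks through by hand (AVC permission, SYSCALL euid, PATH owner and mode, then the User=/Group= drop-in) can be scripted. The Python below is an added example for this page, not code from OpenDNSSEC, FreeIPA or the Fedora package. Its input is a constructed copy of the two audit events quoted in the description, and the keys it parses (euid, ouid, mode, name, comm) are the standard audit record fields. A dac_override or dac_read_search denial is classified as "run_as_owner" when the caller is root and the object belongs to another uid with no permission bits for "other": in that case the capability is only needed because the daemon runs as the wrong user, which is exactly the situation in this bug.

```python
"""Triage dac_override / dac_read_search AVCs from raw `ausearch -m AVC` output.

Added example for this bug report; not OpenDNSSEC, FreeIPA or Fedora code.
SAMPLE is constructed from the two audit events quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample input: trimmed copies of the report's two audit events.
SAMPLE = """\
type=PATH msg=audit(1587378275.081:2130): item=0 name="/var/opendnssec/kasp.db" inode=267656 dev=fc:01 mode=0100660 ouid=995 ogid=992 rdev=00:00 obj=unconfined_u:object_r:opendnssec_var_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1587378275.081:2130): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.081:2130): avc:  denied  { dac_override } for  pid=26878 comm="ods-enforcerd" capability=1  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
type=PATH msg=audit(1587378275.083:2131): item=0 name="/var/opendnssec/enforcer" inode=267655 dev=fc:01 mode=040770 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:opendnssec_var_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1587378275.083:2131): arch=c000003e syscall=80 success=yes exit=0 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.083:2131): avc:  denied  { dac_read_search } for  pid=26878 comm="ods-enforcerd" capability=2  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
"""

# Capability permissions that exist only to bypass discretionary access control.
DAC_CAPS = {"dac_override", "dac_read_search"}

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied\s+\{ ([^}]*) \}")


def parse_events(text):
    """Group records by audit event id; each event maps record type -> body."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, eid, body = m.groups()
            events[eid][rtype] = body
    return events


def kv(body):
    """key=value pairs of a record body, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def triage(events):
    """For each DAC-capability denial, decide whether dropping privileges fixes it."""
    findings = []
    for eid in sorted(events):
        recs = events[eid]
        m = DENIED_RE.search(recs.get("AVC", ""))
        if not m:
            continue
        perms = set(m.group(1).split()) & DAC_CAPS
        if not perms:
            continue
        sc = kv(recs.get("SYSCALL", ""))
        path = kv(recs.get("PATH", ""))
        euid = int(sc.get("euid", -1))
        ouid = int(path.get("ouid", -1))
        mode = int(path.get("mode", "0"), 8)
        finding = {
            "event": eid,
            "comm": sc.get("comm"),
            "perms": sorted(perms),
            "path": path.get("name"),
            "euid": euid,
            "ouid": ouid,
            "mode": "0o%o" % (mode & 0o7777),
        }
        # Root touching an object it does not own, whose mode grants nothing
        # to "other": the kernel consults CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
        # only because the process runs as the wrong user. The least-privilege
        # fix is to run the service as the owner, not to allow the capability
        # in the SELinux domain.
        if euid == 0 and ouid > 0 and (mode & 0o7) == 0:
            finding["verdict"] = "run_as_owner"
        else:
            finding["verdict"] = "review"
        findings.append(finding)
    return findings


def main():
    for f in triage(parse_events(SAMPLE)):
        print("%(event)s %(comm)s %(perms)s %(path)s euid=%(euid)d "
              "owner=%(ouid)d mode=%(mode)s -> %(verdict)s" % f)


if __name__ == "__main__":
    main()
```

Feed it the raw (uninterpreted) output of `ausearch -m AVC`; `-i` rewrites uids and modes into names and breaks the parsing. On the report's data both events come back as run_as_owner, with owner 995 (the ods user in the ls output) and modes 0660 and 0770. That is the check that separates this bug from a genuine policy gap: the alternative an `audit2allow` run would suggest, `allow opendnssec_t self:capability { dac_override dac_read_search };`, would let a root ods-enforcerd bypass DAC on every file, while the User=/Group= drop-in above (and the fixed 2.1.6-5 package) removes the need for the capability altogether.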

Comment 2 Fedora Update System 2020-04-20 14:01:31 UTC
FEDORA-2020-fd0589ddff has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-fd0589ddff

Comment 3 Fedora Update System 2020-04-20 16:19:00 UTC
FEDORA-2020-fd0589ddff has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-fd0589ddff`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-fd0589ddff

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-04-25 02:25:31 UTC
FEDORA-2020-fd0589ddff has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.