Bug 1831732

Summary:	AVC avc: denied { dac_override } for comm="ods-enforcerd
Product:	Red Hat Enterprise Linux 8	Reporter:	Alexander Bokovoy <abokovoy>
Component:	opendnssec	Assignee:	François Cami <fcami>
Status:	CLOSED ERRATA	QA Contact:	ipa-qe <ipa-qe>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.3	CC:	ssidhaye, twoerner
Target Milestone:	rc	Flags:	pm-rhel: mirror+
Target Release:	8.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	opendnssec-2.1.6-2	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-11-04 02:50:41 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alexander Bokovoy 2020-05-05 14:29:34 UTC

This bug was initially created as a copy of Bug #1825812

I am copying this bug because: 



Description of problem:
FreeIPA with DNSSEC support is failing to install on a F32 machine. It looks like the problem is caused by an AVC in ods-enforcerd. The ODS enforcer daemon starts as root but root has no permission to read/write files in /var/opendnssec and /run/opendnssec. The files are owned by ods:ods and most directories are not accessible by other users.

Version-Release number of selected component (if applicable):
opendnssec-2.1.6-4.fc32.x86_64
freeipa-server-4.8.6-1.fc32.x86_64
selinux-policy-3.14.5-32.fc32.noarch


How reproducible:
always

Steps to Reproduce:
1. ipa-server-install
2. ipa-dns-install --dnssec-master --auto-reverse --auto-forwarders -U


Actual results:
DNS server installation is failing while ods-enforcerd is started:

  [7/8]: starting OpenDNSSEC enforcer", "  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'restart', 'ods-enforcerd.service'] returned non-zero exit status 1: 'Job for ods-enforcerd.service failed because the control process exited with error code.

  ods-enforcerd[27230]: Could not connect to database or database not set up properly.

ausearch is showing multiple AVCs:
  AVC avc:  denied  { dac_override } for  pid=27230 comm="ods-enforcerd" capability=1  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=0

Expected results:
no error

Additional info:
# ls -laZ /var/run/opendnssec/ /var/opendnssec/
/var/opendnssec/:
total 128
drwxrwx---.  6 root ods  system_u:object_r:opendnssec_var_t:s0       4096 Apr 20 06:16 .
drwxr-xr-x. 21 root root system_u:object_r:var_t:s0                  4096 Apr 20 06:05 ..
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Mar 10 22:53 enforcer
-rw-rw----.  1 ods  ods  unconfined_u:object_r:opendnssec_var_t:s0 102400 Apr 20 06:16 kasp.db
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Mar 10 22:53 signconf
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Mar 10 22:53 signed
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0       4096 Apr 20 06:16 tmp

/var/run/opendnssec/:
total 0
drwxr-xr-x.  2 ods  ods  system_u:object_r:opendnssec_var_run_t:s0   60 Apr 20 06:16 .
drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0            1000 Apr 20 06:15 ..
srw-rw-rw-.  1 root root system_u:object_r:opendnssec_var_run_t:s0    0 Apr 20 06:16 engine.sock

# auditctl -w /etc/shadow -p w
# setenforce 0
# systemctl restart ods-enforcerd.service 
# ausearch -m AVC
...
time->Mon Apr 20 06:24:35 2020
type=PROCTITLE msg=audit(1587378275.081:2130): proctitle="/usr/sbin/ods-enforcerd"
type=PATH msg=audit(1587378275.081:2130): item=0 name="/var/opendnssec/kasp.db" inode=267656 dev=fc:01 mode=0100660 ouid=995 ogid=992 rdev=00:00 obj=unconfined_u:object_r:opendnssec_var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587378275.081:2130): cwd="/"
type=SYSCALL msg=audit(1587378275.081:2130): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55774f9eebac a2=a0002 a3=0 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.081:2130): avc:  denied  { dac_override } for  pid=26878 comm="ods-enforcerd" capability=1  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
----
time->Mon Apr 20 06:24:35 2020
type=PROCTITLE msg=audit(1587378275.083:2131): proctitle="/usr/sbin/ods-enforcerd"
type=PATH msg=audit(1587378275.083:2131): item=0 name="/var/opendnssec/enforcer" inode=267655 dev=fc:01 mode=040770 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:opendnssec_var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587378275.083:2131): cwd="/"
type=SYSCALL msg=audit(1587378275.083:2131): arch=c000003e syscall=80 success=yes exit=0 a0=55774f9e74a0 a1=3e3 a2=3e0 a3=2000 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.083:2131): avc:  denied  { dac_read_search } for  pid=26878 comm="ods-enforcerd" capability=2  scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1

Comment 1 Alexander Bokovoy 2020-05-05 14:31:46 UTC

Test criteria: there should be no DAC override AVCs after installing RHEL IdM with DNSSEC master enabled.

Comment 5 Sumedh Sidhaye 2020-08-17 09:43:54 UTC

Build used for verification

ipa-client-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
ipa-client-common-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-common-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-healthcheck-core-0.4-4.module+el8.2.0+5489+95477d9f.noarch
ipa-selinux-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-server-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
ipa-server-common-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-server-dns-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-server-trust-ad-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64


============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.9.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-232.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.10.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.10.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 11 items

test_integration/test_dnssec.py::TestInstallDNSSECLast::test_install_dnssec_master PASSED [  9%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_if_zone_is_signed_master PASSED [ 18%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_if_zone_is_signed_replica PASSED [ 27%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_disable_reenable_signing_master PASSED [ 36%]
test_integration/test_dnssec.py::TestInstallDNSSECLast::test_disable_reenable_signing_replica PASSED [ 45%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_sign_root_zone PASSED [ 54%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust xfail [ 63%]
test_integration/test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf PASSED [ 72%]
test_integration/test_dnssec.py::TestMigrateDNSSECMaster::test_migrate_dnssec_master PASSED [ 81%]
test_integration/test_dnssec.py::TestInstallNoDnssecValidation::test_install_withDnssecValidation PASSED [ 90%]
test_integration/test_dnssec.py::TestInstallNoDnssecValidation::test_install_noDnssecValidation PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
=========================== short test summary info ============================
XFAIL test_integration/test_dnssec.py::TestInstallDNSSECFirst::()::test_chain_of_trust
  dnspython issue 343
=================== 10 passed, 1 xfailed in 4303.77 seconds ====================


No dac_override AVCs were seen on master and replicas

[root@master ~]# systemctl  show ods-enforcerd.service  -p User
User=ods
[root@master ~]# ausearch -m AVC | grep 'dac_override'
[root@master ~]# 

[root@replica1 ~]# ausearch -m AVC | grep 'dac_override'
[root@replica1 ~]# 
[root@replica1 ~]# 
[root@replica1 ~]# systemctl  show ods-enforcerd.service  -p User
User=ods
[root@replica1 ~]#

[root@replica2 ~]# ausearch -m AVC | grep 'dac_override'
[root@replica2 ~]#
[root@replica2 ~]# systemctl  show ods-enforcerd.service  -p User
User=ods
[root@replica2 ~]# 


Based on above observations marking Bugzilla verified

Comment 9 errata-xmlrpc 2020-11-04 02:50:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670