Bug 1853263

Summary: ipa-selinux package missing
Product: Red Hat Enterprise Linux 8
Reporter: Kaleem <ksiddiqu>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: high
Priority: high
Version: 8.3
CC: abokovoy, cheimes, lvrabec, mmalik, plautrba, rcritten, ssekidde, sumenon, tscherf, zpytela
Target Milestone: rc
Keywords: TestBlocker, TestCaseProvided, Triaged
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.8.7-5
Doc Type: If docs needed, set a value
Last Closed: 2020-11-04 02:51:20 UTC
Type: Bug

Description Kaleem 2020-07-02 09:52:39 UTC
Description of problem:

The following AVC denial is seen during ipa dnssec-master install:

Jul  2 03:28:08 master systemd[1]: Started IPA key daemon.
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipa-dnskeysyncd: INFO     LDAP bind...
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipa-dnskeysyncd: INFO     Commencing sync process
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
Jul  2 03:28:10 master platform-python[40704]: detected unhandled Python exception in '/usr/libexec/ipa/ipa-dnskeysyncd'
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: Traceback (most recent call last):
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module>
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 457, in syncrepl_poll
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    self.syncrepl_refreshdone()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 125, in syncrepl_refreshdone
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    self.ods_sync()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 183, in ods_sync
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    self.odsmgr.sync()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/odsmgr.py", line 221, in sync
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    zl_ods = self.get_ods_zonelist()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/odsmgr.py", line 143, in get_ods_zonelist
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    stdout = self.ksmutil(['zonelist', 'export'])
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/odsmgr.py", line 139, in ksmutil
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    result = tasks.run_ods_manager(params, capture_output=True)
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/_ods21.py", line 115, in run_ods_manager
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    return ipautil.run(cmd, **kwargs)
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    p.returncode, arg_string, output_log, error_log
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ods-enforcer', 'zonelist', 'export'] returned non-zero exit status 201: 'Unable to connect to engine. connect() failed: Permission denied ("/var/run/opendnssec/enforcer.sock")\n')
Jul  2 03:28:10 master abrt-server[40710]: Deleting problem directory Python3-2020-07-02-03:28:10-40704 (dup of Python3-2020-07-02-02:00:49-32186)
Jul  2 03:28:10 master systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE
Jul  2 03:28:10 master systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'.
Jul  2 03:28:10 master dbus-daemon[738]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.201' (uid=0 pid=700 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Jul  2 03:28:10 master dbus-daemon[40721]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul  2 03:28:10 master abrt-server[40710]: /bin/sh: reporter-systemd-journal: command not found
Jul  2 03:28:11 master dbus-daemon[738]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jul  2 03:28:11 master dbus-daemon[738]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.858' (uid=995 pid=40721 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jul  2 03:28:11 master dbus-daemon[40735]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul  2 03:28:12 master dbus-daemon[738]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jul  2 03:28:13 master setroubleshoot[40721]: SELinux is preventing /usr/sbin/ods-enforcer from write access on the sock_file enforcer.sock. For complete SELinux messages run: sealert -l 829e84f4-20aa-4110-a104-a9200879eb95
Jul  2 03:28:13 master platform-python[40721]: SELinux is preventing /usr/sbin/ods-enforcer from write access on the sock_file enforcer.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ods-enforcer should be allowed write access on the enforcer.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ods-enforcer' --raw | audit2allow -M my-odsenforcer
# semodule -X 300 -i my-odsenforcer.pp

#============= ipa_dnskey_t ==============
allow ipa_dnskey_t opendnssec_var_run_t:sock_file write;

Version-Release number of selected component (if applicable):
[root@master ~]# rpm -q ipa-server selinux-policy
ipa-server-4.8.7-4.module+el8.3.0+7221+eedbd403.x86_64
selinux-policy-3.14.3-48.el8.noarch
[root@master ~]# 


How reproducible:
Always

Steps to Reproduce:
1. Install IPA with dns
2. Install 
3.

Actual results:
The AVC denial shown above is seen.

Expected results:
No AVC denial.

Additional info:

Comment 1 Kaleem 2020-07-02 10:11:59 UTC
[root@master ~]# ausearch -c 'ods-enforcer' --raw
type=AVC msg=audit(1593669649.090:2550): avc:  denied  { write } for  pid=32221 comm="ods-enforcer" name="enforcer.sock" dev="tmpfs" ino=139006 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1593669649.090:2550): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffec9784380 a2=6e a3=21 items=0 ppid=32186 pid=32221 auid=4294967295 uid=989 gid=25 euid=989 suid=989 fsuid=989 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ods-enforcer" exe="/usr/sbin/ods-enforcer" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="ods" GID="named" EUID="ods" SUID="ods" FSUID="ods" EGID="named" SGID="named" FSGID="named"
type=PROCTITLE msg=audit(1593669649.090:2550): proctitle=2F7573722F7362696E2F6F64732D656E666F72636572007A6F6E656C697374006578706F7274

Comment 2 Christian Heimes 2020-07-02 10:19:48 UTC
IPA's SELinux policy has

optional_policy(`
        opendnssec_domtrans(ipa_dnskey_t)
        opendnssec_manage_config(ipa_dnskey_t)
        opendnssec_manage_var_files(ipa_dnskey_t)
        opendnssec_filetrans_etc_content(ipa_dnskey_t)
        opendnssec_stream_connect(ipa_dnskey_t)
')

Shouldn't opendnssec_stream_connect() allow ipa_dnskey_t to connect and write to a Unix domain socket file?

On Fedora opendnssec_stream_connect() is defined as:

interface(`opendnssec_stream_connect',`
        gen_require(`
                type opendnssec_t, opendnssec_var_run_t;
        ')

        files_search_pids($1)
        stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)
')

define(`stream_connect_pattern',`
        allow $1 $2:dir search_dir_perms;
        allow $1 $3:sock_file write_sock_file_perms;
        allow $1 $4:unix_stream_socket connectto;
')

define(`write_sock_file_perms',`{ getattr write open append }')

Comment 3 Zdenek Pytela 2020-07-02 11:26:17 UTC
Christian,

The following line:

        opendnssec_stream_connect(ipa_dnskey_t)

is not present in RHEL 8.3. It was added as a part of freeipa commit

commit e881e35783bb250bbdbc575cee4df2af6bc2eb88
Author: Christian Heimes <cheimes>
Date:   Tue Apr 21 09:39:29 2020 +0200

    Fix various OpenDNSSEC 2.1 issues
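
Added example, not code from the bug report or from FreeIPA: the Python below first parses the raw `type=AVC` record from Comment 1 the way audit2allow does and emits the minimal allow rule, then expands the policy fragment quoted in Comment 2 (the IPA optional_policy block, opendnssec_stream_connect() and stream_connect_pattern) into concrete rules, once with and once without the opendnssec_stream_connect(ipa_dnskey_t) line that Comment 3 says is absent from RHEL 8.3, and checks whether the denied access is covered in each case. The expansions of files_search_pids() and search_dir_perms are assumptions (refpolicy's usual search on var_run_t and { getattr search open }); the other four interfaces in the block are not modelled, since the denial occurred with them present. The AVC line is copied from Comment 1 as constructed input, so nothing here needs SELinux tooling.

```python
"""Check the AVC denial from this bug against the quoted policy fragment.

Added example (not FreeIPA or refpolicy code). Only the two macros shown in
the thread are expanded; real refpolicy m4 is far richer.
"""
import re
from dataclasses import dataclass

# Raw AVC record copied from Comment 1 (constructed test input; obtained on a
# live system with: ausearch -c 'ods-enforcer' --raw).
AVC_RECORD = (
    'type=AVC msg=audit(1593669649.090:2550): avc:  denied  { write } for  '
    'pid=32221 comm="ods-enforcer" name="enforcer.sock" dev="tmpfs" ino=139006 '
    'scontext=system_u:system_r:ipa_dnskey_t:s0 '
    'tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=0'
)


@dataclass(frozen=True)
class Avc:
    source_type: str   # type field of scontext (user:role:type[:mls])
    target_type: str   # type field of tcontext
    tclass: str
    perms: frozenset


_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(record):
    """Extract (source type, target type, class, permissions) from a raw AVC line."""
    m = _AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    return Avc(
        source_type=m.group('scon').split(':')[2],
        target_type=m.group('tcon').split(':')[2],
        tclass=m.group('tclass'),
        perms=frozenset(m.group('perms').split()),
    )


def allow_rule(avc):
    """The minimal rule audit2allow would emit for this record."""
    perms = ' '.join(sorted(avc.perms))
    if len(avc.perms) > 1:
        perms = '{ ' + perms + ' }'
    return f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {perms};"


# Permission sets: write_sock_file_perms is quoted in Comment 2;
# search_dir_perms is ASSUMED to be refpolicy's { getattr search open }.
PERM_SETS = {
    'write_sock_file_perms': frozenset({'getattr', 'write', 'open', 'append'}),
    'search_dir_perms': frozenset({'getattr', 'search', 'open'}),
}


def stream_connect_pattern(domain, dir_t, sock_t, server_t):
    """Expansion of stream_connect_pattern($1,$2,$3,$4) as quoted in Comment 2.
    Each rule is (source, target, class, permissions)."""
    return {
        (domain, dir_t, 'dir', PERM_SETS['search_dir_perms']),
        (domain, sock_t, 'sock_file', PERM_SETS['write_sock_file_perms']),
        (domain, server_t, 'unix_stream_socket', frozenset({'connectto'})),
    }


def opendnssec_stream_connect(domain):
    """Expansion of the Fedora opendnssec_stream_connect() interface."""
    # files_search_pids($1): ASSUMED to grant dir search on var_run_t.
    rules = {(domain, 'var_run_t', 'dir', PERM_SETS['search_dir_perms'])}
    rules |= stream_connect_pattern(domain, 'opendnssec_var_run_t',
                                    'opendnssec_var_run_t', 'opendnssec_t')
    return rules


def ipa_dnskey_policy(with_stream_connect):
    """Rules the optional_policy block grants for the interface we model.
    The other four interfaces are not modelled: the denial occurred with them
    present, so they do not cover sock_file write on opendnssec_var_run_t."""
    return opendnssec_stream_connect('ipa_dnskey_t') if with_stream_connect else set()


def is_allowed(rules, avc):
    """True if some rule grants every permission the AVC record was denied."""
    return any(src == avc.source_type and tgt == avc.target_type
               and cls == avc.tclass and avc.perms <= perms
               for src, tgt, cls, perms in rules)


if __name__ == '__main__':
    avc = parse_avc(AVC_RECORD)
    print(allow_rule(avc))
    for flag in (False, True):
        print(f"with opendnssec_stream_connect={flag}: "
              f"allowed={is_allowed(ipa_dnskey_policy(flag), avc)}")
```

Running it prints the same `allow ipa_dnskey_t opendnssec_var_run_t:sock_file write;` line that audit2allow produced in the description, and shows the access denied without the interface call and granted with it, which is the gap a shipped ipa-selinux package would have closed.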

Comment 4 Christian Heimes 2020-07-02 11:40:18 UTC
The commit is in the ipa 4.8.7 release but there is no ipa-selinux package on RHEL 8.3. Furthermore, the ipa-common package does not depend on the SELinux policy package:

Fedora:
# rpm -qa freeipa-common
freeipa-common-4.8.7-1.fc32.noarch
# rpm -qR freeipa-common
(freeipa-selinux if selinux-policy-targeted)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1


RHEL 8.3:
# rpm -qa ipa-common
ipa-common-4.8.7-4.module+el8.3.0+7221+eedbd403.noarch
# rpm -qR ipa-common
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

Comment 5 Christian Heimes 2020-07-02 11:44:39 UTC
Thomas discovered that the check for with_selinux is wrong. 

I fixed the problem in upstream commit https://pagure.io/freeipa/c/5a3b5f3affe16efcbf93af5c1bfd95a0c7999e5b but the fix didn't get into RHEL 8 spec file.

Comment 12 errata-xmlrpc 2020-11-04 02:51:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670