This bug was created as a copy of https://bugzilla.redhat.com/show_bug.cgi?id=1820298 (versions and AVC messages updated):
Description of problem:
When configuring an AD trust agent, the command ipa-adtrust-install --add-agents is unable to configure the additional agent.
Version-Release number of selected component (if applicable):
ipa-server-4.8.7-4.module+el8.3.0+7221+eedbd403
selinux-policy-3.14.3-48.el8
How reproducible:
Always
Steps to Reproduce:
1. install ipa master with ipa-server-install
2. install ipa replica with ipa-replica-install
3. run ipa-adtrust-install --add-sids -a password --enable-compat --add-agents
When the command prompts for configuration of additional masters, answer yes
Actual results:
The command fails to configure the replica as a trust agent and prints:
WARNING: you MUST manually enable the Schema compatibility Plugin and
WARNING: you MUST restart (both "ipactl restart" and "systemctl restart sssd")
the following IPA masters in order to activate them to serve information about
users from trusted forests:
<replica-fqdn>
Expected results:
The command should succeed.
Additional info:
ipa-adtrust-install launches a remote command on the replica through IPA XMLRPC. This command uses oddjob to execute a CLI helper, but when SELinux is in enforcing mode this mechanism fails with the following AVC:
time->Tue Jul 21 09:21:25 2020
type=PROCTITLE msg=audit(1595337685.098:640): proctitle=2F7573722F7362696E2F6F64646A6F6264002D6E002D70002F7661722F72756E2F6F64646A6F62642E706964002D7400333030
type=SYSCALL msg=audit(1595337685.098:640): arch=c000003e syscall=59 success=no exit=-13 a0=56160271e4d0 a1=561602720e20 a2=56160272ea90 a3=0 items=0 ppid=9514 pid=10077 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1595337685.098:640): avc: denied { transition } for pid=10077 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent" dev="vda1" ino=1741562 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
On Fedora 31+, freeipa delivers its own SELinux policy, and the following line was added in selinux/ipa.fc to fix the issue:
/usr/libexec/ipa/oddjob/org\.freeipa\.server\.trust-enable-agent -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
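The following is an added illustration of how to read the denial above and check the file-context fix; it is not FreeIPA or selinux-policy code. It parses the AVC record quoted in this report into its fields (source domain, target domain, class, permission, path), explains a denied process transition, and evaluates the quoted ipa.fc rule against the helper path to show which label the policy assigns. The AVC line and the .fc line are the ones from this report; everything else (function names, the simplified first-match .fc lookup) is this example's own.

```python
"""Parse SELinux AVC denials and evaluate a file-context (.fc) rule against a path.

Added example for the oddjob_t -> httpd_t transition denial in this report; it is
not FreeIPA or selinux-policy code. The sample AVC line and .fc line are the ones
quoted in the report; the helper functions and the simplified .fc matcher are
this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc:  denied  { perm ... } for key=value ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ *(?P<perms>[^}]+?) *\} +for +(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path) or bare (scontext)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# <path regex> [<file-type flag>] gen_context(<user:role:type>,<mls>)
FC_RE = re.compile(
    r'^(?P<regex>\S+)(?:\s+(?P<ftype>-[-bcdlps]))?\s+'
    r'gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)'
)

# The AVC record quoted in the bug report (single line).
SAMPLE_AVC = (
    'type=AVC msg=audit(1595337685.098:640): avc: denied { transition } for '
    'pid=10077 comm="oddjobd" '
    'path="/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent" '
    'dev="vda1" ino=1741562 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0'
)
# The selinux/ipa.fc line quoted in the bug report.
SAMPLE_FC = [
    r'/usr/libexec/ipa/oddjob/org\.freeipa\.server\.trust-enable-agent -- '
    r'gen_context(system_u:object_r:ipa_helper_exec_t,s0)',
]


@dataclass
class AvcDenial:
    timestamp: str
    serial: str
    perms: List[str]          # permissions denied, e.g. ["transition"]
    fields: Dict[str, str]    # remaining key=value pairs, quotes stripped

    def source_type(self) -> str:
        # user:role:type[:range] -> the type component
        return self.fields['scontext'].split(':')[2]

    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]

    def enforcing(self) -> bool:
        # permissive=0 means the denial actually blocked the operation
        return self.fields.get('permissive') == '0'


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit AVC record; return None for non-AVC or granted records."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcDenial(m.group('ts'), m.group('serial'), m.group('perms').split(), fields)


def explain(d: AvcDenial) -> str:
    """One-line diagnosis; for a process transition the file label of `path` is the lever."""
    src, tgt, tclass = d.source_type(), d.target_type(), d.fields.get('tclass', '?')
    mode = 'enforcing' if d.enforcing() else 'permissive'
    if tclass == 'process' and 'transition' in d.perms:
        path = d.fields.get('path', '<unknown>')
        return (f'[{mode}] {src} executed {path} and the policy chose {tgt} as the new '
                f'domain, which {src} may not enter; the label on {path} selects the '
                f'target domain, so check it (ls -Z / matchpathcon) and relabel if wrong')
    return f'[{mode}] {src} denied {" ".join(d.perms)} on {tclass} labelled {tgt}'


def parse_fc_line(line: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (path regex, file-type flag, full context) for one .fc rule."""
    m = FC_RE.match(line.strip())
    if not m:
        return None
    return m.group('regex'), m.group('ftype'), f"{m.group('ctx')}:{m.group('mls')}"


def expected_context(fc_lines: Sequence[str], path: str) -> Optional[str]:
    """Label the given .fc rules assign to path (simplified: first full match wins;
    the real matcher prefers the most specific entry)."""
    for line in fc_lines:
        rule = parse_fc_line(line)
        if rule and re.fullmatch(rule[0], path):
            return rule[2]
    return None


if __name__ == '__main__':
    denial = parse_avc(SAMPLE_AVC)
    assert denial is not None
    print(explain(denial))
    print('ipa.fc assigns:', expected_context(SAMPLE_FC, denial.fields['path']))
```

On a live host the same check is `ausearch -m AVC -ts recent` to collect the denials, `ls -Z` on the helper to see its current label, `matchpathcon` on the same path to see what the installed policy expects, and `restorecon -v` on it once the updated policy (or the ipa.fc rule above) is installed so the on-disk label matches.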
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:4670