Bug 1870596

Summary: fowner capability required by certmonger
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: ksiddiqu, lvrabec, mmalik, pcech, plautrba, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.3
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Last Closed: 2020-11-04 01:57:16 UTC
Type: Bug

Description Rob Crittenden 2020-08-20 13:04:24 UTC
Description of problem:

As part of one of the IPA integration tests (test_epn) certmonger is used to obtain an X.509 certificate for postfix.

It is requested with:

# ipa-getcert request -f /etc/pki/tls/certs/postfix.pem \
-k /etc/pki/tls/private/postfix.key \
-K smtp/`hostname` \
-D `hostname` \
-O postfix \
-o postfix \
-M 0640 \
-m 0600 \
-w

After obtaining the certificate certmonger will change the owner and group to postfix and set the file mode of the certificate and key.

This is resulting in the following AVC:

type=AVC msg=audit(1597851527.271:2658): avc:  denied  { fowner } for  pid=33471 comm="certmonger" capability=3  scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0

The chown is done first with: fchown(fd, uid, gid)

followed by the chmod: fchmod(fd, perms)

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-52.el8
certmonger-0.79.7-15.el8

Steps to Reproduce:
1. ipa-server-install
2. kinit admin
3. ipa service-add smtp/`hostname`
4. the above ipa-getcert command
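
Added example, not part of the bug report and not certmonger's own code: a small Python triage script that parses the AVC record quoted above and turns it into the facts an SELinux maintainer needs (which domain, which object class, which capability number the kernel checked) and the allow statement a local policy module would carry. The capability number-to-name table is taken from linux/capability.h; the sample input is a copy of the AVC line from the description. The reason CAP_FOWNER appears at all is the order of the two calls: the kernel lets a process chmod a file only if it owns the file or holds CAP_FOWNER, so once fchown(fd, uid, gid) has handed the file to postfix, the root-running certmonger is no longer the owner and the following fchmod(fd, perms) triggers the capability check, which SELinux reports as a denial in the capability class.

```python
import re

# Capability numbers from linux/capability.h; the AVC reports only the number.
# Only the low, file-related entries are listed here.
CAPABILITY_NAMES = {
    0: "chown",
    1: "dac_override",
    2: "dac_read_search",
    3: "fowner",
    4: "fsetid",
    5: "kill",
    6: "setgid",
    7: "setuid",
}

# Sample input: a copy of the AVC record from the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1597851527.271:2658): avc:  denied  { fowner } for  '
    'pid=33471 comm="certmonger" capability=3  '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0'
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # user:role:type:level -> the policy rule refers to the type (third field).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # For the capability class the number identifies which capable() check failed.
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capname"] = CAPABILITY_NAMES.get(int(rec["capability"]), "unknown")
    return rec


def allow_rule(rec):
    """Render the AVC as the allow statement a local module would need (audit2allow style)."""
    target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return "allow %s %s:%s %s;" % (rec["stype"], target, rec["tclass"], perms)


def summarize(lines):
    """Collect the distinct allow statements needed for a batch of audit lines."""
    rules = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rule = allow_rule(rec)
            if rule not in rules:
                rules.append(rule)
    return rules


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("%s in domain %s: capability %s (%s)" % (
        rec["comm"], rec["stype"], rec["capability"], rec["capname"]))
    for rule in summarize([SAMPLE_AVC]):
        print(rule)
```

Feed it `ausearch -m AVC -ts recent` output (or the lines gathered in permissive mode, as asked for in comment 1) and the summary lists one rule per distinct denial, which is the same view audit2allow gives; whether such a rule belongs in the distribution policy or the program should simply call fchmod before fchown is the decision the maintainer makes, not something the script decides.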

Comment 1 Zdenek Pytela 2020-08-20 14:01:27 UTC
Rob,

Could you please re-run the scenario with SELinux in permissive mode to gather all possible subsequent denials?

  # setenforce 0

Reading the description in bz#1870300, I see some tests fail. Do they cover some real scenario? Which RHEL release should the fix target?

Comment 24 errata-xmlrpc 2020-11-04 01:57:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528