Bug 1873211 - fsetid capability required by certmonger

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | fsetid capability required by certmonger | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Kaleem <ksiddiqu> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 8.3 | CC | apeetham, lvrabec, mmalik, plautrba, prasun.gera, rcritten, ssekidde |
| Target Milestone | rc | Keywords | AutoVerified, Triaged |
| Target Release | 8.4 | | |
| Hardware | Unspecified | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-05-18 14:57:54 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Kaleem
2020-08-27 15:55:39 UTC
Comment 1
Zdenek Pytela

Kaleem,

The path is not a part of the audit record; do you happen to know which file the fchmod syscall applies to?

The inode= part can be used together with dev= like

# find /path -inum INUM

>> owner/group/permission all seems to ok for both cert/key files.

Is this statement valid when the test runs in SELinux enforcing mode?

Comment
Kaleem

(In reply to Zdenek Pytela from comment #1)
> Kaleem,
>
> The path is not a part of the audit record; do you happen to know which file
> the fchmod syscall applies to?

I think it applies to /etc/pki/tls/private/postfix.key

> The inode= part can be used together with dev= like
>
> # find /path -inum INUM
>
> >> owner/group/permission all seems to ok for both cert/key files.
> Is this statement valid when the test runs in SELinux enforcing mode?

Yes, it's valid in enforcing mode, but type=PATH is part of enforcing mode logs, it is seen in permissive mode only.

[root@master ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(09/03/2020 08:10:08.510:4606) : proctitle=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n -d2
type=SYSCALL msg=audit(09/03/2020 08:10:08.510:4606) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x7f a1=0600 a2=0x557358322fe0 a3=0xf0000000 items=0 ppid=41035 pid=46264 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:10:08.510:4606) : avc: denied { fsetid } for pid=46264 comm=certmonger capability=fsetid scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(09/03/2020 08:10:08.516:4607) : proctitle=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n -d2
type=SYSCALL msg=audit(09/03/2020 08:10:08.516:4607) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x7f a1=0600 a2=0x0 a3=0xf0000000 items=0 ppid=41035 pid=46266 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:10:08.516:4607) : avc: denied { fsetid } for pid=46266 comm=certmonger capability=fsetid scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(09/03/2020 08:10:09.888:4608) : proctitle=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n -d2
type=SYSCALL msg=audit(09/03/2020 08:10:09.888:4608) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x87 a1=0600 a2=0x557358325fb0 a3=0xf0000000 items=0 ppid=41035 pid=46287 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:10:09.888:4608) : avc: denied { fsetid } for pid=46287 comm=certmonger capability=fsetid scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(09/03/2020 08:10:09.888:4609) : proctitle=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n -d2
type=SYSCALL msg=audit(09/03/2020 08:10:09.888:4609) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x7f a1=0640 a2=0x557358325fb0 a3=0xf0000000 items=0 ppid=41035 pid=46287 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:10:09.888:4609) : avc: denied { fsetid } for pid=46287 comm=certmonger capability=fsetid scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0

[root@master ~]# ls -la /etc/pki/tls/certs/postfix.pem
-rw-r-----. 1 postfix postfix 1879 Sep  3 08:10 /etc/pki/tls/certs/postfix.pem
[root@master ~]# ls -la /etc/pki/tls/private/postfix.key
-rw-------. 1 postfix postfix 1708 Sep  3 08:10 /etc/pki/tls/private/postfix.key
[root@master ~]# getenforce
Enforcing
[root@master ~]#

Comment

Kaleem,

The success=yes for syscall and denied fsetid avc with permissive=0 for the same audit event confuses me. Are there easy reproducing steps, or a test available to confirm and check some additional information?

Comment

The way I produced it the first time was by installing an IPA server on a VM with 2GB+ of RAM:

In RHEL 8:

# dnf -y module enable idm:DL1
# dnf -y install ipa-server-dns postfix

Once that's done:

# ipa-server-install -a password -p password -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --hostname ipa.example.test

Once the installation is finished (~10 min):

# kinit admin
(the password is password)
# ipa service-add smtp/`hostname`
# ipa-getcert request -f /etc/pki/tls/certs/postfix.pem \
    -k /etc/pki/tls/private/postfix.key \
    -K smtp/`hostname` \
    -D `hostname` \
    -O postfix \
    -o postfix \
    -M 0640 \
    -m 0600 \
    -w

This will cause certmonger to request a certificate from IPA and store the result in /etc/pki/tls/certs/postfix.pem and /etc/pki/tls/private/postfix.key and set the owner/group to postfix:postfix and the modes accordingly.

Comment

*** Bug 1909482 has been marked as a duplicate of this bug. ***

Comment

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/534

Comment

Merged in rawhide:

commit 2573f4190dee921aeb32f982830ab3841fba518c (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jan 8 14:52:06 2021 +0100

    Allow certmonger fsetid capability

    Along with fowner, fsetid capability is required during ipa server
    installation process when certificates for postfix are created and
    ownership+permissions are adjusted.

    Resolves: rhbz#1873211

Comment

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639
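The puzzle raised in the thread (an AVC denial with permissive=0 on the same audit event as a syscall reporting success=yes) comes from how the kernel treats CAP_FSETID on the chmod family: fs/attr.c setattr_prepare() probes for CAP_FSETID whenever the caller is not a member of the file's group (certmonger runs as root, the files belong to postfix:postfix), and if the probe fails it only clears S_ISGID from the requested mode and lets the call succeed. SELinux still audits the failed capability check. The script below is an added example, not code from this bug or from the selinux-policy project; it correlates ausearch -i records by audit serial, classifies each denial as advisory, enforced or permissive, and emits the audit2allow-style rule that corresponds to the fix committed above. The sample records are constructed: the two fchmod events are modelled on comment 2, and the third event (example_t, example_d, example.key) is entirely synthetic so that a denial which really fails the syscall can be contrasted with the advisory one.

```python
"""Correlate ausearch -i output by audit serial and explain success=yes + AVC denied."""
import re
from collections import OrderedDict

# Constructed sample (not a live capture): 4606 and 4609 follow the records in
# comment 2; 4700 is synthetic and shows a file-class denial that fails the call.
SAMPLE = """\
----
type=PROCTITLE msg=audit(09/03/2020 08:10:08.510:4606) : proctitle=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n -d2
type=SYSCALL msg=audit(09/03/2020 08:10:08.510:4606) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x7f a1=0600 a2=0x557358322fe0 a3=0xf0000000 items=0 ppid=41035 pid=46264 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:10:08.510:4606) : avc:  denied  { fsetid } for  pid=46264 comm=certmonger capability=fsetid scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0
----
type=SYSCALL msg=audit(09/03/2020 08:10:09.888:4609) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x7f a1=0640 a2=0x557358325fb0 a3=0xf0000000 items=0 ppid=41035 pid=46287 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:10:09.888:4609) : avc:  denied  { fsetid } for  pid=46287 comm=certmonger capability=fsetid scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0
----
type=PATH msg=audit(09/03/2020 08:11:00.000:4700) : item=0 name=/etc/pki/tls/private/example.key inode=67583 dev=fd:00 mode=file,600 ouid=postfix ogid=postfix obj=system_u:object_r:cert_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(09/03/2020 08:11:00.000:4700) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x557358330000 a2=O_WRONLY a3=0x0 items=1 ppid=1 pid=4242 auid=unset uid=root gid=root comm=example_d exe=/usr/sbin/example_d subj=system_u:system_r:example_t:s0 key=(null)
type=AVC msg=audit(09/03/2020 08:11:00.000:4700) : avc:  denied  { write } for  pid=4242 comm=example_d name=example.key dev=dm-0 ino=67583 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<time>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD = re.compile(r"(\w+)=(\S*\([^)]*\)|\S+)")      # key=value, value may be "(none)" or "EACCES(...)"
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

# chmod-family syscalls: setattr_prepare() asks for CAP_FSETID whenever the caller is
# not in the file's group and, on failure, only clears S_ISGID from the new mode. The
# syscall still succeeds, so SELinux logs a denial that refused nothing.
ADVISORY_FSETID = {"chmod", "fchmod", "fchmodat"}

EXPLANATION = {
    "permissive": "permissive=1: logged only, would be refused in enforcing mode",
    "advisory": "CAP_FSETID probe failed; kernel dropped S_ISGID and let the call succeed",
    "enforced": "the denial made the syscall fail",
    "unexplained": "syscall succeeded despite an enforcing denial; needs a closer look",
}


def parse_fields(body):
    return dict(FIELD.findall(body))


def parse_events(text):
    """Group ausearch -i records into events keyed by the audit serial number."""
    events = OrderedDict()
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:                                  # "----" separators and blank lines
            continue
        ev = events.setdefault(m["serial"], {"time": m["time"], "syscall": {}, "avcs": [], "paths": []})
        body = m["body"]
        if m["type"] == "SYSCALL":
            ev["syscall"] = parse_fields(body)
        elif m["type"] == "AVC":
            avc = parse_fields(body)
            d = DENIED.search(body)
            avc["perms"] = d.group(1).split() if d else []
            ev["avcs"].append(avc)
        elif m["type"] == "PATH":
            ev["paths"].append(parse_fields(body).get("name"))
    return events


def classify(ev):
    """One verdict per AVC record in the event (see EXPLANATION for the meaning)."""
    sc = ev["syscall"]
    kinds = []
    for avc in ev["avcs"]:
        if avc.get("permissive") == "1":
            kinds.append("permissive")
        elif (sc.get("success") == "yes" and avc.get("tclass") == "capability"
              and avc.get("capability") == "fsetid" and sc.get("syscall") in ADVISORY_FSETID):
            kinds.append("advisory")
        elif sc.get("success") == "no":
            kinds.append("enforced")
        else:
            kinds.append("unexplained")
    return kinds


def te_rules(events):
    """audit2allow-style allow rules, one per (source type, target type, class)."""
    rules = OrderedDict()
    for ev in events.values():
        for avc in ev["avcs"]:
            src = avc["scontext"].split(":")[2]
            tgt = avc["tcontext"].split(":")[2]
            key = (src, "self" if src == tgt else tgt, avc["tclass"])
            rules.setdefault(key, set()).update(avc["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in rules.items()]


def report(text):
    """One line per denial: what was attempted, what happened, and why the AVC appeared."""
    lines = []
    for serial, ev in parse_events(text).items():
        sc = ev["syscall"]
        # items=0 means no PATH record was emitted; only a0 (the fd) identifies the file.
        target = ev["paths"][0] if ev["paths"] else "fd %s (no PATH record)" % sc.get("a0", "?")
        for avc, kind in zip(ev["avcs"], classify(ev)):
            lines.append("%s %s a1=%s success=%s pid=%s %s {%s} -> %s: %s" % (
                serial, sc.get("syscall"), sc.get("a1"), sc.get("success"), sc.get("pid"),
                target, " ".join(avc["perms"]), kind, EXPLANATION[kind]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("\n".join(te_rules(parse_events(SAMPLE))))
```

Run against a real system with `ausearch -i -m avc -ts today | python3 thisfile.py` after replacing SAMPLE with stdin; the rule it prints for the certmonger events, `allow certmonger_t self:capability { fsetid };`, is the same grant the merged commit adds, and the `fowner` denial mentioned in that commit message would surface the same way if it were present in the input.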