Bug 2115691
| Summary: | selinux-policy AVC during ipa trust-add using selinux-policy-36.13-3.fc36 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | anuja <amore> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 36 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Reopened, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-36.15-1.fc36 selinux-policy-36.16-1.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-10-12 13:01:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2114902 | | |
It seems dontaudit rules were in place, but full auditing was not enabled.
This one looks like the only relevant denial:
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
Could you try the following local module:
# cat local_winbindrpcd_krb.cil
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open search)))
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open read ioctl lock)))
# semodule -i local_winbindrpcd_krb.cil
and run the test again?
I actually meant this particular one:
----
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
List of all denials run through audit2allow:
#============= NetworkManager_dispatcher_console_t ==============
allow NetworkManager_dispatcher_console_t default_context_t:dir search;
#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:dir remove_name;
#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:file { setattr unlink };
allow NetworkManager_dispatcher_console_t file_context_t:dir search;
allow NetworkManager_dispatcher_console_t file_context_t:file { getattr open read };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow NetworkManager_dispatcher_console_t file_context_t:file map;
allow NetworkManager_dispatcher_console_t security_t:dir read;
allow NetworkManager_dispatcher_console_t security_t:file write;
allow NetworkManager_dispatcher_console_t security_t:security compute_create;
allow NetworkManager_dispatcher_console_t self:process setfscreate;
#============= httpd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow httpd_t self:capability net_admin;
#============= krb5kdc_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow krb5kdc_t selinux_config_t:file read;
#============= oddjob_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow oddjob_t ipa_helper_t:process { rlimitinh siginh };
#============= smbd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };
#============= winbind_rpcd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t cert_t:dir search;
allow winbind_rpcd_t krb5_keytab_t:dir search;
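The workflow the comments above describe (rebuild the policy with dontaudit rules disabled so the hidden denials appear, then turn the denials that remain into a local CIL module), as an added example that is not code from the bug report, from audit2allow or from the selinux-policy project. It assumes POSIX sh and awk. The sample records are constructed: the first two are the denials quoted in this bug, the third (getattr open on the same krb5 directory) is made up so that permission merging is visible. The reproducer passed to collect_denials and the module name local_winbindrpcd_krb are taken from the thread only as illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report: an audit2allow-style translation
# of AVC records into CIL allow rules, plus the full-audit round trip.
#
# avc_to_cil: read AVC records (raw audit.log or "ausearch -i" output) on
# stdin and print one CIL allow rule per (source type, target type, class),
# merging the permissions of all records that share that triple.
avc_to_cil() {
    awk '
    /avc: +denied/ {
        # the permissions are the brace-delimited list after "denied"
        if (!match($0, /denied +[{][^}]*[}]/)) next
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied +[{] */, "", perms)
        sub(/ *[}]$/, "", perms)
        # the third colon-separated field of a context is the type
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s SUBSEP t SUBSEP c
        if (!(key in rules)) { rules[key] = ""; order[++n] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) {
            if ((key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            rules[key] = (rules[key] == "" ? p[j] : rules[key] " " p[j])
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], f, SUBSEP)
            printf "(allow %s %s (%s (%s)))\n", f[1], f[2], f[3], rules[order[i]]
        }
    }'
}

# collect_denials: the round trip on a real host (needs root and a running
# auditd). dontaudit rules hide most of the denials in this bug, so the
# policy is rebuilt with them disabled, the reproducer given as arguments is
# run, the recent AVCs are translated, and dontaudit is restored.
# Not executed by the stand-alone run below.
collect_denials() {
    semodule -DB                                   # disable dontaudit, rebuild
    "$@"                                           # e.g. ipa trust-add ...
    ausearch -m AVC -ts recent -i | avc_to_cil     # -i: interpreted records
    semodule -B                                    # restore dontaudit rules
}

# Constructed sample: the two denials quoted in this bug plus one made-up
# follow-on record on the same directory, so that permission merging shows.
sample_denials() {
    cat <<'EOF'
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc: denied { search } for pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:05.790:4235) : avc: denied { getattr open } for pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
EOF
}

# Stand-alone run: print the rules that would go into local_winbindrpcd_krb.cil
# (to load: redirect to that file and run "semodule -i local_winbindrpcd_krb.cil").
sample_denials | avc_to_cil
```

On a live host the output would be collect_denials ipa trust-add --type ad ad.test --admin Administrator --password > local_winbindrpcd_krb.cil, followed by semodule -i on that file. Before loading, check each generated rule against the installed policy with sesearch using the same source, target and class: a rule that merely duplicates an existing dontaudit is noise and can be dropped, while one that grants an access the policy does not have (here the krb5_keytab_t dir search) is the one worth a local module and an upstream report, which is how this bug was resolved.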
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
I backported all relevant commits so that the policy is synchronized with rawhide: https://github.com/fedora-selinux/selinux-policy/pull/1409
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Using: selinux-policy-36.16-1.fc36.noarch. Tested with latest build, it's working as expected.
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
Description of problem:
selinux-policy-36.13-3.fc36.noarch denies { sendto } to command smbcontrol. The consequence is that running ipa trust-add leaves the user with a Kerberos credential cache containing a ticket for cifs/<server> instead of the original one for admin.
Version-Release number of selected component (if applicable):
Fedora 36
freeipa-server-4.11.0.dev-0.fc36.x86_64
selinux-policy-36.13-3.fc36.noarch
How reproducible:
Systematic
Steps to Reproduce:
1. install IPA server with ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --domain-level=1 -U --setup-dns --auto-forwarders --auto-reverse
2. configure as trust domain controller with ipa-adtrust-install -U --enable-compat --netbios-name IPA -a Secret.123 --add-sids
3. obtain an admin ticket with kinit admin
4. add a trust with AD: ipa trust-add --type ad ad.test --admin Administrator --password
5. check the credential cache, it contains a ticket for cifs/master.ipa.test instead of admin
This is reproducible in our nightly tests, see for instance PR #6394 [1] with the test test_sssd [2]. The AVCs can be seen in the audit.log [3].
[1] https://github.com/freeipa/freeipa/pull/6394
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38
[3] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz