Bug 2215335

Summary: On a RHEL system, joined to an IDM domain as a client, enabling IMA causes a resource consumption loop, preventing login and eventually hanging the system
Product: Red Hat Enterprise Linux 9 Reporter: Nate <nlager>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: NEW --- QA Contact: ipa-qe
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.2CC: abokovoy, cheimes, plautrba, rcritten, tscherf, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sosreport before IMA was enabled none

Description Nate 2023-06-15 14:51:50 UTC 
Created attachment 1971011 [details]
sosreport before IMA was enabled

Description of problem:
I am attempting to enable IMA on a RHEL 9.2 system in my lab for some demo work I am doing.  My lab machines are RHEL 9, built from image builder (if that matters), with a very slim package set.  I do join them to my local IDM domain though.  I will attach sosreports if that helps. 

After I enable IMA following our docs
here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel#enabling-integrity-measurement-architecture-and-extended-verification-module_enhancing-security-with-the-kernel-integrity-subsystem
and rebooting (more details in steps to reproduce) my system will not let any user login, either locally at the console, or remotely with ssh, with either a local user, or an IDM user. The moment authentication is entered (wether it is correct or incorrect) the system begins to consume more memory and CPU until it eventually maxes its allotment and hangs. 

I collected the first sosreport (sosreport-att1-2023-06-15-btxywbf-beforeIMA.tar.xz) on my running system, joined to idm. then performed the steps listed in steps to reproduce, the system hangs after the reboot, so I had to then reboot again, remove the IMA kernel args, and get back to a running system.  I collected the second sosreport (sosreport-att1-2023-06-15-bfavyzn-afterIMA.tar.xz) after that, hoping that something may have been logged to help with diagnosis.

If I run the same procedure on a system that has NOT been joined to idm, IMA enables just fine, and the system is not adversely affected.

Version-Release number of selected component (if applicable):
RHEL 9.2 (also happens on 9.1) 
ipa-client-4.10.1-6.el9.x86_64
kernel-5.14.0-284.11.1.el9_2.x86_64

How reproducible:
every time.

Steps to Reproduce:
1. start with an idm joined rhel 9.2 system
2. Following our IMA docs linked above.  reboot, disabling secure boot in the process.
3. run: grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb ima_appraise=fix evm=fix"
4. Reboot
5. Attempt to login to the system (either at the console, or remotely, using a local user or an idm user)

Actual results:
system hangs after entering the password (or accepting the ssh key if logging in with an ssh key remotely), monitoring the system resources (this is a VM) i can see the CPU utilization and memory consumption ratchet up until memory is at 100% and one core is completely utilized (in my case, its a 2-core VM, it gets to 50% utilized, making me believe a single core is completely utilized)

Expected results:
I expect that the login will work, and IMA will be enabled.

Additional info:
Comment 2 Rob Crittenden 2023-06-15 18:29:07 UTC 
The ssh logins a failing to look up authorized keys due to SELinux. Whether this is causing login to fail altogether I can't say. 

type=AVC msg=audit(1685994998.957:300): avc:  denied  { read } for  pid=1848 comm="sshd" name="authorized_keys" dev="dm-1" ino=8388739 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

There are quite a few other SELinux issues reported, though probably unrelated to ipa-client/SSSD.

The SSSD log is reporting issues with DNS:
(0x0040): [RID#1] SRV query failed [11]: Could not contact DNS servers

along with a few other failed DNS queries for the IPA server.

Then it fails to connect to LDAP and the domain is marked offline.

Those are the things that jump out to me.
Comment 3 Alexander Bokovoy 2023-06-19 08:17:24 UTC 
authorized_keys file is under user and admin control. If SELinux labels are wrong, this is a configuration issue. None of IPA configuration code touches authorized_keys file, so this problem is not really IPA related.

I'd suggest to close this bug as NOTABUG. If after fixing wrong labels things still don't work, please start by opening a bugzilla with more specific details against SELinux first.
Comment 4 Nate 2023-06-20 13:45:44 UTC 
A few things of note. 
While I agree that authorized_keys having an improper selinux context could cause remote logins to fail, i would not expect them to fail in this way.

Selinux preventing the read of my authorized_keys would result in a permission denied, and then ssh would fall back to another mechanism.  If no other mechanism is enabled, it would simply reject my remote login.  

In this case, attempting a remote login triggers a  resource consumption loop, where you'll see memory get chunked away until the system is left at 100% memory consumption.  This does not feel like intended behavior. 

Also, my ssh keys are managed by IDM, not files on my filesystem.

Also, this exact same behavior is witnessed when logging in directly, with a username and password, at the vm's console, where no ssh keys are involved.
Comment 5 Petr Lautrbach 2023-08-10 15:10:15 UTC 
type=AVC msg=audit(1685991756.260:54): avc:  denied  { read } for  pid=1150 comm="sshd" name="authorized_keys" dev="dm-1" ino=8388737 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

This AVC is from "sosreport before IMA was enabled" so it should not be related to IMA and it it looks like the system was already mis-labeled (in sense of SELinux) after "1. start with an idm joined rhel 9.2 system".

"unlabeled_t" usually means that the file was created on a system with disabled SELinux.

Are you able to reproduce this on a fresh system?
Are you able to reproduce it after you do the following steps before or after "1. start with an idm joined rhel 9.2 system"?

1. switch system to SELinux to permissive - set SELINUX=permissive in /etc/selinux/config
2. autorelabel the system - fixfiles -F onboot; reboot
3. switch the system back to enforcing - SELINUX=enforcing in /etc/config/selinux
4. reboot
Comment 6 Nate 2023-08-10 15:21:39 UTC 
(In reply to Petr Lautrbach from comment #5)
> type=AVC msg=audit(1685991756.260:54): avc:  denied  { read } for  pid=1150
> comm="sshd" name="authorized_keys" dev="dm-1" ino=8388737
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
> 
> This AVC is from "sosreport before IMA was enabled" so it should not be
> related to IMA and it it looks like the system was already mis-labeled (in
> sense of SELinux) after "1. start with an idm joined rhel 9.2 system".
> 
> "unlabeled_t" usually means that the file was created on a system with
> disabled SELinux.
> 
> Are you able to reproduce this on a fresh system?
> Are you able to reproduce it after you do the following steps before or
> after "1. start with an idm joined rhel 9.2 system"?
> 
> 1. switch system to SELinux to permissive - set SELINUX=permissive in
> /etc/selinux/config
> 2. autorelabel the system - fixfiles -F onboot; reboot
> 3. switch the system back to enforcing - SELINUX=enforcing in
> /etc/config/selinux
> 4. reboot

I can test. 

I will add that these were freshly built RHEL systems, in my lab.  They had no history, selinux has been enabled and enforcing since install.  If the filesystem is mislabeled, its either our install that did it, or the idm client install.
Comment 7 Alexander Bokovoy 2023-08-14 11:06:34 UTC 
The documentation for IMA enablement explicitly says:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel#enabling-integrity-measurement-architecture-and-extended-verification-module_enhancing-security-with-the-kernel-integrity-subsystem (step 12)
---------
Warning

Enabling IMA and EVM without relabeling the system might make the majority of the files on the system inaccessible. 
---------

Did you relabel the system before continuing? 

I think at this point we should wait for your answers. 

If IMA/EVM was enabled after IPA enrollment, IPA is not involved in the issues you are experiencing unless IPA installer triggers creation of files that have no labels in the resulting SELinux policy.

So I'll put NEEDINFO on the reporter due to this and comment 6.
Comment 8 Nate 2023-08-14 13:57:32 UTC 
One point of observation.  During the process of enabling IMA, this failure occurred at step 2.  The notice about relabeling isn't until after step 12.  I never got that far.  But, aside from that. I just tested out relabeling on my att1 system that I used to collect the earlier sosreports. I will attach more sosreports after this description. 

I booted att1 by removing the "ima_policy=appraise_tcb ima_appraise=fix evm=fix" kernel args at boot time by modifying the grub boot entry
After booting, I did the following:
Logged in using my idm credentials. 
sudo touch ./autorelabel
reboot

While booting, I again removed the "ima_policy=appraise_tcb ima_appraise=fix evm=fix" at boot time by modifying the grub boot entry (as I expect the system will still not boot properly if I do not)
I let the system boot, it performed its relabel, and rebooted on its own at the end. 

I again removed "ima_policy=appraise_tcb ima_appraise=fix evm=fix" during the boot process so I was sure I could login and create an sosreport before testing but after performing the relabel.  That sosreport will be attached as:

sosreport-att1-bz2215335-2023-08-14-rurvweh_after-relabel-before-ima.tar.xz

After collecting the sosreport, I rebooted, and let the system boot with the "ima_policy=appraise_tcb ima_appraise=fix evm=fix" in place. 
after the system completed its boot, I attempted to login via the console (as I was at the console anyway) and encountered the exact same memory exhaustion issue that I had before attempting the relabel. 

I then forced a reboot, as the system was unresponsive, again removed "ima_policy=appraise_tcb ima_appraise=fix evm=fix" at boot time by modifying the grub boot entry, and collected a second sosreport after the system booted. That sosreport will be attached as

sosreport-att1-bz2215335-2023-08-14-ryxiqyy_after-relabel-after-ima-failure.tar.xz



I have not yet performed the actions suggested in comment #5, so I will keep the needinfo flag until I have also tried that.
Comment 13 Nate 2023-08-14 16:18:45 UTC 
ok, I have completed the request in commend #5. Here is my log:

---
Made a new vm, we'll call him att4
These libvirt systems are bios by default, so after the initial build I virsh edit'ed it to uefi (with secure boot disabled as the ima enable instructions say to do). i mention this only in case it may matter somehow.

My vm's come from a base image, that comes from the insights image builder.  I built a brand new image for this test (Following my usual standards for disk layout, and some packages I like to have installed), in case there maybe was some imagebuilder bug contributing to the issue.

NOTE: Unless otherwise noted, I am attempting my "test" to see if I have the issue by logging into the vm console directly (not over ssh) with my idm user.  That user's name is 'gangrif'



joined new system to idm domain using the ansible-freeipa module. (this is how I do all of my lab systems that will be idm clients)

Installed all updates (nothing to install)

performed the pre-checks in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel#enabling-integrity-measurement-architecture-and-extended-verification-module_enhancing-security-with-the-kernel-integrity-subsystem

[root@att4 ~]# mount | grep securityfs
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
[root@att4 ~]# dmesg | grep -i -e EVM -e IMA
... snip ...
[    2.965538] systemd[1]: systemd 252-14.el9_2.3 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[    3.690851] device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.
[    7.210946] systemd[1]: systemd 252-14.el9_2.3 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)


Performed step 1 of the ima setup procedure:
grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="ima_policy=appraise_tcb ima_appraise=fix evm=fix"

Then rebooted as Step 2 instructs.


Experienced the same memory exhaustion issue.

Rebooted without ima (by removing the kernel command line args in grub at boot time)
set selinux=permissive (it was set to enforcing, as expected) in /etc/selinux/config

rebooted, with ima enabled, to see if simply leaving selinux permissive would change anything. I experienced the same memory exhaustion issue

Rebooted again, turning off ima at boot time in grub.
logged in, double-checked with getenforce, selinux is in fact permissive.

[gangrif@att4 ~]$ getenforce
Permissive

ran: fixfiles -F onboot, rebooted

It was not clear whether I should have the ima kernel args in place after reboot, so I assumed that we'd like the system to be in a known good state when doing so, so I rebooted, and again disabled ima during boot by removing the kernel args that enable it in grub. Let the sytem do its relabel. The system auto-reboots after the relable, I let it fully boot after that WITHOUT ima enabled.

After the system booted, I set selinux back to enforcing, and rebooted (this time leaving the ima kernel args in place).

after the reboot, i again logged in via the console with my idm user.

The problem persists.  cannot login with idm credentials, system goes into a memory consumption loop eventually consuming all free memory, and 1 entire cpu. This is according to the memory and cpu usage in the rhel web console's virtual machine manager, i have no way to see the actual usage within the vm, as it is un-usable

Rebooted, removing ima at boot time, and collected sosreport-att4-bz2215335-2023-08-14-ixzvvcl.tar.xz (which I will attach shortly)