Bug 2231732
| Summary: | SELinux is preventing ipa-server-guar from 'search' accesses on the directory net. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James <james> | ||||||
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 38 | CC: | dwalsh, james, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:b527f2c07b3cc3cc61c6975dcabd83feba12d783c864ab5730434d8705a5116e;VARIANT_ID=server; | ||||||||
| Fixed In Version: | selinux-policy-38.32-1.fc38 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2024-03-15 01:49:51 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1983200 [details]
File: description
Created attachment 1983201 [details]
File: os_info
James, Can you switch the system to permissive mode and gather all denials? setenforce 0 <reproduce> ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today setenforce 1 Apologies for taking many months to respond.
I don't know exactly what triggers these denials, they seem to happen on boot so I set permissive mode then restarted. The machine is a FreeIPA server selinux-policy-targeted-39.3-1.fc39.noarch which has been re-labelled.
ausearch output, with timestamps since the prior boot:
type=AVC msg=audit(13/01/24 21:19:33.612:137) : avc: denied { search } for pid=1491 comm=ipa-server-guar name=net dev="proc" ino=2405 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/01/24 21:19:33.612:138) : avc: denied { read } for pid=1491 comm=ipa-server-guar name=disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:33.612:139) : avc: denied { open } for pid=1491 comm=ipa-server-guar path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:33.612:140) : avc: denied { getattr } for pid=1491 comm=ipa-server-guar path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.455:145) : avc: denied { read } for pid=1553 comm=dogtag-ipa-ca-r name=disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.455:146) : avc: denied { open } for pid=1553 comm=dogtag-ipa-ca-r path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.456:147) : avc: denied { getattr } for pid=1553 comm=dogtag-ipa-ca-r path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.553:148) : avc: denied { search } for pid=1521 comm=dogtag-ipa-ca-r name=net dev="proc" ino=2405 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.964:155) : avc: denied { read } for pid=1559 comm=dogtag-ipa-ca-r name=disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.969:156) : avc: denied { open } for pid=1559 comm=dogtag-ipa-ca-r path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:34.969:157) : avc: denied { getattr } for pid=1559 comm=dogtag-ipa-ca-r path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:35.016:158) : avc: denied { search } for pid=1553 comm=dogtag-ipa-ca-r name=net dev="proc" ino=2405 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/01/24 21:19:35.336:160) : avc: denied { search } for pid=1556 comm=dogtag-ipa-ca-r name=net dev="proc" ino=2405 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(13/01/24 21:19:35.336:161) : avc: denied { read } for pid=1556 comm=dogtag-ipa-ca-r name=disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:35.336:162) : avc: denied { open } for pid=1556 comm=dogtag-ipa-ca-r path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:35.336:163) : avc: denied { getattr } for pid=1556 comm=dogtag-ipa-ca-r path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=12111 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13/01/24 21:19:39.139:173) : avc: denied { name_bind } for pid=2120 comm=rpcbind src=62779 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
----
type=USER_AVC msg=audit(13/01/24 21:19:43.652:188) : pid=1107 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(13/01/24 21:19:43.654:189) : pid=1107 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
(Or is this a FreeIPA bug?)
Thank you. There are 3 buckets of denials: 1. certmonger - will be added to the policy 2. avahi dbus - requires to turn the httpd_dbus_avahi boolean on 3. a bug in rpcbind, already reported FEDORA-2024-d1d8ba7222 (selinux-policy-38.32-1.fc38) has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-d1d8ba7222 FEDORA-2024-d1d8ba7222 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-d1d8ba7222` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-d1d8ba7222 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2024-d1d8ba7222 (selinux-policy-38.32-1.fc38) has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: SELinux is preventing ipa-server-guar from 'search' accesses on the directory net. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ipa-server-guar should be allowed search access on the net directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ipa-server-guar' --raw | audit2allow -M my-ipaserverguar # semodule -X 300 -i my-ipaserverguar.pp Additional Information: Source Context system_u:system_r:certmonger_t:s0 Target Context system_u:object_r:sysctl_net_t:s0 Target Objects net [ dir ] Source ipa-server-guar Source Path ipa-server-guar Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch Local Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.4.9-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Aug 8 21:21:11 UTC 2023 x86_64 Alert Count 1476 First Seen 2023-07-13 20:09:00 BST Last Seen 2023-08-12 13:56:24 BST Local ID f3e3f090-022f-45d2-9c11-2205ae4d34dc Raw Audit Messages type=AVC msg=audit(1691844984.141:222): avc: denied { search } for pid=1513 comm="dogtag-ipa-ca-r" name="net" dev="proc" ino=2356 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 Hash: ipa-server-guar,certmonger_t,sysctl_net_t,dir,search Version-Release number of selected component: selinux-policy-targeted-38.24-1.fc38.noarch Additional info: reporter: libreport-2.17.11 reason: SELinux is preventing ipa-server-guar from 'search' accesses on the directory net. package: selinux-policy-targeted-38.24-1.fc38.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.4.9-200.fc38.x86_64 component: selinux-policy