Bug 2265378

Summary: Allow "map" operation for "krb5kdc_t" processes on "krb5kdc_principal_t" files
Product: [Fedora] Fedora Reporter: Julien Rische <jrische>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-03-13 10:19:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2265339    

Description Julien Rische 2024-02-21 17:53:58 UTC
We are switching from Berkeley DB to LMDB as default database format for MIT Kerberos. However, after initializing or migrating the database, the krb5kdc daemon is unable to start:

  krb5kdc[1679](info): shutting down
  krb5kdc[1784](Error): LMDB environment open failure (path: /var/kerberos/krb5kdc/principal.mdb): Permission denied - while initializing database for realm EXAMPLE.COM

This failure does not occur when running in permissive mode.

The file contexts seem to be configured properly:

  # ls -lZ /var/kerberos/krb5kdc/
  total 104
  -rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0             41 Feb 21 12:30 kadm5.acl
  -rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0            793 Feb 21 12:20 kdc.conf
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0 45056 Feb 21 12:32 principal.lockout.mdb
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0  8192 Feb 21 12:44 principal.lockout.mdb-lock
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0 45056 Feb 21 12:32 principal.mdb
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0  8192 Feb 21 12:44 principal.mdb-lock

In permissive mode, the only SELinux rule violation reported is:

  # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR | grep -E '(krb5kdc_t|kadmind_t)'
  type=AVC msg=audit(1708536086.456:512): avc:  denied  { map } for  pid=1677 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.mdb-lock" dev="vda2" ino=262184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=1

Here is the list of rules for krb5kdc_t to krb5kdc_principal_t:

  # sesearch --allow --source krb5kdc_t --target krb5kdc_principal_t
  allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:file map; [ domain_can_mmap_files ]:True
  allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
  allow krb5kdc_t file_type:filesystem getattr;
  allow krb5kdc_t krb5kdc_principal_t:file { append getattr ioctl lock open read write };

Is this issue occurring because the "map" operation is not allowed by the "allow krb5kdc_t krb5kdc_principal_t:file" rule?

Reproducible: Always

Comment 1 Zdenek Pytela 2024-02-21 18:41:35 UTC
Correct, map is a separate permission.

Comment 2 Julien Rische 2024-03-12 16:22:35 UTC
Hello Zdenek,

Do you know when we could expect this change to be released? An approximative date would help us for planning.

Thank you in advance!

Comment 3 Zdenek Pytela 2024-03-12 17:13:07 UTC
The build already exists since 2 weeks ago, but got stuck somewhere in the testing process.
I'll take a look.

Comment 4 Zdenek Pytela 2024-03-13 12:53:59 UTC
The build should be available since today morning, sorry for the delay.

Comment 5 Julien Rische 2024-03-14 17:18:41 UTC
I tested update FEDORA-2024-323decc1d9[1], which added the "map" permission indeed, but it also removed the "lock" one:

  # sesearch --allow --source krb5kdc_t --target krb5kdc_principal_t
  allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:file map; [ domain_can_mmap_files ]:True
  allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
  allow krb5kdc_t file_type:filesystem getattr;
  allow krb5kdc_t krb5kdc_principal_t:file { getattr ioctl map open read write };

The list changed from { append getattr ioctl lock open read write } to { getattr ioctl map open read write }. Would it be possible to keep all the permissions from the initial list, and add the "map" one?


[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-323decc1d9

Comment 6 Julien Rische 2024-03-14 17:32:57 UTC
The missing "lock" permission aside, I noticed there are other cases where daemons create files with invalid context, and some other permissions seem to be missing. I will create another bugzilla for these issues.

Comment 7 Zdenek Pytela 2024-03-14 17:55:30 UTC
(In reply to Julien Rische from comment #5)
> I tested update FEDORA-2024-323decc1d9[1], which added the "map" permission
> indeed, but it also removed the "lock" one:
> 
>   # sesearch --allow --source krb5kdc_t --target krb5kdc_principal_t
>   allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
>   allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
>   allow domain file_type:file map; [ domain_can_mmap_files ]:True
>   allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
>   allow krb5kdc_t file_type:filesystem getattr;
>   allow krb5kdc_t krb5kdc_principal_t:file { getattr ioctl map open read
> write };
> 
> The list changed from { append getattr ioctl lock open read write } to {
> getattr ioctl map open read write }. Would it be possible to keep all the
> permissions from the initial list, and add the "map" one?
Certainly. There seems to be a general problem in policy macros, I replaced
rw_file_perms with mmap_rw_file_perms, not noticing that the latter has unexpectedly different content:

172 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
173 define(`rw_file_perms',`{ open rw_inherited_file_perms }')
174 define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
175 define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')

Thanks for spotting this. On the other hand, note it is easy to miss an update to a bz which is in late stage (say POST and later), so it's better to create a new bz.

Comment 8 Julien Rische 2024-03-15 13:36:40 UTC
Just mentioning I gave -1 karma to the FEDORA-2024-323decc1d9[1] update because I tested it with the current MIT krb5 version (which is using Berkeley DB), and it is breaking it too:

  # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR | grep -E '(krb5kdc_t|kadmind_t)'
  type=AVC msg=audit(1710509353.206:154): avc:  denied  { lock } for  pid=857 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.kadm5.lock" dev="vda2" ino=262657 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=0

The "lock" permission is required for this DB backend too.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-323decc1d9