Bug 429999

Summary: SELinux policies for all server components
Product: [Retired] freeIPA
Reporter: Chandrasekar Kannan <ckannan>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.0
CC: benl, mgregg, rcritten, ssorce, yzhang
Hardware: All
OS: Linux
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:13:48 UTC
Bug Blocks: 246164, 429034

Attachments (description, flags):
- patch submitted by Dan Walsh (none)
- Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui (none)
- fix for RHEL 5 contributed by Dan Walsh (none)

Description Chandrasekar Kannan 2008-01-24 06:28:24 UTC
Ticket #44 (new enhancement)

Opened 3 months ago
SELinux policies for all server components
Reported by: kmacmill
Assigned to: kmacmill
Priority: major
Milestone: release-1
Component: ipa-server

Comment 3 Rob Crittenden 2008-02-07 15:59:55 UTC
Created attachment 294221 [details]
patch submitted by Dan Walsh

Karl submitted a patch to handle ipa-webgui and ipa-kpasswd before he left.

Dan reviewed it and changed a few things: added auth_use_nsswitch() and removed
rules that are covered by this interface.

We have since made some changes, including renaming ipa-* to ipa_*, adding
sessions, pid files and a few other things.

Comment 4 Rob Crittenden 2008-02-08 16:15:12 UTC
Created attachment 294372 [details]
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui

Comment 5 Rob Crittenden 2008-02-20 15:01:22 UTC
Committed in changeset 644

Comment 6 Rob Crittenden 2008-02-20 15:01:41 UTC
Fails to compile on RHEL 5

Comment 7 Rob Crittenden 2008-02-20 17:54:09 UTC
Created attachment 295432 [details]
fix for RHEL 5 contributed by Dan Walsh

Comment 8 Rob Crittenden 2008-02-20 17:54:41 UTC
Committed in changeset 661

Comment 9 Simo Sorce 2008-03-04 19:46:05 UTC
With SELinux Enforcing I get the following audit.log denial and ipa_webgui does
not start (latest QE packages):

type=AVC msg=audit(1204659871.334:213): avc:  denied  { search } for  pid=12765
comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418
scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=dir
type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no
exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0
key=(null)

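An added example (not code from the bug or from the freeIPA project) showing how the denial above would be read before deciding on a policy fix: it pairs the AVC record with its SYSCALL record by audit serial and builds the raw allow rule that audit2allow would print for it. The sample input is the two records from comment 9, re-joined onto single lines as audit.log writes them.

```python
import re
from collections import defaultdict

# Constructed sample input: the two records from comment 9, each re-joined onto a
# single line as audit.log writes them (the bug report wrapped them).
SAMPLE_LOG = (
    'type=AVC msg=audit(1204659871.334:213): avc:  denied  { search } for  pid=12765 '
    'comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 '
    'scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0 key=(null)\n'
)

# Every audit record starts with its type and a (timestamp:serial) pair; records
# that belong to the same event (here the AVC and its SYSCALL) share the serial.
HEAD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per event that carries an AVC denial, with the key=value
    fields of every record sharing that serial merged in (exe, exit, comm, ...)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if not head:
            continue  # not an audit record (e.g. a truncated or blank line)
        ev = events[head.group('serial')]
        ev.update({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
        perms = PERMS_RE.search(line)
        if head.group('type') == 'AVC' and perms:
            ev['denied'] = sorted(perms.group(1).split())
    return [ev for ev in events.values() if 'denied' in ev]

def type_of(context):
    """Extract the type from a user:role:type:level SELinux security context."""
    return context.split(':')[2]

def allow_rule(ev):
    """The raw allow rule that would silence this denial, as audit2allow prints it.
    Check whether an existing policy interface already covers the access first."""
    return 'allow %s %s:%s { %s };' % (
        type_of(ev['scontext']), type_of(ev['tcontext']),
        ev['tclass'], ' '.join(ev['denied']))

if __name__ == '__main__':
    for ev in parse_denials(SAMPLE_LOG):
        print('%s (%s) exit=%s: %s' % (ev['comm'], ev['exe'], ev['exit'], allow_rule(ev)))
```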

Comment 10 Rob Crittenden 2008-03-04 20:34:55 UTC
Pushed as changeset 707

Comment 11 Chandrasekar Kannan 2008-04-08 20:19:31 UTC
We are running OK with SELinux enabled. No AVCs seen so far with today's build.

Marking bug verified.