Bug 612800
Summary: | SELinux is preventing /usr/sbin/ipa_kpasswd "name_bind" access . | |
---|---|---|---
Product: | Fedora | Reporter: | David O'Brien <daobrien>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 12 | CC: | dpal, dwalsh, mgrepl, rcritten, rvokal, ssorce
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i386 | |
OS: | Linux | |
Whiteboard: | setroubleshoot_trace_hash:225c966558684237da671a8fcd9942e9c600c4511296971436f5e398238af789 | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-10-14 06:46:59 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
David O'Brien
2010-07-09 04:29:37 UTC
Strange. I can't reproduce this on my x86_64 system and we've never seen this AVC before. It is basically saying it can't bind to the kpasswd TCP port because it lacks permission. In theory this should be affecting all versions of IPA but it isn't.

Rob, this is something that should be allowed. We added this port definition in F13 to allow the login programs to connect to the password changing port, rather than all of the kadmind ports. I think you need to remove the ability for ipa_kpasswd_t to bind to kadmind ports and allow it to bind to kerberos_password_port. If you are shipping the same package for all platforms you could add a gen_requires block, requiring kerberos_password_port_t:

```
optional_policy(`
	gen_require(`
		type kerberos_password_port_t;
	')
	corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
')
```

Which should work on all platforms.

This fails to build on F-12:

```
Compiling targeted ipa_kpasswd module
ipa_kpasswd.te:62: Warning: corenet_non_ipsec_sendrecv(ipa_kpasswd_t) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/ipa_kpasswd.tmp
ipa_kpasswd.te":73:ERROR 'syntax error' at token 'corenet_tcp_bind_kerberos_password_port' on line 13849:
#line 73
corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[1]: *** [tmp/ipa_kpasswd.mod] Error 1
```

Just add

```
optional_policy(`
	gen_require(`
		type kerberos_password_port_t;
	')
	corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
')
```

Dan, that's the exact code I pasted into the ipa_kpasswd.te file. It is failing to build.

```
selinux-policy-targeted-3.6.32-118.fc12.noarch
selinux-policy-3.6.32-118.fc12.noarch
```

Ah ok, you build on F12. If you build on F13 will it install on F12?

I haven't tried but that isn't our model. We will build this in koji for each platform.

Miroslav, can you back port the kerberos_password_port_t code into the F12 policy?

Miroslav, Dan, was this backported to F12? Otherwise is there a way to make some SELinux rules conditional so that we can have an "if (< F13) {... else ...}" logic?

Still see it on F13.

```
Summary:

SELinux is preventing /usr/sbin/ipa_kpasswd "name_bind" access .

Detailed Description:

SELinux denied access requested by ipa_kpasswd. It is not expected that this
access is required by ipa_kpasswd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipa_kpasswd_t:s0
Target Context                system_u:object_r:kerberos_password_port_t:s0
Target Objects                None [ udp_socket ]
Source                        ipa_kpasswd
Source Path                   /usr/sbin/ipa_kpasswd
Port                          464
Host                          lenovo.home
Source RPM Packages           ipa-server-1.91-0.2010100820gitdccb386.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-62.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     lenovo.home
Platform                      Linux lenovo.home 2.6.34.7-56.fc13.i686 #1 SMP Wed
                              Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   20
First Seen                    Mon 11 Oct 2010 02:17:56 PM EDT
Last Seen                     Mon 11 Oct 2010 04:15:49 PM EDT
Local ID                      1ae5c07f-dc76-49dc-afe2-6ed00d272a1f
Line Numbers

Raw Audit Messages

node=lenovo.home type=AVC msg=audit(1286828149.415:24260): avc: denied { name_bind } for pid=4802 comm="ipa_kpasswd" src=464 scontext=unconfined_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=udp_socket

node=lenovo.home type=SYSCALL msg=audit(1286828149.415:24260): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfd70040 a2=8461078 a3=804d761 items=0 ppid=1 pid=4802 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=unconfined_u:system_r:ipa_kpasswd_t:s0 key=(null)
```

The problem isn't F13, it's F12. We have a single SELinux policy and since this variable doesn't exist in F12 we can't fix it for F13+ (unless, as Simo has asked, we can do a conditional somehow).

(In reply to comment #12)
> The problem isn't F13, it's F12. We have a single SELinux policy and since this
> variable doesn't exist in F12 we can't fix it for F13+ (unless as Simo has
> asked we can do a conditional somehow).

```
# rpm -q selinux-policy
selinux-policy-3.6.32-123.fc12.noarch
# semanage port -l | grep kerberos_password_port_t
kerberos_password_port_t       tcp      464
kerberos_password_port_t       udp      464
# cat local.te
policy_module(local, 1.0)

type ipa_kpasswd_t;
domain_type(ipa_kpasswd_t)

optional_policy(`
	gen_require(`
		type kerberos_password_port_t;
	')
	corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
')
```

The local.pp policy module works. So it should work also for you.
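As an added example (not code from this bug thread, nor from the IPA or selinux-policy projects), a small Python helper that parses the raw AVC record quoted above and derives the refpolicy corenet interface a local module would need for a port name_bind denial. It assumes refpolicy's network_port() naming convention, under which kerberos_password_port_t has both a corenet_tcp_bind_… and a corenet_udp_bind_… interface, and picks the udp one here because the denial's tclass is udp_socket; the interface still has to exist in the installed policy headers, which is exactly why the same optional_policy/gen_require block failed to build on F12 in the thread.

```python
import re

# Constructed sample input: the AVC record quoted in the bug, rejoined onto one line.
SAMPLE_AVC = (
    'node=lenovo.home type=AVC msg=audit(1286828149.415:24260): avc: denied '
    '{ name_bind } for pid=4802 comm="ipa_kpasswd" src=464 '
    'scontext=unconfined_u:system_r:ipa_kpasswd_t:s0 '
    'tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=udp_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one audit AVC record into its permission list and key=value fields.
    Returns None for records that are not AVC denials (e.g. the SYSCALL line)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level, so the type is the third field.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def bind_interface(avc):
    """Name the corenet interface that grants this name_bind denial. Assumes the
    refpolicy convention (hypothetical for any port type not generated by
    network_port()): <name>_port_t is bound via corenet_<proto>_bind_<name>_port."""
    if 'name_bind' not in avc['perms'] or avc['tclass'] not in ('tcp_socket', 'udp_socket'):
        return None
    if not avc['ttype'].endswith('_port_t'):
        return None
    proto = avc['tclass'].split('_')[0]          # 'tcp' or 'udp'
    name = avc['ttype'][:-len('_port_t')]         # 'kerberos_password'
    return 'corenet_%s_bind_%s_port' % (proto, name)


def te_snippet(avc):
    """Render the optional_policy/gen_require wrapper used in the bug. Note that
    gen_require only covers the port *type*; the interface macro itself must be
    defined in the installed policy headers or checkmodule reports a syntax error."""
    iface = bind_interface(avc)
    if iface is None:
        return None
    return ("optional_policy(`\n\tgen_require(`\n\t\ttype %s;\n\t')\n\t%s(%s)\n')\n"
            % (avc['ttype'], iface, avc['stype']))
```

Run te_snippet(parse_avc(SAMPLE_AVC)) to get the block; the output differs from the one pasted in the thread only in using the udp bind interface that this particular denial calls for.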