Bug 680510

Summary: Certmonger: SELinux AVCs reading krb5 keytab file
Product: [Fedora] Fedora Reporter: Jenny Severance <jgalipea>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14
CC: benl, dpal, dwalsh, mgrepl, nalin, rcritten
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.9.7-37.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-22 18:52:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jenny Severance 2011-02-25 18:33:14 UTC
Description of problem:
# cat /var/log/audit/audit.log | audit2allow

#============= certmonger_t ==============
allow certmonger_t krb5_keytab_t:file read;

type=AVC msg=audit(1298398923.421:39879): avc:  denied  { read } for  pid=26593 comm="ipa-submit" name="krb5.keytab" dev=dm-0 ino=146467 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1298398923.421:39879): arch=40000003 syscall=5 success=no exit=-13 a0=8bf8518 a1=0 a2=1b6 a3=541e38 items=0 ppid=26572 pid=26593 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

Version-Release number of selected component (if applicable):
freeipa-client-2.0-0.20110222T1504Zgit744eb8e.fc14.i686
certmonger-0.30-4.fc14.i686

How reproducible:

Steps to Reproduce:
1. install ipa client
2. check the audit log

Actual results:

Expected results:

Additional info:
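The AVC record in this report is the kind of input audit2allow condenses into the proposed allow rule. As an added example (not code from the bug report, certmonger or selinux-policy), the following Python parses AVC denial records from audit.log text, groups them by source type, target type and object class, and emits audit2allow-style rules so a reviewer can see exactly which access a policy change would grant before deciding whether it is legitimate. The first sample line is the record from the report; the second is constructed to show how permissions merge.

```python
import re
from collections import defaultdict

# Constructed sample log: line 1 is the AVC record from the bug report,
# line 3 is a made-up second denial for the same subject/object pair.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1298398923.421:39879): avc:  denied  { read } for  pid=26593 comm="ipa-submit" name="krb5.keytab" dev=dm-0 ino=146467 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1298398923.421:39879): arch=40000003 syscall=5 success=no exit=-13 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit"
type=AVC msg=audit(1298398940.100:39880): avc:  denied  { open } for  pid=26593 comm="ipa-submit" name="krb5.keytab" dev=dm-0 ino=146467 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
"""

# Fields of an AVC denial record that matter for policy review.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type component (user:role:type:level) of an SELinux context."""
    return ctx.split(":")[2]

def parse_avc_denials(log_text):
    """Yield one dict per AVC denial record; non-AVC records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": set(m.group("perms").split()),
                "comm": m.group("comm"),
                "source": context_type(m.group("scontext")),
                "target": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            }

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), merging permissions,
    and render each group as the allow rule audit2allow would propose."""
    grouped = defaultdict(set)
    for d in parse_avc_denials(log_text):
        grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = {}
    for (src, tgt, cls), perms in grouped.items():
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules[(src, tgt, cls)] = f"allow {src} {tgt}:{cls} {perm_str};"
    return rules

if __name__ == "__main__":
    for rule in summarize_denials(SAMPLE_AUDIT_LOG).values():
        print(rule)
```

Running the parser over only the first line of the sample reproduces the single rule audit2allow printed in the report; the merged output shows why reviewing the full set of denied permissions per pair matters before widening policy.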

Comment 1 Nalin Dahyabhai 2011-02-25 19:03:43 UTC
ipa-submit wants to authenticate as the client system when it submits the
signing request to the IPA server's XML-RPC service, and it uses the keys in
the keytab to obtain the creds that it uses to do so.  I think this should be
allowed by policy.  (We could lock it down further if we built policy for each
of the CA-type-specific helpers, but I guess we're not there yet.)

Comment 2 Daniel Walsh 2011-02-25 20:42:16 UTC
One of the AVCs is being caused by the coolkey package not including the /var/cache/coolkey directory within its payload.

If you simply add this directory, rpm will label the directory correctly, auth_cache_t, which certmonger_t can currently read and write.

Comment 3 Daniel Walsh 2011-02-25 20:43:34 UTC
oops wrong bug.

Miroslav, please backport certmonger.* to F13, F14, RHEL6.

Comment 4 Miroslav Grepl 2011-03-07 23:59:16 UTC
Fixed in selinux-policy-3.9.7-33.fc14

Comment 5 Rob Crittenden 2011-03-15 18:54:09 UTC
Can an update be created so this can land in F-14?

Comment 6 Fedora Update System 2011-03-18 15:07:23 UTC
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14

Comment 7 Fedora Update System 2011-03-21 08:45:21 UTC
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14

Comment 8 Fedora Update System 2011-03-22 18:50:57 UTC
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.