Bug 702020

Summary: selinux denial for httpd when it tries to access pki-ca (on a remote machine)
Product: Red Hat Enterprise Linux 6
Reporter: Kashyap Chamarthy <kchamart>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Priority: unspecified
Version: 6.1
CC: alee, ckannan, dlackey, dpal, dwalsh, jgalipea, jskeoch, kevinu, syeghiay
Target Milestone: rc
Keywords: Documentation, Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-21 23:13:40 UTC
Bug Blocks: 702988

Description Kashyap Chamarthy 2011-05-04 14:47:06 UTC
Description of problem:
selinux denial for httpd when it tries to access pki-ca (on a remote machine)

Version-Release number of selected component (if applicable):
mod_nss-1.0.8-12.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
0. Ensure SELinux is Enforcing
1. Configure mod_revocator, with CRL checking on

-------------
#cat /etc/httpd/conf.d/revocator.conf 
LoadModule rev_module modules/mod_rev.so
CRLEngine on
CRLAgeCheck off
CRLUpdateCritical off
CRLHelper /usr/bin/crlhelper
CRLFile http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;1;1
--------------
2. Restart httpd


Actual results:

Error log info with selinux in Enforcing and Permissive:
#######################################################################
[root@shark alias]# getenforce 
Enforcing
################################################
[root@shark alias]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
################################################
[root@shark alias]# tail /var/log/httpd/error_log
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[root@shark alias]# cat /var/log/audit/audit.log | audit2allow -R

require {
	type httpd_t;
}

#============= httpd_t ==============
corenet_tcp_connect_pki_ca_port(httpd_t)

#######################################################################
[root@shark alias]# setenforce 0
################################################
[root@shark alias]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
################################################
[root@shark alias]# tail /var/log/httpd/error_log
[Wed May 04 04:33:10 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Wed May 04 04:33:10 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[root@shark alias]# 
#######################################################################

Comment 2 Ade Lee 2011-05-04 16:21:26 UTC
So the workaround is to add the relevant selinux rule.

You can do this following the instructions at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Two ways:

audit2allow -a -M revoker
semodule -i revoker


Or, you can set a selinux boolean:

setsebool  httpd_can_network_connect on

Comment 3 Ade Lee 2011-05-04 16:22:28 UTC
actually that should be:

semodule -i revoker.pp

Comment 4 RHEL Program Management 2011-05-05 06:00:21 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 6 Rob Crittenden 2011-05-09 14:38:36 UTC
I think this is a doc issue with the range of fixes being what Ade said. 9180 is a non-standard port which is why SELinux is complaining.

Comment 8 Ade Lee 2011-05-10 19:45:10 UTC
This isn't really a bug per se, so much as a doc issue.  You are trying to access a specific non-standard port that is protected by selinux and need to add a rule to allow this access.  This is, I think, a fairly standard selinux operation?

An example of when this happens, is when Kashyap was doing whatever testing he was doing with mod_revocator.

Consequence: Access is denied to the port (9180).

Workaround:  See comment #2 above. Two ways are provided to allow the relevant access.

Result: Access is provided.  No restrictions.

Comment 11 Ade Lee 2011-06-08 13:40:45 UTC
I checked on a 6.1 system with neither ipa or dogtag installed.

There are several ports (including 9180) that appear to be defined as pki_ca_t.
This means that the ports are defined within core selinux policy.

As an aside, I confirmed with Kashyap that he used a 6.1 machine with only mod_revocator installed.

This means that this is a core selinux policy bug.  Either we need to remove the port designation from core selinux policy, or we need to add the relevant rules to allow mod_revocator to work.

On a dogtag system, this is not an issue because the selinux policy generated by dogtag on the fly creates rules for the required access.

Comment 12 Dmitri Pal 2011-06-08 15:06:24 UTC
Dan, please update the policy.

Comment 13 Daniel Walsh 2011-06-10 03:01:05 UTC
This is not an SELinux bug.  If you want to install your package then you either need to tell apache it can connect to any port.   Or you need to add a custom policy.  We are not going to ship policy that lets every apache server connect to the pki_ca_port.

corenet_tcp_connect_pki_ca_port(httpd_t)

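The two workarounds in comment 2/3 and the narrow rule Dan quotes in comment 13 can be put together as a small script. The following is an added example written for this page, not code from the bug report, mod_revocator or the SELinux policy project. It starts from a constructed AVC line (the report only shows audit2allow's summary; the pid, timestamp and serial number are invented, the port and contexts match the bug), extracts the denied port type, and emits a custom policy module that allows exactly httpd_t -> pki_ca_port_t name_connect rather than flipping httpd_can_network_connect, which would let httpd connect to every port. The build step only runs if checkmodule/semodule are installed; otherwise it prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the bug report. Generates the narrow SELinux
# module Dan Walsh describes (corenet_tcp_connect_pki_ca_port(httpd_t))
# from a denial line, instead of the broad httpd_can_network_connect boolean.

# Constructed sample AVC denial modelled on this bug (pid, timestamp and
# serial are made up; dest=9180 and the contexts match the report).
SAMPLE_AVC='type=AVC msg=audit(1304519513.217:302): avc:  denied  { name_connect } for  pid=4411 comm="httpd" dest=9180 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket'

# avc_port_type LINE -> prints the target port type from tcontext (pki_ca_port_t)
avc_port_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# avc_dest_port LINE -> prints the destination port number (9180)
avc_dest_port() {
    printf '%s\n' "$1" | sed -n 's/.*dest=\([0-9]*\).*/\1/p'
}

# gen_te MODULE LINE -> prints a .te source allowing only the denied access.
# This is the raw-rule form of corenet_tcp_connect_pki_ca_port(httpd_t), so
# checkmodule can build it without the refpolicy development headers.
gen_te() {
    mod="$1"; ptype=$(avc_port_type "$2")
    cat <<EOF
module $mod 1.0;

require {
    type httpd_t;
    type $ptype;
    class tcp_socket name_connect;
}

# Narrow alternative to: setsebool -P httpd_can_network_connect on
allow httpd_t $ptype:tcp_socket name_connect;
EOF
}

# build_and_load MODULE TE_FILE -> compiles and installs the module when the
# SELinux tools exist; otherwise reports the commands it would have run.
build_and_load() {
    mod="$1"; te="$2"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$mod.mod" "$te"
        semodule_package -o "$mod.pp" -m "$mod.mod"
        semodule -i "$mod.pp"
        # confirm the port really carries the type the rule names
        semanage port -l | grep pki_ca
    else
        echo "SELinux tools not found; would run:"
        echo "  checkmodule -M -m -o $mod.mod $te"
        echo "  semodule_package -o $mod.pp -m $mod.mod"
        echo "  semodule -i $mod.pp"
    fi
}

main() {
    tmp=$(mktemp -d)
    gen_te revoker "$SAMPLE_AVC" > "$tmp/revoker.te"
    echo "denied port: $(avc_dest_port "$SAMPLE_AVC") ($(avc_port_type "$SAMPLE_AVC"))"
    build_and_load revoker "$tmp/revoker.te"
}

main
```

On a real host, feed the actual denial with something like `ausearch -m avc -c httpd` instead of the constructed line, and read the generated .te before loading it: the point of the module approach over the boolean is that the allow rule names one port type only.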
Comment 14 RHEL Program Management 2011-06-10 03:14:56 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Comment 15 Dmitri Pal 2011-06-10 13:36:03 UTC
Then it is an IPA bug.

Comment 16 Dmitri Pal 2011-06-10 13:40:27 UTC
https://fedorahosted.org/freeipa/ticket/1316

Comment 17 Rob Crittenden 2011-06-10 15:22:53 UTC
This is not an IPA bug.

We do not configure mod_revocator by default, therefore we do not allow the port.

As Ade said, this is a documentation issue. Anyone wanting to use the IPA CA for OCSP or CRL retrieval will need to LOCALLY allow Apache to communicate on that port as an HTTP client.

Comment 18 Dmitri Pal 2011-06-10 16:30:25 UTC
Locally meaning 

"If you want to use IPA CA for OCSP or CRL retrieval, configure your client software to be able to access the remote service. If the client is for example an Apache application leveraging mod_revocator, the SELinux policies on the client should be adjusted to allow Apache access to the IPA server. By default SELinux policies would prevent such communication."

Is this the correct statement?

Comment 19 Rob Crittenden 2011-06-10 17:47:10 UTC
It is though I wonder if the word client is going to confuse people. They may not consider that mod_revocator in this case is the client. I tried to mock up something better but wasn't able to in any sort of concise way.

Comment 20 Deon Ballard 2011-08-16 19:17:42 UTC
Re-assigning to me as a doc bug.

Comment 21 Deon Ballard 2011-11-15 02:37:49 UTC
Setting to ON_QA for review for 6.2.

This is a bulk change, so I'm not providing links at this time. If you need help finding the info, ping sunny-dee on #docs or email me.

Thanks!

Comment 23 Deon Ballard 2012-06-21 23:13:40 UTC
Closing.