Bug 737516
| Summary: | ipa-server files with incorrect selinux context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Karel Srot <ksrot> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | benl, dpal, dwalsh, grajaiya, jgalipea, mgrepl, mkosek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.1.1-2.el6 | Doc Type: | Bug Fix |
| Doc Text: | Do not document | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 18:31:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 743047 | ||
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1779

Can you provide the output of:

# semodule -l |grep ipa

Unfortunately I have already returned the server. On another one I can see just /usr/sbin/ipa_kpasswd; the other two files are missing. The context is wrong, anyway.

# ls -Z /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/ipa_kpasswd
# semodule -l |grep ipa
ipa_dogtag 1.4
ipa_httpd 1.2
ipa_kpasswd 1.0

What is strange is that this should be covered by ipa_kpasswd.fc:

/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)

The module is inserted in %post with:

semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp

I can't reproduce this; what version of selinux-policy do you have installed?

Tested on RHEL6.2 alpha with selinux-policy-3.7.19-109.el6.

Same result with the latest selinux-policy-3.7.19-110.el6.noarch:

# yum -y install ipa-server &> /dev/null
# ls -Z /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/ipa_kpasswd
# rpm -q selinux-policy ipa-server
selinux-policy-3.7.19-110.el6.noarch
ipa-server-2.1.1-1.el6.x86_64

Now that the dependent packages are updated in RHEL 6.2, I am seeing this. Is it the same or different? ...
Info: Searching AVC errors produced since 1316094012.45 (Thu Sep 15 09:40:12 2011)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/15/2011 09:40:12 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.Tz3Xv8 2>&1'
----
time->Thu Sep 15 09:40:18 2011
type=SYSCALL msg=audit(1316094018.032:245135): arch=c000003e syscall=2 success=no exit=-13 a0=f36b20 a1=2c1 a2=180 a3=65726373662f7274 items=0 ppid=26807 pid=31281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1316094018.032:245135): avc: denied { write } for pid=31281 comm="krb5_child" name="krb5rcache" dev=dm-0 ino=1704819 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=dir
----
time->Thu Sep 15 09:41:23 2011
type=SYSCALL msg=audit(1316094083.291:245140): arch=c000003e syscall=2 success=no exit=-13 a0=1a69860 a1=2c1 a2=180 a3=65726373662f7274 items=0 ppid=26807 pid=31812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1316094083.291:245140): avc: denied { write } for pid=31812 comm="krb5_child" name="krb5rcache" dev=dm-0 ino=1704819 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=dir
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Tz3Xv8 | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.w77E0j 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-110.el6.noarch
Miroslav, we need to change kerberos_manage_host_rcache to use

+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)

Needed in RHEL6, F14-16.

Added. Thanks!!

Jenny, those are from sssd, but glad they are taken care of.

I've reproduced this. It is the strangest thing. A restorecon sets the proper context, but I'm not sure why it isn't getting set in the rpm post.

# ls -lZ /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/ipa_kpasswd
# restorecon /usr/sbin/ipa_kpasswd
# ls -lZ /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:ipa_kpasswd_exec_t:s0 /usr/sbin/ipa_kpasswd

This is happening in Fedora 15 as well. I guess we missed it because we aren't seeing any AVCs as a result.
Dan, Karl MacMillan set up pre/post install scripts for our selinux modules many moons ago. Are these still valid?
%pre server-selinux
if [ -s /etc/selinux/config ]; then
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
fi
fi
%post server-selinux
semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
fixfiles -C ${FILE_CONTEXT}.%{name} restore
rm -f ${FILE_CONTEXT}.%name
fi
Yes, those look correct. So the fixfiles is not working?

I think I figured out what is wrong.
Here I am installing the bits on F-15 from a git build:
# rpm -Uvh dist/rpms/*
Preparing... ########################################### [100%]
1:freeipa-python ########################################### [ 20%]
2:freeipa-client ########################################### [ 40%]
3:freeipa-admintools ########################################### [ 60%]
4:freeipa-server-selinux ########################################### [ 80%]
5:freeipa-server ########################################### [100%]
Our postinstall script makes a copy of file_contexts to know what to fix. If the selinux package is getting installed before the server package, then anything defined in server isn't getting the right context.
We currently have this in the server subpackage:
Requires(post): %{name}-server-selinux = %{version}-%{release}
I removed this and added this in the server-selinux subpackage:
Requires(post): %{name}-server = %{version}-%{release}
That seems to have done the trick, freeipa-server-selinux installed last.
Not sure what changed that broke this, or when.
Fixed upstream:
master: 80a4db80bab167ef805056a44138d2449e0fc465
ipa-2-1: 5a778d4def66a338e574d4ca3825e3a247032f3a
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Do not document
# yum install ipa-server
<snip>
Installing : mod_wsgi-3.2-1.el6.x86_64 118/120
Installing : ipa-server-2.1.3-8.el6.x86_64 119/120
Installing : ipa-server-selinux-2.1.3-8.el6.x86_64 120/120
</snip>
[root@hp-dl580g5-01 ~]# ls -lZ /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:ipa_kpasswd_exec_t:s0 /usr/sbin/ipa_kpasswd
[root@hp-dl580g5-01 ~]#

No more ipa issues found in sectool scan.

# rpm -qi ipa-server | head
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 8.el6 Build Date: Tue 01 Nov 2011 05:51:27 PM EDT
Install Date: Mon 07 Nov 2011 12:21:33 AM EST Build Host: x86-012.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-8.el6.src.rpm
Size : 3381421 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
[root@hp-dl580g5-01 ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
Description of problem:
From sectool scan after ipa-server installation:

Warning: Mislabeled directory '/var/cache/ipa/sessions' found. Labeled as 'system_u:object_r:var_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled directory '/var/cache/ipa/kpasswd' found. Labeled as 'system_u:object_r:var_t:s0', should be 'system_u:object_r:ipa_kpasswd_ccache_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/usr/sbin/ipa_kpasswd' found. Labeled as 'system_u:object_r:bin_t:s0', should be 'system_u:object_r:ipa_kpasswd_exec_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.

Version-Release number of selected component (if applicable):
Installed: ipa-server.i686 0:2.1.1-1.el6

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
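The sectool warnings above are produced by comparing each path's on-disk label with the spec that file_contexts assigns to it, which is the same comparison restorecon makes before relabeling. The Python below is an added example, not code from sectool, FreeIPA or this bug report: it parses file_contexts-style spec lines, selects the matching spec for a path, and reports mismatches against a constructed set of observations that reuses the three labels quoted in this bug. The spec selection rule ("longest literal prefix wins, later entry breaks ties") is a simplified approximation of libselinux's ordering, and the generic spec lines and the sshd control entry are constructed sample data rather than the real RHEL 6 policy.

```python
"""Offline check of SELinux file labels against file_contexts specs.

Added example (not sectool or FreeIPA code). Reproduces the "mislabeled
file" findings from the bug without needing a running SELinux system.
"""
import re
from typing import NamedTuple, Optional, List, Tuple

# file_contexts type codes -> the object kind a spec is restricted to
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}

# First regex metacharacter ends the literal prefix that decides specificity
_META = re.compile(r"[.^$?*+|\[\](){}\\]")


class Spec(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]      # "--", "-d", ... or None for "any kind"
    context: Optional[str]    # None for <<none>> (path is left unlabeled)
    literal_prefix: int       # chars before the first regex metacharacter
    order: int                # line position; later entries win ties


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse compiled file_contexts lines of the form: <regex> [<type>] <context>."""
    specs = []
    for n, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex_src, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex_src, ftype, ctx = fields
        else:
            raise ValueError(f"malformed spec on line {n + 1}: {line!r}")
        if ftype is not None and ftype not in FTYPE_CODES:
            raise ValueError(f"unknown file type {ftype!r} on line {n + 1}")
        m = _META.search(regex_src)
        prefix = m.start() if m else len(regex_src)
        specs.append(Spec(re.compile(regex_src), ftype,
                          None if ctx == "<<none>>" else ctx, prefix, n))
    return specs


def expected_context(specs: List[Spec], path: str, kind: str) -> Optional[str]:
    """Context the specs assign to `path` (an object of `kind`), or None.

    Simplified selection (assumption, not libselinux's exact algorithm): among
    matching specs the longest literal prefix wins; ties go to the later entry.
    """
    best = None
    for s in specs:
        if s.ftype is not None and FTYPE_CODES[s.ftype] != kind:
            continue
        if s.regex.fullmatch(path) is None:
            continue
        if best is None or (s.literal_prefix, s.order) > (best.literal_prefix, best.order):
            best = s
    return best.context if best else None


def find_mislabeled(specs: List[Spec],
                    observed: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """observed: (path, kind, context) triples as `ls -Z` would report.

    Returns (path, observed, expected) for entries whose on-disk label differs
    from policy. Paths with no spec or a <<none>> spec are skipped.
    """
    bad = []
    for path, kind, ctx in observed:
        exp = expected_context(specs, path, kind)
        if exp is not None and exp != ctx:
            bad.append((path, ctx, exp))
    return bad


def report(bad: List[Tuple[str, str, str]]) -> List[str]:
    """Render findings in the style of the sectool warnings in the bug."""
    return [f"Warning: Mislabeled '{p}' found. Labeled as '{have}', should be '{want}'."
            for p, have, want in bad]


# Constructed sample spec file: the three ipa entries use the contexts quoted
# in the bug; the generic entries are simplified stand-ins for real policy.
SAMPLE_FILE_CONTEXTS = """\
/.*                              system_u:object_r:default_t:s0
/usr/.*                          system_u:object_r:usr_t:s0
/usr/sbin(/.*)?                  system_u:object_r:bin_t:s0
/var(/.*)?                       system_u:object_r:var_t:s0
/var/cache/ipa/sessions(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/cache/ipa/kpasswd(/.*)?     system_u:object_r:ipa_kpasswd_ccache_t:s0
/usr/sbin/ipa_kpasswd        --  system_u:object_r:ipa_kpasswd_exec_t:s0
"""

# Constructed observations: the three labels from the bug plus one correctly
# labeled control file (sshd) that must not be reported.
SAMPLE_OBSERVED = [
    ("/var/cache/ipa/sessions", "dir",  "system_u:object_r:var_t:s0"),
    ("/var/cache/ipa/kpasswd",  "dir",  "system_u:object_r:var_t:s0"),
    ("/usr/sbin/ipa_kpasswd",   "file", "system_u:object_r:bin_t:s0"),
    ("/usr/sbin/sshd",          "file", "system_u:object_r:bin_t:s0"),
]

if __name__ == "__main__":
    for line in report(find_mislabeled(parse_file_contexts(SAMPLE_FILE_CONTEXTS),
                                       SAMPLE_OBSERVED)):
        print(line)
```

On a live system the observations would come from `ls -Z` or `stat -c '%n %C'` and the specs from `/etc/selinux/targeted/contexts/files/file_contexts` after the ipa modules are loaded with semodule; running the check right after `rpm -Uvh` (before any manual restorecon) is what exposes the scriptlet-ordering problem discussed in this bug.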