Bug 783592
| Field | Value |
|---|---|
| Summary | need SELinux policy for ipa_memcached service |
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.3 |
| Hardware | All |
| OS | Linux |
| Severity | medium |
| Priority | medium |
| Status | CLOSED ERRATA |
| Reporter | Dmitri Pal <dpal> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | dwalsh, jdennis, jgalipea, mkosek, mmalik, rcritten, yzhang |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | selinux-policy-3.7.19-137.el6 |
| Doc Type | Bug Fix |
| Clones | 784549, 798492 |
| Bug Blocks | 784549, 798492 |
| Last Closed | 2012-06-20 12:30:38 UTC |
Description
Dmitri Pal
2012-01-20 23:33:05 UTC
I added fixes to Fedora which will backport. The better solution would be to have this socket in the /var/run/memcached directory.

In permissive mode I also see these AVCs (in addition to the reported create error).

```
type=AVC msg=audit(1327444951.719:40211): avc: denied { connectto } for pid=26475 comm="httpd" path="/var/run/ipa_memcached/ipa_memcached" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1327445682.171:40216): avc: denied { getattr } for pid=26664 comm="memcached" path="/var/run/ipa_memcached/ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1327445682.181:40218): avc: denied { unlink } for pid=26664 comm="memcached" name="ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
```

What does `rpm -qf /var/run/ipa_memcached` report?

It is provided by our freeipa-server package (upstream only).

I should add that we haven't committed this upstream yet, the patch is still under review, but the SELinux issues are unrelated to acceptance.

Rob, could you try to test the latest selinux-policy from brew?

Is there a reason for using this directory rather than /var/run/memcached?

re comment #9, Yes, there is a reason we use a different directory. We do not want to share the memcached instance with the system default. Our ipa_memcached instance contains sensitive (authentication) information in it. We want to be able to lock down this instance so that only IPA can access it. We have two avenues for locking down our exclusive instance.

1) standard UNIX permissions on the memcached UNIX socket. During our initial testing that is the apache user because our server processes run as the apache user. We currently do not have an ipa system user id, but we are contemplating adding that and running our processes as that user.

2) Anything SELinux policy can do to further protect this instance.

Note, the /var/run/ipa_memcached directory is currently being used to store 3 types of files:

1) The memcached UNIX socket.
2) The memcached pid file.
3) Kerberos ccache files associated with sessions stored in the memcached instance.

Well the best thing to do from an SELinux point of view would be to run the ipa_memcached with a different context than the system memcached, or state that you should not run a memcached on a system running IPA. But I guess you are going to be wanting to run multiple httpd servers also?

John, it might be better that we discuss this outside a bugzilla...

When Dan and I last spoke a couple of weeks ago he said he was going to add any necessary policy to allow Apache to create/read/write files into the /var/run/ipa_memcached directory as well as allowing the socket creation. Then these policy changes were also going to be added into all current Fedora releases as well as RHEL6. We haven't heard anything since then and we were wondering what the status of the policy updates is. When might we see them?

They have gone into rawhide, although it does not look like they have been backported yet. Miroslav?

It was backported:

```
optional_policy(` memcached_stream_connect(httpd_t) + tunable_policy(`httpd_manage_ipa',` + memcached_manage_pid_files(httpd_t) + ') ')
```

but I need to do a new build.

I am going to do a new build today.

Fixed in selinux-policy-3.7.19-137.el6

This is still not working in selinux-policy-3.7.19-137.el6, the apache process cannot create/write/read a file in /var/run/ipa_memcached.
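Review bot: the added tunable_policy block only grants memcached_manage_pid_files(httpd_t) while httpd_manage_ipa is on, and the boolean is not on by default, so the hunk by itself leaves httpd_t denied `write` on memcached_var_run_t:dir until someone runs `setsebool -P httpd_manage_ipa on`; nothing in the hunk, and nothing shown from ipa-server-selinux, does that, so the change should come with a note that the IPA installer has to enable the boolean. Separately, because /var/run/ipa_memcached carries the same memcached_var_run_t type as the system memcached's runtime directory, memcached_manage_pid_files(httpd_t) lets the web server manage the system instance's pid and socket files as well, which is broader than the ccache-file writes IPA needs; if the directory is meant to be IPA-only, a type of its own would keep the grant narrow.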
We get this AVC:

```
type=AVC msg=audit(1330004551.948:144): avc: denied { write } for pid=1574 comm="httpd" name="ipa_memcached" dev=dm-1 ino=14939 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir
```

This occurs when we execute this python code:

```
dst = open(session_krbccache_pathname, 'w')
IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_069d9d7d6213'
```

Is the httpd_manage_ipa boolean enabled?

I have found a bug in an interface.

no, the httpd_manage_ipa boolean had not been set, after enabling it things appear to be working. Thank you.

Great.

Still getting AVCs

versions:

```
ipa-server-2.2.0-2.el6.x86_64
selinux-policy-3.7.19-138.el6.noarch
pki-selinux-9.0.3-21.el6.noarch
ipa-server-selinux-2.2.0-2.el6.x86_64
selinux-policy-targeted-3.7.19-138.el6.noarch
```

AUDIT LOG ::

```
# cat /var/log/audit/audit.log | audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_manage_ipa'
allow httpd_t memcached_var_run_t:dir write;
```

HTTPD LOG ::

```
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220] mod_wsgi (pid=1558): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220] Traceback (most recent call last):
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     return api.Backend.session(environ, start_response)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 148, in __call__
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     return self.route(environ, start_response)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 160, in route
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     return app(environ, start_response)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 521, in __call__
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     krbccache_pathname = store_krbccache_file(ccache_data)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1080, in store_krbccache_file
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     dst = open(krbccache_pathname, 'w')
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_1558'
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220] mod_wsgi (pid=1557): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220] Traceback (most recent call last):
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     return api.Backend.session(environ, start_response)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 148, in __call__
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     return self.route(environ, start_response)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 160, in route
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     return app(environ, start_response)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 521, in __call__
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     krbccache_pathname = store_krbccache_file(ccache_data)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1080, in store_krbccache_file
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     dst = open(krbccache_pathname, 'w')
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_1557'
```

re comment #25, I believe the problem is not with the policy but rather with the fact we haven't enabled the SELinux boolean. I thought there was a ticket open to enable the boolean but a very quick check does not show it.

Yes, audit2allow also says

```
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_manage_ipa'
allow httpd_t memcached_var_run_t:dir write;
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
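The thread above turns on reading AVC records correctly: the first batch shows memcached_t being denied on a sock_file carrying the generic var_run_t type (a labelling problem) and httpd_t trying to connect to a socket whose peer is unconfined_t (the daemon was started from a shell), while the later record shows httpd_t denied on a correctly labelled memcached_var_run_t directory (a genuine policy gap that a boolean closes). As an added example, not code from this bug, from selinux-policy or from FreeIPA, the script below parses audit.log lines of that shape and sorts each denial into one of those three buckets. The sample input is the four AVC lines quoted in the report plus one constructed non-AVC SYSCALL line; the GENERIC_TYPES set and the bucket names are assumptions of this example.

```python
"""Triage SELinux AVC denials of the kind seen in this bug.

Each denial is sorted into one of three buckets that call for different fixes:

  mislabelled-target  the object carries a generic type (var_run_t, tmp_t, ...)
                      instead of a daemon's private type: fix the file context
                      (semanage fcontext / restorecon), not the policy
  unconfined-peer     a unix socket connect whose listening process is
                      unconfined_t, i.e. the daemon was started from a shell
                      instead of its service script: fix how it is started
  policy-gap          a confined domain lacks a permission on a correctly
                      labelled object: this needs an allow rule or a boolean
"""
import re
from collections import Counter

# Generic types that a daemon's runtime files should not carry once the
# directory has a file context of its own (assumption: targeted policy names).
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "var_tmp_t", "etc_t"}

AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the four AVC records quoted in this bug report, followed by one
# constructed SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327444951.719:40211): avc: denied { connectto } for pid=26475 comm="httpd" path="/var/run/ipa_memcached/ipa_memcached" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1327445682.171:40216): avc: denied { getattr } for pid=26664 comm="memcached" path="/var/run/ipa_memcached/ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1327445682.181:40218): avc: denied { unlink } for pid=26664 comm="memcached" name="ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1330004551.948:144): avc: denied { write } for pid=1574 comm="httpd" name="ipa_memcached" dev=dm-1 ino=14939 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1330004551.948:144): arch=c000003e syscall=2 success=no exit=-13
"""


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denial(line):
    """Parse one audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        # path= is present for opened objects; unlink-style records only carry name=
        "object": fields.get("path") or fields.get("name"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_denials(text):
    """All AVC denials in a block of audit.log text, in order."""
    return [d for d in (parse_denial(line) for line in text.splitlines()) if d]


def triage(denial):
    """Name the bucket (and so the kind of fix) for one denial."""
    if denial["tclass"] == "unix_stream_socket" and denial["target"] == "unconfined_t":
        return "unconfined-peer"
    if denial["target"] in GENERIC_TYPES:
        return "mislabelled-target"
    return "policy-gap"


def summarize(text):
    """Return {bucket: Counter of (source, target, tclass, perm)} for a log."""
    report = {}
    for d in parse_denials(text):
        bucket = report.setdefault(triage(d), Counter())
        for perm in d["perms"]:
            bucket[(d["source"], d["target"], d["tclass"], perm)] += 1
    return report


if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE_AUDIT_LOG).items():
        print(bucket)
        for (src, tgt, tclass, perm), n in sorted(counts.items()):
            print("  %dx %s -> %s:%s { %s }" % (n, src, tgt, tclass, perm))
```

Only the policy-gap bucket is something to feed to audit2allow or to fix with a boolean such as httpd_manage_ipa; the mislabelled-target entries go away with `restorecon -Rv /var/run/ipa_memcached` once a file context exists for the directory, and the unconfined-peer entry goes away when memcached is started through its service script so that it runs as memcached_t.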