Bug 796351

Summary: AVC when dirsrv attempts to run prelink with NSS db in FIPS mode
Product: Red Hat Enterprise Linux 6
Reporter: Rich Megginson <rmeggins>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: urgent
Version: 6.3
CC: amarecek, dominick.grift, dwalsh, dwmw2, emaldona, mgrepl, mmalik, msvoboda, nkinder, syeghiay
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-138.el6
Doc Type: Bug Fix
Doc Text:
Previously, SELinux logged AVC denials when the dirsrv service executed "modutil -dbdir /etc/dirsrv/slapd-instname -fips true" to enable FIPS mode in an NSS (Network Security Services) key/cert database. This happened because the NSS_Initialize() function executed prelink, which then ran in the dirsrv_t context. With this update, prelink running in the dirsrv_t context is allowed to relabel its own temporary files, and the problem no longer occurs.
Clone Of: 746017
Last Closed: 2012-06-20 12:31:36 UTC
Bug Depends On: 746017
Bug Blocks: 796423

Description Rich Megginson 2012-02-22 17:56:28 UTC
+++ This bug was initially created as a clone of Bug #746017 +++

Created attachment 528064
AVC and SYSCALL messages

If dirsrv uses
modutil -dbdir /etc/dirsrv/slapd-instname -fips true
to enable FIPS mode in the NSS key/cert db, we get AVC messages because NSS_Initialize attempts to use prelink.

--- Additional comment from nkinder on 2011-10-13 13:17:34 EDT ---

I believe that we just need to add the following to the dirsrv policy:

prelink_exec(dirsrv_t);

We will test this to see if anything else is required.

--- Additional comment from rmeggins on 2011-10-13 15:36:14 EDT ---

Created attachment 528089
after loading new policy

I did the following on F-15:
1) create a file dirsrv-prelink.te with the following contents:
policy_module(dirsrv-prelink,1.0.0)

require {
    type dirsrv_t;
}

prelink_exec(dirsrv_t);

2) make -f /usr/share/selinux/devel/Makefile
3) semodule -i dirsrv-prelink.pp

After restarting dirsrv, I got the attached AVCs

--- Additional comment from rmeggins on 2011-10-13 15:37:17 EDT ---

Created attachment 528094
after running restorecon /usr/sbin/ns-slapd

Then I ran restorecon /usr/sbin/ns-slapd, and I got the attached AVC

--- Additional comment from nkinder on 2011-10-13 18:36:50 EDT ---

(In reply to comment #2)
> Created attachment 528089
> after loading new policy
> 
> I did the following on F-15:
> 1) create a file dirsrv-prelink.te with the following contents:
> policy_module(dirsrv-prelink,1.0.0)
> 
> require {
>     type dirsrv_t;
> }
> 
> prelink_exec(dirsrv_t);
> 
> 2) make -f /usr/share/selinux/devel/Makefile
> 3) semodule -i dirsrv-prelink.pp
> 
> After restarting dirsrv, I got the attached AVCs

Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of 'prelink_exec(dirsrv_t)'.  This will make prelink run in its own context instead of using the dirsrv_t context.  Could you try changing the policy module and testing with the prelink_domtrans macro?

--- Additional comment from rmeggins on 2011-10-13 18:52:12 EDT ---

(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 528089
> > after loading new policy
> > 
> > I did the following on F-15:
> > 1) create a file dirsrv-prelink.te with the following contents:
> > policy_module(dirsrv-prelink,1.0.0)
> > 
> > require {
> >     type dirsrv_t;
> > }
> > 
> > prelink_exec(dirsrv_t);
> > 
> > 2) make -f /usr/share/selinux/devel/Makefile
> > 3) semodule -i dirsrv-prelink.pp
> > 
> > After restarting dirsrv, I got the attached AVCs
> 
> Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of
> 'prelink_exec(dirsrv_t)'.  This will make prelink run in its own context
> instead of using the dirsrv_t context.  Could you try changing the policy
> module and testing with the prelink_domtrans macro?

Yep, changing prelink_exec to prelink_domtrans in the above worked.  No messages, no AVCs, in Permissive and in Enforcing mode.

--- Additional comment from mgrepl on 2011-10-14 08:10:10 EDT ---

Well, this is not something we want to allow by default.

Dan,
AFAIK we had the similar bug.

--- Additional comment from dwalsh on 2011-10-14 08:56:11 EDT ---

I would prefer not to transition to prelink and allow the relabel for the current domain.  prelink is a pretty powerful domain, since it can read and write binaries.  If you could somehow fool prelink you could take a system over.  Allowing relabelto and relabelfrom types that you can read/write, I do not think is a problem.
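
The two approaches discussed in this thread (the local-module build steps in comment 2 and the narrower "allow the relabel in the current domain" route preferred above) can be shown together. The script below is an added example written for this page; it is not code from the bug report, from 389-ds-base or from selinux-policy. It contains a small stand-in for audit2allow that turns AVC denial lines into merged allow rules, and wraps them in a policy_module() skeleton of the same shape as the dirsrv-prelink.te in comment 2, but with a relabel rule for dirsrv_t instead of prelink_domtrans(dirsrv_t). The AVC lines are constructed; the attachments on this bug are not reproduced, so the target type dirsrv_tmp_t, the pids, inode numbers and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): a minimal
# AVC -> allow-rule generator, a stand-in for audit2allow, plus a .te
# wrapper that keeps prelink in the caller's domain (dirsrv_t) and grants
# only the relabel permissions the denials ask for, rather than the
# prelink_domtrans(dirsrv_t) variant rejected in this thread.

# Constructed AVC lines in the shape auditd writes.  The target type
# dirsrv_tmp_t, pids, inodes and names are assumptions, not taken from
# the bug's attachments.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1318533000.123:45): avc:  denied  { relabelfrom } for  pid=1234 comm="prelink" name="ns-slapd.abc123" dev=dm-0 ino=9876 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=file
type=AVC msg=audit(1318533000.124:46): avc:  denied  { relabelto } for  pid=1234 comm="prelink" name="ns-slapd.abc123" dev=dm-0 ino=9876 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1318533000.124:46): arch=c000003e syscall=188 success=no exit=-13
EOF
}

# Read audit lines on stdin; emit one "allow src tgt:class { perms };" per
# (source type, target type, class), merging permissions across denials.
# Non-AVC records (SYSCALL, PATH, ...) are skipped by the sed filter.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk '{
            key = $1 " " $2 ":" $3
            for (i = 4; i <= NF; i++)
                if (index(perms[key], " " $i " ") == 0)
                    perms[key] = perms[key] " " $i " "
         }
         END {
            for (k in perms) {
                n = split(perms[k], a, " ")
                s = ""
                for (i = 1; i <= n; i++) s = s (i > 1 ? " " : "") a[i]
                print "allow " k " { " s " };"
            }
         }' | sort
}

# Read allow rules on stdin and wrap them in a loadable-module skeleton.
# The require block is derived from the types the rules mention, so the
# module compiles against the base policy without redeclaring them.
make_te() {
    awk -v name="$1" '
        {
            rules[NR] = $0
            t[1] = $2; split($3, tc, ":"); t[2] = tc[1]
            for (i = 1; i <= 2; i++)
                if (!(t[i] in seen)) { seen[t[i]] = 1; order[++ntypes] = t[i] }
        }
        END {
            printf "policy_module(%s, 1.0.0)\n\nrequire {\n", name
            for (i = 1; i <= ntypes; i++) printf "    type %s;\n", order[i]
            printf "}\n\n"
            for (i = 1; i <= NR; i++) print rules[i]
        }'
}

# Stand-alone run: print the generated module.  Building and loading it
# needs the selinux-policy-devel tooling and root, exactly as in steps 2
# and 3 of comment 2, so those commands stay as comments here:
#   sample_avcs | avc_to_allow | make_te dirsrv-prelink > dirsrv-prelink.te
#   make -f /usr/share/selinux/devel/Makefile
#   semodule -i dirsrv-prelink.pp
sample_avcs | avc_to_allow | make_te dirsrv-prelink
```

The generated rule is the shape of what comment 8 (Dan Walsh) argues for: dirsrv_t keeps running prelink itself and gains only relabelfrom/relabelto on a type it can already read and write, while the one-line alternative, prelink_domtrans(dirsrv_t), would hand the service a transition into a domain that can rewrite system binaries. On a real system, compare the generated .te against what audit2allow -M produces from the actual /var/log/audit/audit.log before loading anything.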

--- Additional comment from mgrepl on 2011-10-21 05:47:13 EDT ---

Fixed in selinux-policy-3.9.16-44.fc15

Comment 1 Rich Megginson 2012-02-22 17:58:05 UTC
Due to the nss rebase to 3.13 in RHEL 6, this bug will now affect RHEL 6.2.z.  Therefore this issue MUST BE FIXED IN RHEL6.2.Z or 389-ds-base will break in FIPS mode.

The NSS rebase bug for 6.2.z - https://bugzilla.redhat.com/show_bug.cgi?id=744070

Comment 2 Elio Maldonado Batiz 2012-02-22 19:45:48 UTC
cloned for rhel-6.2.z as https://bugzilla.redhat.com/show_bug.cgi?id=744072
Wrapping up testing on the nss update.

Comment 4 Miroslav Grepl 2012-02-22 20:30:03 UTC
Fixed in selinux-policy-3.7.19-138.el6

Comment 6 Miroslav Svoboda 2012-02-24 14:28:19 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.

Comment 10 errata-xmlrpc 2012-06-20 12:31:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html