Bug 851318

Summary: RHEL5 ipa-client-install creates krb5.conf with incorrect selinux context
Product: Red Hat Enterprise Linux 5
Reporter: Scott Poore <spoore>
Component: ipa-client
Assignee: Rob Crittenden <rcritten>
Status: CLOSED WONTFIX
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 5.9
CC: dpal, jgalipea, mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
The /etc/krb5.conf file can end up with an incorrect SELinux context when it did not exist before the IPA client was installed, or after the client is installed, uninstalled, or reinstalled. AVC denials can occur in these scenarios.
Last Closed: 2013-10-08 06:35:39 UTC
Type: Bug

Description Scott Poore 2012-08-23 18:58:02 UTC
Description of problem:

AVC denials seen for sssd reading/writing krb5.conf.  Troubleshooting this, I found that the root cause was that ipa-client-install isn't specifically restoring the SELinux context if it creates /etc/krb5.conf from scratch.


Version-Release number of selected component (if applicable):
ipa-client-2.1.3-4.el5

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. yum -y install ipa-client
3. rm /etc/krb5.conf
4. ipa-client-install -s --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW -U --server=$MASTER
5. ausearch -m avc 
6. ls -lZ /etc/krb5.conf

Actual results:

5. Will see AVC denials for krb5.conf:

time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 a0=12a59bc0 a1=2 a2=2b4e67b81ba0 a3=0 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.804:161): arch=c000003e syscall=21 success=no exit=-13 a0=1c60c3f0 a1=2 a2=0 a3=0 items=0 ppid=26628 pid=26640 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldap_child" exe="/usr/libexec/sssd/ldap_child" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.841:162): arch=c000003e syscall=21 success=no exit=-13 a0=136753d0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.841:162): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.842:163): arch=c000003e syscall=21 success=no exit=-13 a0=136753b0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.842:163): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

6. Will see etc_t instead of proper krb5_conf_t for krb5.conf:

-rw-r--r--  root root root:object_r:etc_t              /etc/krb5.conf

Expected results:

creates /etc/krb5.conf with expected context:

[root@vm6 ipa-nis-integration]# restorecon /etc/krb5.conf
[root@vm6 ipa-nis-integration]# ls -lZ /etc/krb5.conf
-rw-r--r--  root root system_u:object_r:krb5_conf_t    /etc/krb5.conf


Additional info:

Comment 1 Dmitri Pal 2012-08-30 04:53:25 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3044

Comment 2 RHEL Program Management 2012-08-30 20:47:04 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 3 RHEL Program Management 2012-10-30 06:11:33 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 6 Martin Kosek 2013-10-07 10:26:46 UTC
Closing upstream ticket, this is not a problem in upstream FreeIPA.

Comment 8 Martin Kosek 2013-10-08 06:35:39 UTC
I am closing the ticket, it is a known issue of RHEL-5.x and was documented as such.