Bug 866597

Summary: Selinux issues with IPA trusts
Product: [Fedora] Fedora Reporter: Steeve Goveas <sgoveas>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: abokovoy, dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 16:19:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
selinux logs none

Description Steeve Goveas 2012-10-15 17:21:10 UTC
Created attachment 627558 [details]
selinux logs

Description of problem:
1. libkrb5 initialization of security context (within smb python bindings) which manifests in httpd being denied to access /etc/selinux/targeted/*

2. Set of denials for winbindd and krb5kdc

Version-Release number of selected component (if applicable):
# rpm -qa | grep selinux-policy
selinux-policy-devel-3.11.1-36.fc18.noarch
selinux-policy-3.11.1-36.fc18.noarch
selinux-policy-targeted-3.11.1-36.fc18.noarch

How reproducible:


Steps to Reproduce:
Logs attached
  
Actual results:


Expected results:


Additional info:

Comment 1 Alexander Bokovoy 2012-10-15 17:23:52 UTC
This is when trying to test IPA v3 AD trusts with instructions at https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust. SELinux policy was targeted.

Comment 2 Miroslav Grepl 2012-10-16 11:45:44 UTC
Could you test it with the latest F18 build and with

# setsebool authlogin_nsswitch_use_ldap on

Comment 3 Alexander Bokovoy 2012-10-16 11:51:23 UTC
Miroslav, authlogin_nsswitch_use_ldap has no relation to IPA. We do not set and do not want to set that variable.

Comment 4 Miroslav Grepl 2012-10-16 12:03:23 UTC
Yes. I just wanted to see if a new policy build with this boolean fixes problems for you.

Comment 5 Alexander Bokovoy 2012-10-16 12:17:55 UTC
Here are the AVCs before change of the authlogin_nsswitch_use_ldap:
--------------------------------
type=AVC msg=audit(1350389564.467:358): avc:  denied  { write } for  pid=1404 comm="winbindd" name="slapd-IPA-TEAM.socket" dev="tmpfs" ino=23656 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1350389564.467:358): avc:  denied  { connectto } for  pid=1404 comm="winbindd" path="/run/slapd-IPA-TEAM.socket" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1350389564.467:358): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff39880ed0 a2=6e a3=7fff39880ed2 items=0 ppid=1400 pid=1404 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
type=MAC_POLICY_LOAD msg=audit(1350389583.782:359): policy loaded auid=0 ses=2
type=SYSCALL msg=audit(1350389583.782:359): arch=c000003e syscall=1 success=yes exit=5033185 a0=4 a1=7f7d42291000 a2=4ccce1 a3=7fff2c3697a0 items=0 ppid=1881 pid=1900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1350389585.806:360): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1350389585.809:361): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_START msg=audit(1350389585.856:362): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="smb" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1350389586.181:363): avc:  denied  { write } for  pid=1914 comm="winbindd" name="slapd-IPA-TEAM.socket" dev="tmpfs" ino=23656 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1350389586.181:363): avc:  denied  { connectto } for  pid=1914 comm="winbindd" path="/run/slapd-IPA-TEAM.socket" scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1350389586.181:363): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff39880d00 a2=6e a3=7fff39880a50 items=0 ppid=1400 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)
--------------------------------

after changing the variable there are no AVCs anymore.

Comment 6 Miroslav Grepl 2012-10-16 12:20:26 UTC
Great. Fixed in selinux-policy-targeted-3.11.1-40.fc18.noarch

Comment 7 Fedora Update System 2012-10-23 20:34:55 UTC
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 8 Fedora Update System 2012-10-26 15:37:55 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 9 Fedora Update System 2012-10-26 19:27:22 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 10 Steeve Goveas 2012-12-20 09:03:45 UTC
Version
selinux-policy-3.11.1-66.fc18.noarch

Successfully carried out testing of IPA AD trust with selinux in enforcing mode following steps provided at this link. No avc denials found

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust

Comment 11 Fedora Update System 2012-12-20 16:19:20 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.