Bug 1009177 - RHEL7 ipa-client-install AVC denial for ipa-submit
Status: CLOSED DUPLICATE of bug 1012109
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Duplicates: 1010992
Reported: 2013-09-17 18:03 EDT by Scott Poore
Modified: 2015-02-18 10:58 EST
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-10-03 05:02:24 EDT

Description Scott Poore 2013-09-17 18:03:28 EDT
Description of problem:

During automated testing, I see this when ipa-client-install is run:

time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 a0=7f3760054b83 a1=7f376174a950 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:120): avc:  denied  { write } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
----
time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 a0=b a1=2a0425f6 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:121): avc:  denied  { read } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch


How reproducible:
yet unknown 

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Client (w/ ipa-client-install)
3.  ausearch -m avc

Actual results:
lists AVC denial from above.

Expected results:
no denials expected.


Additional info:
Comment 2 Martin Kosek 2013-09-18 04:15:47 EDT
ipa-submit is a certmonger component.

# rpm -ql certmonger | grep ipa-submit
/usr/libexec/certmonger/ipa-submit
/usr/share/doc/certmonger-0.67/ipa-submit.txt
/usr/share/man/man8/certmonger-ipa-submit.8.gz

I tried to run ipa-client-install and hit the same bug:

# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch

# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: vm-052.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: ^C[root@vm-052 ~]# truncate -s 0 /var/log/audit/audit.log 
[root@vm-052 ~]# ipa-client-install ^C
[root@vm-052 ~]# getenforce 
Enforcing
[root@vm-052 ~]# ipa-client-install 
...
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20130918081005':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (HTTP response code is 401, not 200).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com'
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

# ausearch -m avc  -ts today
----
time->Wed Sep 18 04:10:05 2013
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 a0=7fb6e47afb83 a1=7fb6e704b3f0 a2=0 a3=0 items=0 ppid=14368 pid=14384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379491805.335:131): avc:  denied  { write } for  pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key

# cat /var/log/audit/audit.log | audit2allow 


#============= certmonger_t ==============
allow certmonger_t self:key write;

# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch

Moving to selinux-policy component.
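The AVC records in the description and the audit2allow output in Comment 2 can be reproduced with a small parser. The Python below is an added example, not part of the bug report or of audit2allow itself: it joins each AVC record to its SYSCALL record by audit serial, marks whether the denial was enforced (success=no, exit=-13) or only logged (success=yes, as in the description's first trace), and collapses the two keyring denials into one allow rule. The sample log lines are constructed from those quoted on this page with unused fields removed, and the syscall-number map assumes the x86_64 ABI (arch=c000003e).

```python
import re

# Constructed sample: the SYSCALL/AVC pairs quoted in this report, with unused fields removed.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 pid=12655 comm="ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:120): avc:  denied  { write } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 pid=12655 comm="ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:121): avc:  denied  { read } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 pid=14384 comm="ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379491805.335:131): avc:  denied  { write } for  pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
"""
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)" .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?syscall=(?P<nr>\d+) '
    r'success=(?P<success>yes|no) exit=(?P<exit>-?\d+)')
# Assumed x86_64 ABI (arch=c000003e): the keyring syscalls behind tclass=key denials.
KEY_SYSCALLS_X86_64 = {'248': 'add_key', '249': 'request_key', '250': 'keyctl'}

def parse_denials(log_text):
    """Join each AVC record to its SYSCALL record by audit serial number."""
    syscalls, denials = {}, []
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group('serial')] = m.groupdict()
        elif (m := AVC_RE.search(line)):
            denials.append(m.groupdict())
    for d in denials:
        sc = syscalls.get(d['serial'], {})
        d['perms'] = sorted(d['perms'].split())
        d['syscall'] = KEY_SYSCALLS_X86_64.get(sc.get('nr'), sc.get('nr'))
        # success=no with exit=-13 (EACCES): denial enforced; success=yes: only logged.
        d['enforced'] = sc.get('success') == 'no'
    return denials

def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = {}
    for d in denials:
        src, tgt = d['scontext'].split(':')[2], d['tcontext'].split(':')[2]
        grouped.setdefault((src, 'self' if tgt == src else tgt, d['tclass']), set()).update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        body = ' '.join(sorted(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```

Run over the three quoted events this yields `allow certmonger_t self:key { read write };`, which is the rule audit2allow printed in Comment 2 plus the `read` permission from the keyctl denial in the description.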
Comment 3 Martin Kosek 2013-09-18 04:27:10 EDT
Note that there is another potentially related bug from IPA team: Bug 1007606.
Comment 4 Miroslav Grepl 2013-09-18 04:43:19 EDT
Did it work with this local policy?
Comment 6 Jan Cholasta 2013-09-19 02:39:16 EDT
It does indeed work with the local policy.
Comment 7 Scott Poore 2013-09-24 10:50:50 EDT
So does that mean this needs to be added to selinux-policy?
Comment 8 Martin Kosek 2013-09-24 12:10:15 EDT
Yes - Jan verified in Comment 6 that the policy fixes it.

Now I assume the ball is on Mirek's playground to update the policy.
Comment 9 Miroslav Grepl 2013-09-30 10:45:14 EDT
I added fixes.
Comment 10 Miroslav Grepl 2013-09-30 10:45:35 EDT
*** Bug 1010992 has been marked as a duplicate of this bug. ***
Comment 11 Miroslav Grepl 2013-09-30 11:09:06 EDT
(In reply to Miroslav Grepl from comment #9)
> I added fixes.

to Fedora. Will back port them.
Comment 13 Miroslav Grepl 2013-10-03 05:02:24 EDT

*** This bug has been marked as a duplicate of bug 1012109 ***
