Description of problem:
FreeIPA allows SELinux user mapping. As such I have my administrative account mapped to staff_t. When on the domain controller, after sudoing with "sudo -i -r sysadm_r -t sysadm_t", a number of ipa commands do not work. Additionally, tools such as ipa-getcert and ipa-backup/restore do not work. This is due to SELinux denials on the ldap slapi socket not being accessible to sysadm_t. This should just need a policy to allow it.

How reproducible:
Always

Steps to Reproduce:
1. Install a FreeIPA DC, or gain access to the env with a user capable of sudo
2. Add a SELinux user map for that user to staff_t staff_r
3. Sudo on the FreeIPA DC with "sudo -i -r sysadm_r -t sysadm_t"
4. Try to run ipa-backup or ipa user-find

Actual results:
Command errors due to SELinux denials.

Expected results:
Command should work

Additional info:
Perhaps the slapi socket should be available to staff_t users also? Having to sudo in order to manage the domain when you have already authenticated as a domain admin seems to defeat part of the purpose of this system.
Please provide the AVCs you are seeing.
Created attachment 874206
AVCs

These AVCs were generated trying to run ipa-backup in permissive as sysadm_t.
FreeIPA no longer contains own SELinux policy package but instead depends on system SELinux policy (selinux-policy-targeted) which contains rules for FreeIPA. Mirek, what is your opinion on this? Are these AVCs something that should be fixed in system policy?
Ok I think we want to add a new type for ipa-backup.
Why does it need to be a new type for ipa-backup? Is there a reason that a user as staff_u or sysadm_u can't just use the ldapi socket? (Some of the other types I can understand though ie pki related interactions)
#============= sysadm_t ==============
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow sysadm_t dirsrv_t:unix_stream_socket connectto;
allow sysadm_t dirsrv_var_lib_t:file { execute execute_no_trans };
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow sysadm_t dirsrv_var_run_t:sock_file write;
allow sysadm_t memcached_var_run_t:sock_file write;

So I am interested in

type=AVC msg=audit(1394764549.519:4449): avc: denied { execute } for pid=28012 comm="ipa-backup" name="db2ldif" dev="dm-3" ino=17427156 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dirsrv_var_lib_t:s0 tclass=file

What does "db2ldif" do? What is a path to it in /var/lib/dirsrv and could we label it as bin_t?
db2ldif converts the LDAP database into an LDIF file. The script lives in /var/lib/dirsrv/scripts-INSTANCE/db2ldif (for now, I think there may be plans to move it). cc'd 389-ds engineer about relabeling.
(In reply to Rob Crittenden from comment #7)
> db2ldif converts the LDAP database into an LDIF file. The script lives in
> /var/lib/dirsrv/scripts-INSTANCE/db2ldif (for now, I think there may be
> plans to move it).
>
> cc'd 389-ds engineer about relabeling.

Yes. The plan is to copy all of the scripts into /usr/sbin, then eventually get rid of /usr/lib[64]/dirsrv/slapd-INST/* (or /var/lib/dirsrv/scripts-INSTANCE for IPA).
Ok then try to test it with

# chcon -R -t bin_t /var/lib/dirsrv/scripts-INSTANCE
# setsebool authlogin_nsswitch_use_ldap on
Will test at the soonest possible convenience.
That's a lot closer, but I still get the following:

type=AVC msg=audit(1395706442.525:1623): avc: denied { write } for pid=8466 comm="ipa-backup" name="ipa_memcached" dev="tmpfs" ino=512403 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1395706442.525:1623): avc: denied { connectto } for pid=8466 comm="ipa-backup" path="/run/ipa_memcached/ipa_memcached" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:memcached_t:s0 tclass=unix_stream_socket
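The AVC records quoted in comments 7 and 12 show the triage this thread performs by hand: derive the allow rule each denial would need, then check which denials the two proposed remedies (relabelling /var/lib/dirsrv/scripts-INSTANCE as bin_t and enabling the authlogin_nsswitch_use_ldap boolean) cover and which are still outstanding. The script below is an added example, not part of the bug report or of selinux-policy; it parses constructed copies of the thread's AVC lines and applies that check. The mapping of the boolean to the rules it covers is an assumption taken from the audit2allow hints in comment 7, not from the policy source, and the helper names are invented for illustration.

```python
"""Added example: minimal triage of the AVC denials quoted in this bug.

Parses 'type=AVC' audit records, prints the allow rule audit2allow would
derive for each, and reports which denials the proposed remedies cover.
"""
import re

# Constructed copies of the AVC records quoted in comments 7 and 12.
AVC_SAMPLE = """\
type=AVC msg=audit(1394764549.519:4449): avc: denied { execute } for pid=28012 comm="ipa-backup" name="db2ldif" dev="dm-3" ino=17427156 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:dirsrv_var_lib_t:s0 tclass=file
type=AVC msg=audit(1395706442.525:1623): avc: denied { write } for pid=8466 comm="ipa-backup" name="ipa_memcached" dev="tmpfs" ino=512403 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1395706442.525:1623): avc: denied { connectto } for pid=8466 comm="ipa-backup" path="/run/ipa_memcached/ipa_memcached" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:memcached_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# ASSUMPTION: rules the thread's audit2allow output attributes to this boolean.
# Taken from the '#!!!! This avc can be allowed using the boolean' hints.
BOOLEAN_COVERS = {
    'authlogin_nsswitch_use_ldap': {
        ('dirsrv_t', 'unix_stream_socket', 'connectto'),
        ('dirsrv_var_run_t', 'sock_file', 'write'),
    },
}


def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, raw, quoted in FIELD_RE.findall(m.group('fields')):
        rec[key] = quoted if raw.startswith('"') else raw
    # A context is user:role:type[:range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Render the allow rule audit2allow would emit for one denial."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


def remedy_for(rec, scripts_relabelled=True, booleans_on=()):
    """Name the remedy covering this denial, or None if it is still outstanding."""
    ttype, tclass = rec['ttype'], rec['tclass']
    # ipa-backup executing db2ldif out of the scripts directory: labelling the
    # directory bin_t resolves it, since sysadm_t may execute bin_t files.
    if (scripts_relabelled and ttype == 'dirsrv_var_lib_t'
            and tclass == 'file' and 'execute' in rec['perms']):
        return 'chcon -R -t bin_t /var/lib/dirsrv/scripts-INSTANCE'
    for boolean in booleans_on:
        for perm in rec['perms']:
            if (ttype, tclass, perm) in BOOLEAN_COVERS.get(boolean, set()):
                return f'setsebool {boolean} on'
    return None


def triage(text, scripts_relabelled=True, booleans_on=('authlogin_nsswitch_use_ldap',)):
    """Split the denials in `text` into (covered, outstanding) lists of (rule, remedy)."""
    covered, outstanding = [], []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        remedy = remedy_for(rec, scripts_relabelled, booleans_on)
        (covered if remedy else outstanding).append((allow_rule(rec), remedy))
    return covered, outstanding


if __name__ == '__main__':
    covered, outstanding = triage(AVC_SAMPLE)
    print('Covered by the proposed remedies:')
    for rule, remedy in covered:
        print(f'  {rule}    <- {remedy}')
    print('Still outstanding (needs a policy change):')
    for rule, _ in outstanding:
        print(f'  {rule}')
```

Run against the sample, the db2ldif execute denial is covered by the relabel while the two memcached denials remain, which is the state comment 12 reports and the reason the follow-up commit allows unprivileged users to connect to memcached. Pointing the parser at `ausearch -m avc` output instead of the embedded sample makes it a quick check that a relabel or boolean change actually removed the denials you expected.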
Added

commit cbf1c93119bff238267e604b8f525ff413126e77
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 25 11:01:07 2014 +0100

    Allow unprivusers to connect to memcached

commit 5778464a6636668be8cb05b66d65250b0b6acea9
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 25 10:58:47 2014 +0100

    label /var/lib/dirsrv/scripts-INSTANCE as bin_t

to all Fedoras.
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
Package selinux-policy-3.12.1-74.26.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.26.fc19'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6075/selinux-policy-3.12.1-74.26.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.