1105212 – FreeIPA's httpd cannot read CRL generated by PKI

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1105212 - FreeIPA's httpd cannot read CRL generated by PKI

Summary: FreeIPA's httpd cannot read CRL generated by PKI

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Stanislav Zidek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1082754 1115418 1152219
TreeView+	depends on / blocked

Reported:	2014-06-05 15:29 UTC by Martin Kosek
Modified:	2015-03-05 10:39 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1115418 1152219 (view as bug list)
Environment:
Last Closed:	2015-03-05 10:39:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0458	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-03-05 15:17:00 UTC

Description Martin Kosek 2014-06-05 15:29:02 UTC

Description of problem:
This is a follow up to Bug 976308. FreeIPA public CRL file is no longer accessible to httpd due to SELinux AVC and thus it's users cannot download the certificate revocation list.

AVC:
# ausearch -m avc -ts today
----
time->Wed Jun  4 22:55:08 2014
type=SYSCALL msg=audit(1401936908.044:93): arch=c000003e syscall=6 success=no exit=-13 a0=7fbc53520710 a1=7fffb68175d0 a2=7fffb68175d0 a3=0 items=0 ppid=2047 pid=2056 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401936908.044:93): avc:  denied  { getattr } for  pid=2056 comm="httpd" path="/var/lib/ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Wed Jun  4 22:55:08 2014
type=SYSCALL msg=audit(1401936908.043:92): arch=c000003e syscall=4 success=no exit=-13 a0=7fbc53520610 a1=7fffb68175d0 a2=7fffb68175d0 a3=7fbc473b5752 items=0 ppid=2047 pid=2056 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401936908.043:92): avc:  denied  { search } for  pid=2056 comm="httpd" name="ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir


/var/log/httpd/error_log:
[Wed Jun 04 22:55:08.044848 2014] [core:error] [pid 2056] (13)Permission denied: [client 10.16.78.67:49357] AH00035: access to /ipa/crl/MasterCRL.bin denied (filesystem path '/var/lib/ipa') because search permissions are missing on a component of the path

# ls -lZd /var/
drwxr-xr-x. root root system_u:object_r:var_t:s0       /var/
# ls -lZd /var/lib
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   /var/lib
# ls -lZd /var/lib/ipa
drwxr-xr-x. root root system_u:object_r:ipa_var_lib_t:s0 /var/lib/ipa
# ls -lZd /var/lib/ipa/pki-ca/
drwxr-xr-x. root root system_u:object_r:ipa_var_lib_t:s0 /var/lib/ipa/pki-ca/
# ls -lZd /var/lib/ipa/pki-ca/publish/
drwxrwxr-x. root pkiuser system_u:object_r:pki_tomcat_cert_t:s0 /var/lib/ipa/pki-ca/publish/
# ls -lZ /var/lib/ipa/pki-ca/publish/MasterCRL.bin 
lrwxrwxrwx. root root system_u:object_r:pki_tomcat_cert_t:s0 /var/lib/ipa/pki-ca/publish/MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20140605-111951.der



Version-Release number of selected component (if applicable):
ipa-server-3.3.3-28.el7.x86_64
httpd-2.4.6-17.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch

I reproduced this issue also in Fedora 20 (selinux-policy-3.12.1-166.fc20.noarch)

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server package
2. Configure FreeIPA server: ipa-server-install
3. Download CRL: wget http://`hostname`/ipa/crl/MasterCRL.bin

Actual results:
HTTP request sent, awaiting response... 403 Forbidden

Expected results:
2014-06-05 17:24:54 (30.4 MB/s) - ‘MasterCRL.bin’ saved [408/408]

Additional info:

Comment 1 Martin Kosek 2014-06-05 15:39:21 UTC

I would consider this a regression given CRL could be downloaded in RHEL-6 (though only via https):

$ wget https://`hostname`/ipa/crl/MasterCRL.bin --no-check-certificate
selinux-policy-3.7.19-231.el6_5.3.noarch
ipa-server-3.0.0-37.el6.x86_64

Comment 4 Miroslav Grepl 2014-06-06 08:03:09 UTC

What are you getting in permissive mode?

Comment 5 Martin Kosek 2014-06-06 10:25:22 UTC

Hmm, actually I get no AVC when in permissive mode:

# setenforce 0
# wget http://`hostname`/ipa/crl/MasterCRL.bin
2014-06-06 06:20:54 (51.3 MB/s) - ‘MasterCRL.bin’ saved [414/414]
# ausearch -m avc -ts today
<no matches>

This changes when I enable enforcing mode:

# setenforce 1
# wget http://`hostname`/ipa/crl/MasterCRL.bin
2014-06-06 06:21:36 ERROR 403: Forbidden.
# ausearch -m avc -ts today
----
time->Fri Jun  6 06:21:36 2014
type=SYSCALL msg=audit(1402050096.299:407): arch=c000003e syscall=4 success=no exit=-13 a0=7fd163cbc7c0 a1=7fff1058a1a0 a2=7fff1058a1a0 a3=7fd158642752 items=0 ppid=5172 pid=5995 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1402050096.299:407): avc:  denied  { search } for  pid=5995 comm="httpd" name="ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Fri Jun  6 06:21:36 2014
type=SYSCALL msg=audit(1402050096.299:408): arch=c000003e syscall=6 success=no exit=-13 a0=7fd163cbc8c0 a1=7fff1058a1a0 a2=7fff1058a1a0 a3=0 items=0 ppid=5172 pid=5995 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1402050096.299:408): avc:  denied  { getattr } for  pid=5995 comm="httpd" path="/var/lib/ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir


I got no AVC in permissive mode even when I disabled noaudit with
# semodule -DB

Comment 6 Miroslav Grepl 2014-06-06 12:19:58 UTC

I see we have

httpd_manage_ipa 

boolean. Probably it should be a part of this boolean. Or do we want to allow it by default?

Comment 7 Martin Kosek 2014-06-09 07:19:42 UTC

I am personally OK with both options, we turn on httpd_manage_ipa during FreeIPA installation. It depends what is the semantics of this sebool.

Given the man page description of the sebool

"If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean."

I would say yes - it should be part of the boolean.

Comment 8 Martin Kosek 2014-07-02 10:17:35 UTC

This issue is still present also in Fedora 20, I will clone the bug.

Comment 10 Lukas Vrabec 2014-07-02 12:35:01 UTC

Link for selinux-policy package with fix:
http://koji.fedoraproject.org/koji/buildinfo?buildID=541542

Comment 11 Petr Viktorin (pviktori) 2014-07-04 17:02:57 UTC

Spec fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5434851efd394c27ab6445a4b7544767452e20a5

Comment 12 Martin Kosek 2014-07-04 18:01:29 UTC

Restoring the state back to ASSIGNED - Petr did not notice this is a selinux-policy bug, not ipa one.

Comment 13 Miroslav Grepl 2014-07-14 09:04:43 UTC

commit 0293b601ec803a1e2b6ec1b8c1e6e40950bafa78
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jul 2 12:53:45 2014 +0200

    Allow apache to search ipa lib files by default

Comment 18 errata-xmlrpc 2015-03-05 10:39:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

Note You need to log in before you can comment on or make changes to this bug.