Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1105212

Summary: FreeIPA's httpd cannot read CRL generated by PKI
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Stanislav Zidek <szidek>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.0CC: adingman, lvrabec, mmalik, pviktori, szidek
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1115418 1152219 (view as bug list) Environment:
Last Closed: 2015-03-05 10:39:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1082754, 1115418, 1152219    

Description Martin Kosek 2014-06-05 15:29:02 UTC 
Description of problem:
This is a follow up to Bug 976308. FreeIPA public CRL file is no longer accessible to httpd due to SELinux AVC and thus it's users cannot download the certificate revocation list.

AVC:
# ausearch -m avc -ts today
----
time->Wed Jun  4 22:55:08 2014
type=SYSCALL msg=audit(1401936908.044:93): arch=c000003e syscall=6 success=no exit=-13 a0=7fbc53520710 a1=7fffb68175d0 a2=7fffb68175d0 a3=0 items=0 ppid=2047 pid=2056 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401936908.044:93): avc:  denied  { getattr } for  pid=2056 comm="httpd" path="/var/lib/ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Wed Jun  4 22:55:08 2014
type=SYSCALL msg=audit(1401936908.043:92): arch=c000003e syscall=4 success=no exit=-13 a0=7fbc53520610 a1=7fffb68175d0 a2=7fffb68175d0 a3=7fbc473b5752 items=0 ppid=2047 pid=2056 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401936908.043:92): avc:  denied  { search } for  pid=2056 comm="httpd" name="ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir


/var/log/httpd/error_log:
[Wed Jun 04 22:55:08.044848 2014] [core:error] [pid 2056] (13)Permission denied: [client 10.16.78.67:49357] AH00035: access to /ipa/crl/MasterCRL.bin denied (filesystem path '/var/lib/ipa') because search permissions are missing on a component of the path

# ls -lZd /var/
drwxr-xr-x. root root system_u:object_r:var_t:s0       /var/
# ls -lZd /var/lib
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0   /var/lib
# ls -lZd /var/lib/ipa
drwxr-xr-x. root root system_u:object_r:ipa_var_lib_t:s0 /var/lib/ipa
# ls -lZd /var/lib/ipa/pki-ca/
drwxr-xr-x. root root system_u:object_r:ipa_var_lib_t:s0 /var/lib/ipa/pki-ca/
# ls -lZd /var/lib/ipa/pki-ca/publish/
drwxrwxr-x. root pkiuser system_u:object_r:pki_tomcat_cert_t:s0 /var/lib/ipa/pki-ca/publish/
# ls -lZ /var/lib/ipa/pki-ca/publish/MasterCRL.bin 
lrwxrwxrwx. root root system_u:object_r:pki_tomcat_cert_t:s0 /var/lib/ipa/pki-ca/publish/MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20140605-111951.der



Version-Release number of selected component (if applicable):
ipa-server-3.3.3-28.el7.x86_64
httpd-2.4.6-17.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch

I reproduced this issue also in Fedora 20 (selinux-policy-3.12.1-166.fc20.noarch)

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server package
2. Configure FreeIPA server: ipa-server-install
3. Download CRL: wget http://`hostname`/ipa/crl/MasterCRL.bin

Actual results:
HTTP request sent, awaiting response... 403 Forbidden

Expected results:
2014-06-05 17:24:54 (30.4 MB/s) - ‘MasterCRL.bin’ saved [408/408]

Additional info:
Comment 1 Martin Kosek 2014-06-05 15:39:21 UTC 
I would consider this a regression given CRL could be downloaded in RHEL-6 (though only via https):

$ wget https://`hostname`/ipa/crl/MasterCRL.bin --no-check-certificate
selinux-policy-3.7.19-231.el6_5.3.noarch
ipa-server-3.0.0-37.el6.x86_64
Comment 4 Miroslav Grepl 2014-06-06 08:03:09 UTC 
What are you getting in permissive mode?
Comment 5 Martin Kosek 2014-06-06 10:25:22 UTC 
Hmm, actually I get no AVC when in permissive mode:

# setenforce 0
# wget http://`hostname`/ipa/crl/MasterCRL.bin
2014-06-06 06:20:54 (51.3 MB/s) - ‘MasterCRL.bin’ saved [414/414]
# ausearch -m avc -ts today
<no matches>

This changes when I enable enforcing mode:

# setenforce 1
# wget http://`hostname`/ipa/crl/MasterCRL.bin
2014-06-06 06:21:36 ERROR 403: Forbidden.
# ausearch -m avc -ts today
----
time->Fri Jun  6 06:21:36 2014
type=SYSCALL msg=audit(1402050096.299:407): arch=c000003e syscall=4 success=no exit=-13 a0=7fd163cbc7c0 a1=7fff1058a1a0 a2=7fff1058a1a0 a3=7fd158642752 items=0 ppid=5172 pid=5995 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1402050096.299:407): avc:  denied  { search } for  pid=5995 comm="httpd" name="ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Fri Jun  6 06:21:36 2014
type=SYSCALL msg=audit(1402050096.299:408): arch=c000003e syscall=6 success=no exit=-13 a0=7fd163cbc8c0 a1=7fff1058a1a0 a2=7fff1058a1a0 a3=0 items=0 ppid=5172 pid=5995 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1402050096.299:408): avc:  denied  { getattr } for  pid=5995 comm="httpd" path="/var/lib/ipa" dev="dm-1" ino=1527033 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir


I got no AVC in permissive mode even when I disabled noaudit with
# semodule -DB
Comment 6 Miroslav Grepl 2014-06-06 12:19:58 UTC 
I see we have

httpd_manage_ipa 

boolean. Probably it should be a part of this boolean. Or do we want to allow it by default?
Comment 7 Martin Kosek 2014-06-09 07:19:42 UTC 
I am personally OK with both options, we turn on httpd_manage_ipa during FreeIPA installation. It depends what is the semantics of this sebool.

Given the man page description of the sebool

"If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean."

I would say yes - it should be part of the boolean.
Comment 8 Martin Kosek 2014-07-02 10:17:35 UTC 
This issue is still present also in Fedora 20, I will clone the bug.
Comment 10 Lukas Vrabec 2014-07-02 12:35:01 UTC 
Link for selinux-policy package with fix:
http://koji.fedoraproject.org/koji/buildinfo?buildID=541542
Comment 11 Petr Viktorin (pviktori) 2014-07-04 17:02:57 UTC 
Spec fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5434851efd394c27ab6445a4b7544767452e20a5
Comment 12 Martin Kosek 2014-07-04 18:01:29 UTC 
Restoring the state back to ASSIGNED - Petr did not notice this is a selinux-policy bug, not ipa one.
Comment 13 Miroslav Grepl 2014-07-14 09:04:43 UTC 
commit 0293b601ec803a1e2b6ec1b8c1e6e40950bafa78
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jul 2 12:53:45 2014 +0200

    Allow apache to search ipa lib files by default
Comment 18 errata-xmlrpc 2015-03-05 10:39:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html