Testing deployment of FreeIPA via Rolekit in Fedora 21 Beta TC4. To reproduce, install Beta TC4 from Server DVD and follow https://fedorahosted.org/rolekit/wiki/DomainController .

In /var/log/audit/audit.log I see these denials:

type=USER_AVC msg=audit(1413923153.653:461): pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1413923178.251:462): pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Getting the time stamps with ausearch, they coincide with this block in the journal. The first denial coincides with the last *successful* action (enabling of certmonger.service), which occurs before this block is shown, and the second denial occurs at the same time as this output block appears.

Oct 21 13:26:18 ipa001.domain.local roled[1265]: 2014-10-21 13:26:18 ERROR: ERROR:dbus.proxies:Introspect error on :1.22:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: ipa : DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 639, in run_script
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: return_value = main_function()
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/sbin/ipa-server-install", line 1095, in main
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: dm_password, subject_base=options.subject)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 484, in configure_instance
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: self.start_creation(runtime=210)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 367, in start_creation
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: method()
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1439, in configure_certmonger_renewal
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: return self._proxy_method(*args, **keywords)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/lib/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: **keywords)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: message, timeout)
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: ipa : DEBUG The ipa-server-install command failed, exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: Unexpected error - see /var/log/ipaserver-install.log for details:
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: <class 'rolekit.errors.RolekitError'>: COMMAND_FAILED: 256

As this causes FreeIPA deployment to fail, nominating as a Beta blocker bug per criterion: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried." https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
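Added example, not part of the report above and not rolekit, FreeIPA or certmonger code: a small Python script that parses the two USER_AVC records from the description, prints the allow rule audit2allow would derive from them, and lines each denial up against the journal by time. Its sample input is the two audit records copied from the report plus shortened copies of the two NoReply journal lines. It assumes the journal is in local time at UTC-7 (the offset that puts the second denial's epoch, 20:26:18 UTC, on the 13:26:18 journal line the reporter says it coincides with) and the year 2014. The point it makes: a USER_AVC is written by dbus-daemon acting as the SELinux userspace object manager for the bus, here refusing to deliver certmonger's method_return to the unconfined_service_t caller, and the caller learns nothing until libdbus's default 25 s reply timeout expires, which is why each NoReply in the journal lands about 25 s after its denial.

```python
"""Added example (not from the bug report): parse USER_AVC records, emit the
audit2allow-style rule they imply, and correlate each denial with the journal."""
import re
from datetime import datetime, timedelta, timezone

# Sample input: the two USER_AVC records from the report; journal lines are
# the report's two NoReply messages, shortened.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1413923153.653:461): pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1413923178.251:462): pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=3366 tpid=1876 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""
SAMPLE_JOURNAL = """\
Oct 21 13:26:18 ipa001.domain.local roled[1265]: 2014-10-21 13:26:18 ERROR: ERROR:dbus.proxies:Introspect error on :1.22:/org/fedorahosted/certmonger: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Oct 21 13:26:43 ipa001.domain.local roled[1265]: 2014-10-21 13:26:43 ERROR: DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
"""
# Assumption: journal is local time at UTC-7, the offset that puts audit epoch
# 1413923178 (20:26:18 UTC) on the 13:26:18 journal line. Year is assumed too,
# since the short journal format carries neither.
LOCAL_TZ = timezone(timedelta(hours=-7))
JOURNAL_YEAR = 2014
DBUS_DEFAULT_TIMEOUT = timedelta(seconds=25)  # libdbus default reply timeout

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):")
AVC_RE = re.compile(r"msg='avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'\s*$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
JOURNAL_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: (?P<msg>.*)$")


def selinux_type(context):
    """user:role:type[:range] -> type (works for s0 and s0-s0:c0.c1023 alike)."""
    return context.split(":")[2]


def parse_user_avc(text):
    """USER_AVC records come from a userspace object manager (here dbus-daemon,
    exe=/usr/bin/dbus-daemon), not the kernel AVC; scontext/tcontext are the
    two bus peers, not dbus-daemon itself."""
    denials = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if not head or head.group("type") != "USER_AVC":
            continue
        avc = AVC_RE.search(line)
        if not avc:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group("rest"))}
        denials.append({
            "serial": int(head.group("serial")),
            "time": datetime.fromtimestamp(float(head.group("epoch")), tz=timezone.utc),
            "perms": avc.group("perms").split(),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "msgtype": fields.get("msgtype"),
            "exe": fields.get("exe"),
        })
    return denials


def allow_rules(denials):
    """The rule audit2allow would print: one per (source, target, class) with
    permissions merged. A local workaround only; the real fix in this bug is
    the selinux-policy update."""
    merged = {}
    for d in denials:
        merged.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def parse_journal(text, year=JOURNAL_YEAR, tz=LOCAL_TZ):
    """Short journal timestamps carry no year or zone; both are supplied."""
    entries = []
    for line in text.splitlines():
        m = JOURNAL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            entries.append((ts.replace(tzinfo=tz), m.group("msg")))
    return entries


def correlate(denials, journal, window=DBUS_DEFAULT_TIMEOUT + timedelta(seconds=5)):
    """For each denial, journal messages logged within `window` after it, with
    the delay in seconds. The bus drops a denied method_return silently, so the
    caller only notices when its reply timeout expires: expect about 25 s."""
    return [(d["serial"],
             [(round((ts - d["time"]).total_seconds(), 1), msg)
              for ts, msg in journal if d["time"] <= ts <= d["time"] + window])
            for d in denials]


if __name__ == "__main__":
    found = parse_user_avc(SAMPLE_AUDIT)
    for rule in allow_rules(found):
        print(rule)
    for serial, hits in correlate(found, parse_journal(SAMPLE_JOURNAL)):
        for delay, msg in hits:
            print(f"audit serial {serial} -> +{delay}s: {msg[:70]}")
```

On a live system, `ausearch -m USER_AVC -ts <time>` pulls the same records, and piping them through `audit2allow -M <name>` yields the same `allow certmonger_t unconfined_service_t:dbus send_msg;` as a loadable module. That is useful for confirming the diagnosis, but it is a local policy override; the accepted resolution of this bug is the selinux-policy-3.13.1-90.fc21 update tracked in the later comments.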
*** Bug 1155304 has been marked as a duplicate of this bug. ***
We need to get roled policy from another bug to F21.
Discussed at 2014-10-22 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt . Accepted as a blocker per criterion cited in description.
selinux-policy-3.13.1-90.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).
sgallagh reported success in verifying the fix with Beta RC1: marking as VERIFIED.
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.