Bug 1155304 - SELinux is preventing httpd from read access on the key Unknown (during FreeIPA deployment via rolekit, F21 Beta TC4)
Summary: SELinux is preventing httpd from read access on the key Unknown (during FreeI...
Keywords:
Status: CLOSED DUPLICATE of bug 1155301
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: F21BetaBlocker
 
Reported: 2014-10-21 21:14 UTC by Adam Williamson
Modified: 2014-10-22 14:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-22 14:58:52 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1155301 0 unspecified CLOSED SELinux denies certmonger dbus requests during FreeIPA deployment with rolekit 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1155329 0 unspecified CLOSED SELinux is preventing named from create access on the file DNS_25 (during FreeIPA deployment via rolekit, F21 Beta TC4) 2021-02-22 00:41:40 UTC

Internal Links: 1155301 1155329

Description Adam Williamson 2014-10-21 21:14:01 UTC
This is another SELinux denial encountered when deploying FreeIPA via rolekit in Fedora 21 Beta TC4, following https://fedorahosted.org/rolekit/wiki/DomainController .

SELinux is preventing httpd from read access on the key Unknown.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that httpd should be allowed read access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:48 PDT
Last Seen                     2014-10-21 13:34:48 PDT
Local ID                      9c444489-fd41-4345-a831-0aedca4e1cd1
 
Raw Audit Messages
type=AVC msg=audit(1413923688.483:574): avc:  denied  { read } for  pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1

There is a matching denial for { write }:

SELinux is preventing httpd from write access on the key Unknown.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that httpd should be allowed write access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:48 PDT
Last Seen                     2014-10-21 13:34:48 PDT
Local ID                      f302b7c6-17b2-416e-9ceb-c02b53280093
 
Raw Audit Messages
type=AVC msg=audit(1413923688.508:575): avc:  denied  { write } for  pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
 
 
Hash: httpd,httpd_t,unconfined_service_t,key,write

Log messages around this time:

Oct 21 13:34:45 ipa001.domain.local roled[3817]: 2014-10-21 13:34:45 ERROR: ipa         : DEBUG    args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'domain.local' '--server' 'ipa001.domain.local' '--realm' 'DOMAIN.LOCAL' '--hostname' 'ipa001.domain.local'
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00000000 utils.c:87:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00027921 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003571 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003844 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003981 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00057417 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003654 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005025 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00006426 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004724 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004551 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005456 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004838 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 01913391 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00007573 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00006100 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005847 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005779 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00081112 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004950 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004485 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004236 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004164 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:51 ipa001.domain.local kernel: traps: nsupdate[6430] trap stack segment ip:7f4f28fbb64f sp:7f4f246fe0d0 error:0
Oct 21 13:34:52 ipa001.domain.local abrt-hook-ccpp[6431]: Saved core dump of pid 6427 (/usr/bin/nsupdate) to /var/tmp/abrt/ccpp-2014-10-21-13:34:51-6427 (44654592 bytes)

I'm not sure of the exact consequences of this denial: I hit it in Permissive mode, and can't test in Enforcing because the deployment will fail earlier due to #1155301. Nominating as a Beta blocker on the possibility that it may cause deployment to fail:

"Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
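
The substance of this report is the pair of raw AVC records (read and write on a kernel key, httpd_t -> unconfined_service_t) and the setroubleshoot suggestion to pipe them through audit2allow. The Python below is an added example, not part of the bug report and not audit2allow's own code: it parses AVC records of that shape into structured fields, merges the two denials into the single allow rule audit2allow would emit for them (so an administrator can review the rule before loading any module), and separates records logged with permissive=1, which is what the reporter hit and which would become hard failures once the domain is enforcing. The two httpd records are quoted from the report; the SYSCALL line and the sample_svc_t record are constructed for the example.

```python
"""Parse raw SELinux AVC denial records and aggregate them into the allow
rules audit2allow would generate, keeping track of permissive-mode hits."""
import re
from collections import defaultdict

# Sample audit log: first two AVC lines are the ones quoted in the report;
# the SYSCALL line and the sample_svc_t record are constructed for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1413923688.483:574): avc:  denied  { read } for  pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1413923688.508:575): avc:  denied  { write } for  pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=SYSCALL msg=audit(1413923688.508:575): arch=c000003e syscall=250 success=yes exit=0
type=AVC msg=audit(1413923700.000:600): avc:  denied  { open } for  pid=7001 comm="sample_svc" path="/etc/sample.conf" scontext=system_u:system_r:sample_svc_t:s0 tcontext=system_u:object_r:sample_conf_t:s0 tclass=file permissive=0
"""

# Shape of an AVC record: header with timestamp:serial, the denied permission
# set in braces, then key=value pairs (some values are double-quoted).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but still allowed to proceed
        'permissive': fields.get('permissive') == '1',
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec is None:
            continue
        rules[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def to_allow_rules(rules):
    """Render the grouped denials as audit2allow-style allow rules."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if len(perms) == 1:
            out.append(f'allow {src} {tgt}:{cls} {next(iter(perms))};')
        else:
            out.append(f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};')
    return out


def would_block_in_enforcing(lines):
    """Records logged under permissive mode: the access went through, but the
    same request is refused once the domain is enforcing, so each still needs
    triage (report as a policy bug, or a reviewed local module)."""
    return [r for r in map(parse_avc, lines) if r and r['permissive']]


if __name__ == '__main__':
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in to_allow_rules(summarize(lines)):
        print(rule)
    for rec in would_block_in_enforcing(lines):
        print(f"permissive hit: {rec['comm']} (pid {rec['pid']}) "
              f"{sorted(rec['perms'])} on {rec['tclass']} serial {rec['serial']}")
```

Run against a real file with `python3 avc_summary.py < /var/log/audit/audit.log` after swapping the constructed sample for `sys.stdin`; the generated rule is the thing to inspect before running the `audit2allow -M` / `semodule -i` steps, since a module built from a catchall grep grants exactly whatever was denied, whether or not that access is appropriate.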

Comment 1 Miroslav Grepl 2014-10-22 14:58:52 UTC

*** This bug has been marked as a duplicate of bug 1155301 ***

