Bug 1155329 - SELinux is preventing named from create access on the file DNS_25 (during FreeIPA deployment via rolekit, F21 Beta TC4)
Summary: SELinux is preventing named from create access on the file DNS_25 (during Fre...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F21BetaBlocker
 
Reported: 2014-10-21 21:39 UTC by Adam Williamson
Modified: 2014-10-28 21:49 UTC (History)

Fixed In Version: selinux-policy-3.13.1-90.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 21:49:46 UTC
Type: Bug
Embargoed:




Links
Red Hat Bugzilla 1155301 (Priority: unspecified, Status: CLOSED): SELinux denies certmonger dbus requests during FreeIPA deployment with rolekit. Last updated 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1155304 (Priority: unspecified, Status: CLOSED): SELinux is preventing httpd from read access on the key Unknown (during FreeIPA deployment via rolekit, F21 Beta TC4). Last updated 2021-02-22 00:41:40 UTC

Internal Links: 1155301 1155304

Description Adam Williamson 2014-10-21 21:39:30 UTC
This is another SELinux denial encountered when deploying FreeIPA via rolekit in Fedora 21 Beta TC4, following https://fedorahosted.org/rolekit/wiki/DomainController.

SELinux is preventing named from create access on the file DNS_25.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that named should be allowed create access on the DNS_25 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                DNS_25 [ file ]
Source                        named
Source Path                   named
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:50 PDT
Last Seen                     2014-10-21 13:34:50 PDT
Local ID                      d6fce4df-a924-47d1-994f-57d618e54c80
 
Raw Audit Messages
type=AVC msg=audit(1413923690.828:576): avc:  denied  { create } for  pid=6344 comm="named" name="DNS_25" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1
 
 
Hash: named,named_t,krb5_host_rcache_t,file,create

there is a corresponding denial for { open }:

SELinux is preventing named from open access on the file /var/tmp/DNS_25.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that named should be allowed open access on the DNS_25 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/DNS_25 [ file ]
Source                        named
Source Path                   named
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:50 PDT
Last Seen                     2014-10-21 13:34:50 PDT
Local ID                      a17f4b50-0a77-4be7-aa2f-5dc1c91524f2
 
Raw Audit Messages
type=AVC msg=audit(1413923690.829:577): avc:  denied  { open } for  pid=6344 comm="named" path="/var/tmp/DNS_25" dev="dm-2" ino=271063 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1
 
 
Hash: named,named_t,krb5_host_rcache_t,file,open

This denial occurs very close in time to the one from #1155304, and the relevant journal snippet is about the same:

Oct 21 13:34:45 ipa001.domain.local roled[3817]: 2014-10-21 13:34:45 ERROR: ipa         : DEBUG    args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'domain.local' '--server' 'ipa001.domain.local' '--realm' 'DOMAIN.LOCAL' '--hostname' 'ipa001.domain.local'
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00000000 utils.c:87:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00027921 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003571 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003844 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003981 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00057417 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003654 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005025 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00006426 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004724 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004551 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005456 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004838 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 01913391 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00007573 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00006100 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005847 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005779 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00081112 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004950 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004485 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004236 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004164 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:51 ipa001.domain.local kernel: traps: nsupdate[6430] trap stack segment ip:7f4f28fbb64f sp:7f4f246fe0d0 error:0
Oct 21 13:34:52 ipa001.domain.local abrt-hook-ccpp[6431]: Saved core dump of pid 6427 (/usr/bin/nsupdate) to /var/tmp/abrt/ccpp-2014-10-21-13:34:51-6427 (44654592 bytes)
Oct 21 13:34:53 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/tog-pegasus.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:53 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local abrt-server[6433]: Generating core_backtrace
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/tog-pegasus.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.timer is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Failed to reset devices.list on /system.slice: Invalid argument
Oct 21 13:34:55 ipa001.domain.local sssd[6521]: Starting up

I'm not sure of the exact consequences of this denial: I hit it in Permissive mode, and can't test in Enforcing because the deployment will fail earlier due to #1155301. Nominating as a Beta blocker on the possibility that it may cause deployment to fail:

"Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
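As an added illustration (not part of the bug report or of setroubleshoot), the following Python parses the two raw AVC records quoted above, derives the comm,source-type,target-type,class,permission key that setroubleshoot prints as "Hash" (format inferred from the two Hash lines in this report), and merges the denials into the single allow rule that audit2allow would generate from them. Reviewing the merged rule before loading a local module is the check a practitioner wants here: the eventual fix in selinux-policy was a targeted change, not a blanket local allow.

```python
import re
from collections import defaultdict

# The two AVC records copied from this bug report (constructed sample input).
AVC_LINES = [
    'type=AVC msg=audit(1413923690.828:576): avc:  denied  { create } for  pid=6344 comm="named" name="DNS_25" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1413923690.829:577): avc:  denied  { open } for  pid=6344 comm="named" path="/var/tmp/DNS_25" dev="dm-2" ino=271063 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1',
]

# Matches the fields of an avc: record; permissive= is optional (older kernels omit it).
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()            # "{ read write }" -> ["read", "write"]
    rec["stype"] = rec["scontext"].split(":")[2]    # user:role:TYPE:level -> TYPE
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"   # True: logged but not blocked
    return rec


def denial_hash(rec):
    """setroubleshoot-style key (assumed format): comm,source type,target type,class,perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])


def allow_rules(records):
    """Merge denials per (source type, target type, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for rec in records:
        if rec is not None and rec["result"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    recs = [parse_avc(line) for line in AVC_LINES]
    for rec in recs:
        print(denial_hash(rec), "(permissive)" if rec["permissive"] else "(enforced)")
    print("\n".join(allow_rules(recs)))
```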

Comment 1 Adam Williamson 2014-10-22 17:33:47 UTC
Discussed at 2014-10-22 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt. Accepted as a blocker per cited criterion - though it's hard to be sure if this actually prevents deployment since there are other selinux bugs 'in front' of it. We can re-vote if those are fixed and it turns out this one is only trivial.

Comment 2 Miroslav Grepl 2014-10-22 18:10:34 UTC
commit 21ad46cb843b032a756abd464ea7de1126f1e8f1
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 22 20:09:24 2014 +0200

    Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.

Comment 3 Fedora Update System 2014-10-22 22:01:29 UTC
selinux-policy-3.13.1-90.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21

Comment 4 Fedora Update System 2014-10-23 16:20:50 UTC
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).

Comment 5 Adam Williamson 2014-10-27 18:15:50 UTC
sgallagh reported success in verifying the fix with Beta RC1: marking as VERIFIED.

Comment 6 Fedora Update System 2014-10-28 21:49:46 UTC
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

