Bug 1227542 - [SELinux] AVC denials may appear when kadmind starts
Summary: [SELinux] AVC denials may appear when kadmind starts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: All
OS: All
high
high
Target Milestone: ---
Assignee: Roland Mainz
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-03 00:55 UTC by Roland Mainz
Modified: 2015-09-08 17:27 UTC (History)
10 users (show)

Fixed In Version: krb5-1.13.2-3.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of: 1222903
Environment:
Last Closed: 2015-06-21 00:18:42 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Roland Mainz 2015-06-03 00:55:55 UTC
+++ This bug was initially created as a clone of Bug #1222903 +++

Description of problem:
After krb5 rebase to krb5-1.13.2-1.el7 when kadmind starts AVC denials appear from time to time:

type=SYSCALL msg=audit(05/19/2015 12:19:54.682:663) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xe a1=0x7fff04eac580 a2=0x1c a3=0x7fff04eac510 items=0 ppid=10156 pid=10159 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2015 12:19:54.682:663) : avc:  denied  { name_bind } for  pid=10159 comm=kadmind src=61443 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 


Version-Release number of selected component (if applicable):
krb5-1.13.2-1.el7
but krb5-1.13.1-1.el7 too

How reproducible:
AVCs appears in about every 2nd start

Steps to Reproduce:
1. Just start kadmind and check AVCs

strace revealed some details about the bids that causes the AVCs:

# date
Tue May 19 13:49:08 CEST 2015
# strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep -e socket -e bind
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 9
bind(9, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 10
bind(10, {sa_family=AF_INET6, sin6_port=htons(464), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 11
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 11
bind(11, {sa_family=AF_INET6, sin6_port=htons(464), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 12
bind(12, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 13
bind(13, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
bind(13, {sa_family=AF_INET, sin_port=htons(30722), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument)
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 14
bind(14, {sa_family=AF_INET6, sin6_port=htons(749), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
bind(14, {sa_family=AF_INET6, sin6_port=htons(30978), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument)
#
# ausearch -i -m avc -ts 13:49:08
----
type=SYSCALL msg=audit(05/19/2015 13:49:11.387:762) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xd a1=0x7fff266ecc10 a2=0x10 a3=0x7fff266ec8b0 items=0 ppid=876 pid=880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2015 13:49:11.387:762) : avc:  denied  { name_bind } for  pid=880 comm=kadmind src=30722 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----
type=SYSCALL msg=audit(05/19/2015 13:49:11.388:763) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xe a1=0x7fff266ecc10 a2=0x1c a3=0x7fff266ecba0 items=0 ppid=876 pid=880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2015 13:49:11.388:763) : avc:  denied  { name_bind } for  pid=880 comm=kadmind src=30978 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
#

In this case the AVCs were caused by bind attempt to ports: 30722 and 30978
Which fall into "unreserved_port_t":
# semanage port -l |grep unreserved_port_t
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535

It looks like kadmind somehow rotate the port numbers, what explains why there is AVC denial only from time to time:

# for i in `seq 0 10`; do killall kadmind; strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep bind |grep -ve 'htons(464)' -e 'htons(749)' -e 'htons(0)';sleep 1; done
bind(13, {sa_family=AF_INET, sin_port=htons(55042), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument)
bind(14, {sa_family=AF_INET6, sin6_port=htons(55298), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument)
bind(13, {sa_family=AF_INET, sin_port=htons(58370), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument)
bind(14, {sa_family=AF_INET6, sin6_port=htons(58626), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument)
bind(13, {sa_family=AF_INET, sin_port=htons(62722), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(62978), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(771), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(3843), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(4099), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(7171), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(7427), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(10499), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(10755), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(14851), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(15107), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(18179), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(18435), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(21507), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(21763), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
bind(13, {sa_family=AF_INET, sin_port=htons(24835), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(14, {sa_family=AF_INET6, sin6_port=htons(25091), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)


The previous version where the AVCs have newer appeared (krb5-1.12.2-14.el7), tries a similar bind but with narrower range of ports:

# rpm -q krb5-libs
krb5-libs-1.12.2-14.el7.x86_64
# for i in `seq 0 10`; do killall kadmind; strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep bind |grep -ve 'htons(464)' -e 'htons(749)' -e 'htons(0)';sleep 1; done
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(1005), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(1006), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(1022), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(1023), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(611), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(612), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
bind(14, {sa_family=AF_INET, sin_port=htons(624), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
bind(15, {sa_family=AF_INET, sin_port=htons(625), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
 ... snip

for which it looks like there is a dontaudit selinux policy, therefore no AVCs appear:

# sesearch -D -C -s kadmind_t -t kerberos_password_port_t -c tcp_socket |grep name_bind 
   dontaudit kadmind_t reserved_port_type : tcp_socket name_bind ; 
DT dontaudit kadmind_t defined_port_type : tcp_socket name_bind ; [ nis_enabled ]
DT dontaudit kadmind_t port_type : tcp_socket name_bind ; [ nis_enabled ]


The question is what are these bind attempts (I guess there are good reason for them) and why the range of port changed. If the change is expected I think the bug sould be forwarded to selinux-policy to add a policy for this case. But I think, first it should be checked if the change is not a regression in krb5 component.

--- Additional comment from Patrik Kis on 2015-05-19 08:25:10 EDT ---

IMO this is a regression, that will not cause problems with system operation, but there will annoying AVC denials. Customers will definitely notice it.

Add blocker for bug 1203889, which introduced this regression.

--- Additional comment from Roland Mainz on 2015-05-19 09:07:16 EDT ---

Mine... all Mine...
... taking bug myself...

... question:
pkis: Shouldn't this be fixed in the SELinux config somehow ?

--- Additional comment from Patrik Kis on 2015-05-19 10:13:13 EDT ---

(In reply to Roland Mainz from comment #3)
> Mine... all Mine...
> ... taking bug myself...
> 
> ... question:
> pkis: Shouldn't this be fixed in the SELinux config somehow ?

If the change in krb5 was intentional and these bind attempts are needed, then it should be fixed in selinux-policy.

--- Additional comment from Roland Mainz on 2015-05-19 15:41:21 EDT ---

(In reply to Patrik Kis from comment #4)
> (In reply to Roland Mainz from comment #3)
> > Mine... all Mine...
> > ... taking bug myself...
> > 
> > ... question:
> > pkis: Shouldn't this be fixed in the SELinux config somehow ?
> 
> If the change in krb5 was intentional and these bind attempts are needed,
> then it should be fixed in selinux-policy.

OK... I've discussed the issue with upstream:
There are two things going on here:
1. kadmind needs to create an RPC listener socket, but on a fixed port, which is not the way the RPC library usually thinks.
Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|, which just fails with |EINVAL| because the socket is already bound.  This is... erm... unelegant... but harmless except for triggering SELinux's security checks.

2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the wrong port numbers to be tried.
That's why the range of ports tried changes from krb5 1.12 to krb5 1.13.

Upstream will try to tackle [2] above, but [1] is definitely in SELinux's territory.

--- Additional comment from Patrik Kis on 2015-05-22 04:18:48 EDT ---

(In reply to Roland Mainz from comment #5)
> (In reply to Patrik Kis from comment #4)
> > (In reply to Roland Mainz from comment #3)
> > > Mine... all Mine...
> > > ... taking bug myself...
> > > 
> > > ... question:
> > > pkis: Shouldn't this be fixed in the SELinux config somehow ?
> > 
> > If the change in krb5 was intentional and these bind attempts are needed,
> > then it should be fixed in selinux-policy.
> 
> OK... I've discussed the issue with upstream:
> There are two things going on here:
> 1. kadmind needs to create an RPC listener socket, but on a fixed port,
> which is not the way the RPC library usually thinks.
> Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|,
> which just fails with |EINVAL| because the socket is already bound.  This
> is... erm... unelegant... but harmless except for triggering SELinux's
> security checks.
> 
> 2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the
> wrong port numbers to be tried.
> That's why the range of ports tried changes from krb5 1.12 to krb5 1.13.
> 
> Upstream will try to tackle [2] above, but [1] is definitely in SELinux's
> territory.

If I understand correctly the fix in krb5 will fix it's bug and the attempted ports will move back to the original range (i.e. 1-511 or similar). If this is the case we are ok, because this is already addressed in the current selinux-policy. If the ports range will be different, please let me know, we can discuss it with selinux devels.

One more question, is there an upstream ticket for this issue? Could you link it here?

--- Additional comment from Patrik Kis on 2015-05-22 10:30:05 EDT ---

(In reply to Roland Mainz from comment #7)
> Created attachment 1028666 [details]
> Prototype patch from krb5 1.13.3 development which fixes the unneeded
> |htons()| ...

Confirm the patch; according to my tests it fixes the issue. Thanks.

Comment 1 Roland Mainz 2015-06-03 01:43:13 UTC
Patch checked in and builds are available as krb5-1.13.2-2.fc22 and krb5-1.13.2-2.fc23 ...
... marking bug as MODIFIED.

Comment 2 Fedora Update System 2015-06-15 11:09:35 UTC
krb5-1.13.2-2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/krb5-1.13.2-2.fc22

Comment 3 Jan Pazdziora 2015-06-18 11:50:30 UTC
(In reply to Roland Mainz from comment #1)
> Patch checked in and builds are available as krb5-1.13.2-2.fc22 and
> krb5-1.13.2-2.fc23 ...
> ... marking bug as MODIFIED.

Attempts to start kadmind service during ipa-server-install leads to

  [1/2]: starting kadmin 
  [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1

and the cause seems to be

# /usr/sbin/_kadmind
-bash: /usr/sbin/_kadmind: cannot execute binary file: Exec format error

Comment 4 Patrik Kis 2015-06-18 12:50:02 UTC
(In reply to Jan Pazdziora from comment #3)
> (In reply to Roland Mainz from comment #1)
> > Patch checked in and builds are available as krb5-1.13.2-2.fc22 and
> > krb5-1.13.2-2.fc23 ...
> > ... marking bug as MODIFIED.
> 
> Attempts to start kadmind service during ipa-server-install leads to
> 
>   [1/2]: starting kadmin 
>   [error] CalledProcessError: Command ''/bin/systemctl' 'restart'
> 'kadmin.service'' returned non-zero exit status 1
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service''
> returned non-zero exit status 1
> 
> and the cause seems to be
> 
> # /usr/sbin/_kadmind
> -bash: /usr/sbin/_kadmind: cannot execute binary file: Exec format error

This is actually a different bug 1231834.

Comment 5 Fedora Update System 2015-06-18 13:25:52 UTC
Package krb5-1.13.2-2.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.13.2-2.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10087/krb5-1.13.2-2.fc22
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-06-19 17:17:01 UTC
krb5-1.13.2-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/krb5-1.13.2-3.fc22

Comment 7 Fedora Update System 2015-06-21 00:18:42 UTC
krb5-1.13.2-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.