+++ This bug was initially created as a clone of Bug #1222903 +++ Description of problem: After krb5 rebase to krb5-1.13.2-1.el7 when kadmind starts AVC denials appear from time to time: type=SYSCALL msg=audit(05/19/2015 12:19:54.682:663) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xe a1=0x7fff04eac580 a2=0x1c a3=0x7fff04eac510 items=0 ppid=10156 pid=10159 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/19/2015 12:19:54.682:663) : avc: denied { name_bind } for pid=10159 comm=kadmind src=61443 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket Version-Release number of selected component (if applicable): krb5-1.13.2-1.el7 but krb5-1.13.1-1.el7 too How reproducible: AVCs appears in about every 2nd start Steps to Reproduce: 1. Just start kadmind and check AVCs strace revealed some details about the bids that causes the AVCs: # date Tue May 19 13:49:08 CEST 2015 # strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep -e socket -e bind socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 9 bind(9, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 10 bind(10, {sa_family=AF_INET6, sin6_port=htons(464), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 11 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 11 bind(11, {sa_family=AF_INET6, sin6_port=htons(464), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 12 bind(12, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 13 bind(13, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 bind(13, {sa_family=AF_INET, sin_port=htons(30722), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument) socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 14 bind(14, {sa_family=AF_INET6, sin6_port=htons(749), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 bind(14, {sa_family=AF_INET6, sin6_port=htons(30978), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument) # # ausearch -i -m avc -ts 13:49:08 ---- type=SYSCALL msg=audit(05/19/2015 13:49:11.387:762) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xd a1=0x7fff266ecc10 a2=0x10 a3=0x7fff266ec8b0 items=0 ppid=876 pid=880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/19/2015 13:49:11.387:762) : avc: denied { name_bind } for pid=880 comm=kadmind src=30722 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket ---- type=SYSCALL msg=audit(05/19/2015 13:49:11.388:763) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xe a1=0x7fff266ecc10 a2=0x1c a3=0x7fff266ecba0 items=0 ppid=876 pid=880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=22 comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/19/2015 13:49:11.388:763) : avc: denied { name_bind } for pid=880 comm=kadmind src=30978 scontext=system_u:system_r:kadmind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket # In this case the AVCs were caused by bind attempt to ports: 30722 and 30978 Which fall into "unreserved_port_t": # semanage port -l |grep unreserved_port_t unreserved_port_t tcp 1024-32767, 61001-65535 unreserved_port_t udp 1024-32767, 61001-65535 It looks like kadmind somehow rotate the port numbers, what explains why there is AVC denial only from time to time: # for i in `seq 0 10`; do killall kadmind; strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep bind |grep -ve 'htons(464)' -e 'htons(749)' -e 'htons(0)';sleep 1; done bind(13, {sa_family=AF_INET, sin_port=htons(55042), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument) bind(14, {sa_family=AF_INET6, sin6_port=htons(55298), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument) bind(13, {sa_family=AF_INET, sin_port=htons(58370), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EINVAL (Invalid argument) bind(14, {sa_family=AF_INET6, sin6_port=htons(58626), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINVAL (Invalid argument) bind(13, {sa_family=AF_INET, sin_port=htons(62722), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(62978), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(771), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(3843), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(4099), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(7171), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(7427), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(10499), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(10755), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(14851), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(15107), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(18179), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(18435), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(21507), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(21763), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) bind(13, {sa_family=AF_INET, sin_port=htons(24835), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(14, {sa_family=AF_INET6, sin6_port=htons(25091), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied) The previous version where the AVCs have newer appeared (krb5-1.12.2-14.el7), tries a similar bind but with narrower range of ports: # rpm -q krb5-libs krb5-libs-1.12.2-14.el7.x86_64 # for i in `seq 0 10`; do killall kadmind; strace runcon -u system_u -r system_r -t kadmind_t /usr/sbin/kadmind |& grep bind |grep -ve 'htons(464)' -e 'htons(749)' -e 'htons(0)';sleep 1; done bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 bind(14, {sa_family=AF_INET, sin_port=htons(1005), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(15, {sa_family=AF_INET, sin_port=htons(1006), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 bind(14, {sa_family=AF_INET, sin_port=htons(1022), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(15, {sa_family=AF_INET, sin_port=htons(1023), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 bind(14, {sa_family=AF_INET, sin_port=htons(611), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(15, {sa_family=AF_INET, sin_port=htons(612), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(10, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 bind(14, {sa_family=AF_INET, sin_port=htons(624), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) bind(15, {sa_family=AF_INET, sin_port=htons(625), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied) ... snip for which it looks like there is a dontaudit selinux policy, therefore no AVCs appear: # sesearch -D -C -s kadmind_t -t kerberos_password_port_t -c tcp_socket |grep name_bind dontaudit kadmind_t reserved_port_type : tcp_socket name_bind ; DT dontaudit kadmind_t defined_port_type : tcp_socket name_bind ; [ nis_enabled ] DT dontaudit kadmind_t port_type : tcp_socket name_bind ; [ nis_enabled ] The question is what are these bind attempts (I guess there are good reason for them) and why the range of port changed. If the change is expected I think the bug sould be forwarded to selinux-policy to add a policy for this case. But I think, first it should be checked if the change is not a regression in krb5 component. --- Additional comment from Patrik Kis on 2015-05-19 08:25:10 EDT --- IMO this is a regression, that will not cause problems with system operation, but there will annoying AVC denials. Customers will definitely notice it. Add blocker for bug 1203889, which introduced this regression. --- Additional comment from Roland Mainz on 2015-05-19 09:07:16 EDT --- Mine... all Mine... ... taking bug myself... ... question: pkis: Shouldn't this be fixed in the SELinux config somehow ? --- Additional comment from Patrik Kis on 2015-05-19 10:13:13 EDT --- (In reply to Roland Mainz from comment #3) > Mine... all Mine... > ... taking bug myself... > > ... question: > pkis: Shouldn't this be fixed in the SELinux config somehow ? If the change in krb5 was intentional and these bind attempts are needed, then it should be fixed in selinux-policy. --- Additional comment from Roland Mainz on 2015-05-19 15:41:21 EDT --- (In reply to Patrik Kis from comment #4) > (In reply to Roland Mainz from comment #3) > > Mine... all Mine... > > ... taking bug myself... > > > > ... question: > > pkis: Shouldn't this be fixed in the SELinux config somehow ? > > If the change in krb5 was intentional and these bind attempts are needed, > then it should be fixed in selinux-policy. OK... I've discussed the issue with upstream: There are two things going on here: 1. kadmind needs to create an RPC listener socket, but on a fixed port, which is not the way the RPC library usually thinks. Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|, which just fails with |EINVAL| because the socket is already bound. This is... erm... unelegant... but harmless except for triggering SELinux's security checks. 2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the wrong port numbers to be tried. That's why the range of ports tried changes from krb5 1.12 to krb5 1.13. Upstream will try to tackle [2] above, but [1] is definitely in SELinux's territory. --- Additional comment from Patrik Kis on 2015-05-22 04:18:48 EDT --- (In reply to Roland Mainz from comment #5) > (In reply to Patrik Kis from comment #4) > > (In reply to Roland Mainz from comment #3) > > > Mine... all Mine... > > > ... taking bug myself... > > > > > > ... question: > > > pkis: Shouldn't this be fixed in the SELinux config somehow ? > > > > If the change in krb5 was intentional and these bind attempts are needed, > > then it should be fixed in selinux-policy. > > OK... I've discussed the issue with upstream: > There are two things going on here: > 1. kadmind needs to create an RPC listener socket, but on a fixed port, > which is not the way the RPC library usually thinks. > Apparently |svctcp_create()| unconditionally calls |bindresvport_sa()|, > which just fails with |EINVAL| because the socket is already bound. This > is... erm... unelegant... but harmless except for triggering SELinux's > security checks. > > 2. The krb5 1.13 release added a bug in |bindresvport_sa()| which caused the > wrong port numbers to be tried. > That's why the range of ports tried changes from krb5 1.12 to krb5 1.13. > > Upstream will try to tackle [2] above, but [1] is definitely in SELinux's > territory. If I understand correctly the fix in krb5 will fix it's bug and the attempted ports will move back to the original range (i.e. 1-511 or similar). If this is the case we are ok, because this is already addressed in the current selinux-policy. If the ports range will be different, please let me know, we can discuss it with selinux devels. One more question, is there an upstream ticket for this issue? Could you link it here? --- Additional comment from Patrik Kis on 2015-05-22 10:30:05 EDT --- (In reply to Roland Mainz from comment #7) > Created attachment 1028666 [details] > Prototype patch from krb5 1.13.3 development which fixes the unneeded > |htons()| ... Confirm the patch; according to my tests it fixes the issue. Thanks.
Patch checked in and builds are available as krb5-1.13.2-2.fc22 and krb5-1.13.2-2.fc23 ... ... marking bug as MODIFIED.
krb5-1.13.2-2.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/krb5-1.13.2-2.fc22
(In reply to Roland Mainz from comment #1) > Patch checked in and builds are available as krb5-1.13.2-2.fc22 and > krb5-1.13.2-2.fc23 ... > ... marking bug as MODIFIED. Attempts to start kadmind service during ipa-server-install leads to [1/2]: starting kadmin [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1 Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' returned non-zero exit status 1 and the cause seems to be # /usr/sbin/_kadmind -bash: /usr/sbin/_kadmind: cannot execute binary file: Exec format error
(In reply to Jan Pazdziora from comment #3) > (In reply to Roland Mainz from comment #1) > > Patch checked in and builds are available as krb5-1.13.2-2.fc22 and > > krb5-1.13.2-2.fc23 ... > > ... marking bug as MODIFIED. > > Attempts to start kadmind service during ipa-server-install leads to > > [1/2]: starting kadmin > [error] CalledProcessError: Command ''/bin/systemctl' 'restart' > 'kadmin.service'' returned non-zero exit status 1 > Unexpected error - see /var/log/ipaserver-install.log for details: > CalledProcessError: Command ''/bin/systemctl' 'restart' 'kadmin.service'' > returned non-zero exit status 1 > > and the cause seems to be > > # /usr/sbin/_kadmind > -bash: /usr/sbin/_kadmind: cannot execute binary file: Exec format error This is actually a different bug 1231834.
Package krb5-1.13.2-2.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing krb5-1.13.2-2.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-10087/krb5-1.13.2-2.fc22 then log in and leave karma (feedback).
krb5-1.13.2-3.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/krb5-1.13.2-3.fc22
krb5-1.13.2-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.