Bug 1238163 - Add SELinux policy for IPA to allow calling out oddjobd-activated services
Summary: Add SELinux policy for IPA to allow calling out oddjobd-activated services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1242914
Reported: 2015-07-01 10:27 UTC by Alexander Bokovoy
Modified: 2015-11-19 10:38 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-32.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1238165
Environment:
Last Closed: 2015-11-19 10:38:39 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Alexander Bokovoy 2015-07-01 10:27:00 UTC
(this is the original message explaining the design and use case; mgrepl@ already has a policy in the works)

I'm implementing a feature in FreeIPA for which I'll need new SELinux
policy and I'd like to hear your suggestions how to design it.

Sorry in advance for the long prelude; it needs to be said to establish the
context.

For FreeIPA 4.2 we are adding support to establish one-way trust to
Active Directory. As a consequence of this, we need to change how
certain operations against AD LDAP are performed. Right now we are
using a feature of cross-realm Kerberos trust: we authenticate as
HTTP/ipa.master from within the Apache process and then talk to
ldap/ad.dc or to cifs/ad.dc services in AD.

With one-way trust we cannot use this approach anymore because there is
no cross-realm Kerberos trust from IPA to AD, only the other way around.
Instead, there is an object in AD LDAP which represents IPA and we have
to authenticate as this object.

Access to this object is highly regulated (by us) because possession of
the trust domain object (TDO) credentials impersonates the whole trust link.
Thus, we want to avoid authenticating as the TDO within the Apache process.

To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
by providing a helper script which is executed by oddjobd on request
from Apache:

Apache process sends d-bus request to oddjobd daemon. Oddjobd daemon
executes an IPA helper. IPA helper accesses /etc/samba/samba.keytab and
authenticates as cifs/ipa.master. It then fetches TDO
credentials from IPA LDAP and authenticates with them to AD DC. Once
operation is performed, it connects again to IPA LDAP and updates it.

Now, there are several moving parts here:

 1. /etc/samba/samba.keytab is root:root, 0600, unconfined_u:object_r:samba_etc_t:s0
    It is created by /usr/sbin/ipa-adtrust-install

 2. /var/lib/sss/keytabs/ad.test.keytab is root:root, 0600, unconfined_u:object_r:sssd_var_lib_t:s0
    It can be created by IPA helper or by SSSD, whoever runs into need
    of the keytab first. The name is dependent on the AD forest root
    name (ad.test in my case).

 3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755, unknown label so far.
    It is the IPA helper oddjobd daemon will be calling in response to Apache request.
    The helper is written in Python.

 4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used by the helper.
    They are root:root, 0600, unconfined_u:object_r:ipa_var_run_t:s0

 5. oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023 context.


Could you please add an SELinux policy that would allow the IPA
helper (3) to be executed by oddjobd, read from (1), read/write files (2) and (4),
and communicate with the LDAP server locally and the AD DC remotely.

Comment 2 Alexander Bokovoy 2015-07-03 14:19:59 UTC
I've found out that in addition to what we discovered, the following two rules are needed:

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_run_stickshift'
allow httpd_t oddjob_t:dbus send_msg;

#============= oddjob_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_run_stickshift'
allow oddjob_t httpd_t:dbus send_msg;

It would probably be better to add them directly to the policy.

Comment 3 Milos Malik 2015-07-03 15:06:27 UTC
Does it work better when you enable the httpd_run_stickshift boolean?

# setsebool httpd_run_stickshift on

Following command enables the boolean permanently (survives the reboot):

# setsebool -P httpd_run_stickshift on

Comment 4 Alexander Bokovoy 2015-07-03 21:39:57 UTC
It should work with it, yes, but I need fully working policy and Miroslav is working on that -- I'm documenting the parts that are discovered when I run my updated code for the helper.

Comment 5 Lukas Vrabec 2015-07-06 10:35:05 UTC
Mirek,

What's the state of this issue?

Comment 6 Alexander Bokovoy 2015-07-08 10:35:10 UTC
Current policy as developed by Mirek:

policy_module(myipa,1.0)

# Domain for the oddjobd-spawned IPA helper and the type its executable
# (/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, item 3) is labeled with
type ipa_helper_t;
type ipa_helper_exec_t;
domain_type(ipa_helper_t)
domain_obj_id_change_exemption(ipa_helper_t)
init_system_domain(ipa_helper_t, ipa_helper_exec_t)
# oddjob_t -> ipa_helper_t when oddjobd executes an ipa_helper_exec_t file
oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)

require{
    type unconfined_t;
    role unconfined_r;
    }

# Same transition when root (unconfined_t) runs the helper by hand
domtrans_pattern(unconfined_t,ipa_helper_exec_t,ipa_helper_t)
role unconfined_r types ipa_helper_t;


# Self permissions observed while running the helper
allow ipa_helper_t self:capability { dac_override };

allow ipa_helper_t self:process setfscreate;
allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;

kernel_read_system_state(ipa_helper_t)

# TCP to the AD DC's SMB/CIFS port
corenet_tcp_connect_smbd_port(ipa_helper_t)

# The helper is a Python script: interpreter and shell execution
corecmd_exec_bin(ipa_helper_t)
corecmd_exec_shell(ipa_helper_t)

dev_read_urand(ipa_helper_t)

auth_use_nsswitch(ipa_helper_t)

# (4) /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} (ipa_var_run_t) and IPA libraries
ipa_manage_pid_files(ipa_helper_t)
ipa_read_lib(ipa_helper_t)

logging_send_syslog_msg(ipa_helper_t)

# (1) /etc/samba/samba.keytab is samba_etc_t
optional_policy(`
    samba_read_config(ipa_helper_t)
')

# (2) /var/lib/sss/keytabs/<forest>.keytab is sssd_var_lib_t, created by the helper or by SSSD
optional_policy(`
    sssd_manage_lib_files(ipa_helper_t)
')

# Local IPA LDAP over its unix socket
optional_policy(`
    ldap_stream_connect(ipa_helper_t)
')

# memcached over its unix socket
optional_policy(`
    memcached_stream_connect(ipa_helper_t)
')


This policy lacks a few rules. Note that they are a bit different when you run the helper as root and as apache, because oddjobd actually knows about SELinux and propagates the context of the caller to the helper:

#============= httpd_t ==============
allow httpd_t ipa_helper_exec_t:file entrypoint;
allow httpd_t ipa_var_lib_t:file { read getattr open };
allow httpd_t ipa_var_run_t:dir { write remove_name add_name };
allow httpd_t ipa_var_run_t:file { write setattr read lock create unlink open };
allow httpd_t oddjob_t:fifo_file write;
allow httpd_t oddjob_t:process sigchld;

#============= oddjob_t ==============
allow oddjob_t httpd_t:process transition;

#============= ipa_helper_t ==============
allow ipa_helper_t ipa_var_lib_t:file { read getattr open };

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap
allow ipa_helper_t ldap_port_t:tcp_socket name_connect;
allow ipa_helper_t ldconfig_exec_t:file { read execute open execute_no_trans };

Comment 7 Alexander Bokovoy 2015-07-08 10:39:23 UTC
Two more elements after a clean run:
allow httpd_t sssd_var_lib_t:dir { write add_name };
allow httpd_t sssd_var_lib_t:file { write create setattr };

I don't like that there is httpd_t context propagation, though. I'd prefer to have everything under ipa_helper_t...
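
The allow lines in comments 2, 6 and 7 are audit2allow output: each AVC denial is reduced to source type, target type, object class and permission, then grouped by source domain. The following added example (not code from the bug, FreeIPA or selinux-policy) does the same reduction in Python over constructed audit lines that mirror the rules posted above; the timestamps, pids, inode and device numbers are made up. It also lists callers that were denied entrypoint on the helper's executable type, which means the caller executed the helper without leaving its own domain; that is the httpd_t propagation described in this comment. As with any audit2allow-style output, the generated rules describe what was denied, not what the policy should grant.

```python
"""Reduce raw AVC denials to audit2allow-style allow rules, grouped by source domain."""
import re
from collections import defaultdict

# Constructed sample modeled on the rules posted in comments 2 and 6. Timestamps,
# pids, inode and device numbers are made up; this is not the bug's real audit log.
# D-Bus denials arrive as USER_AVC records from dbus-daemon, kernel ones as AVC.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1435932000.101:4501): pid=702 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1435932000.105:4502): pid=702 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1435932000.201:4503): arch=c000003e syscall=59 success=no exit=-13 ppid=1170 pid=2210 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1435932000.201:4503): avc:  denied  { transition } for  pid=2210 comm="oddjobd" path="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains" dev="dm-0" ino=4711 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1435932000.201:4503): avc:  denied  { entrypoint } for  pid=2210 comm="oddjobd" path="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_helper_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1435932000.250:4504): avc:  denied  { read } for  pid=2210 comm="com.redhat.idm." dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1435932000.250:4504): avc:  denied  { open } for  pid=2210 comm="com.redhat.idm." dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=0
"""

# Matches both kernel AVC and dbus USER_AVC records; SYSCALL lines have no "avc: denied".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """user:role:type[:range] -> type; the type is always the third field."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def format_rules(rules):
    """Render like audit2allow: one '#===== domain =====' header per source type."""
    by_source = defaultdict(list)
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        by_source[src].append(f"allow {src} {tgt}:{cls} {perm};")
    out = []
    for src in sorted(by_source):
        out.append(f"#============= {src} ==============")
        out.extend(by_source[src])
        out.append("")
    return "\n".join(out).rstrip()


def domains_entering_without_transition(rules, exec_type):
    """Source domains denied 'entrypoint' on exec_type: they executed the helper
    without a domain transition, so the helper ran in the caller's own domain."""
    return sorted(src for (src, tgt, cls), perms in rules.items()
                  if tgt == exec_type and cls == "file" and "entrypoint" in perms)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    print(format_rules(denials))
    print("# ran helper in own domain:", domains_entering_without_transition(denials, "ipa_helper_exec_t"))
```

On a real host the same input comes from `ausearch -m AVC,USER_AVC -ts recent`, and `audit2allow -a` produces the grouped output directly; the value of doing it by hand is seeing that an entrypoint denial for httpd_t on ipa_helper_exec_t is a symptom of a missing transition, not a permission to grant.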

Comment 8 Alexander Bokovoy 2015-07-08 10:44:20 UTC
Looking into oddjobd code, I can see that it computes execution context based on the caller context and the context of the file:

client_secontext = oddjob_dbus_message_get_selinux_context(msg);
if (client_secontext == NULL) {
	/* Wha....? */
	exec_errno = 0xff;
	write(3, &exec_errno, 1);
	_exit(-1);
}
if (getfilecon(method->argv[0], &helper_context) == -1) {
	switch (errno) {
	/* Not there? */
	case ENOENT:
		exec_errno = errno;
		break;
	default:
		/* No label? */
		exec_errno = 0xfd;
		break;
	}
	write(3, &exec_errno, 1);
	_exit(-1);
}
if (security_compute_create((char *) client_secontext,
			    helper_context,
			    SECCLASS_PROCESS,
			    &exec_context) != 0) {
	/* Failed to compute exec context? */
	exec_errno = 0xfe;
	write(3, &exec_errno, 1);
	_exit(-1);
}
if (setexeccon(exec_context) == -1) {
	/* Failed to set exec context? */
	exec_errno = 0xfc;
	write(3, &exec_errno, 1);
	_exit(-1);
}

so it is possible to set a proper context transition in the policy. The helper has the following file context:

# ls -lZ /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains 
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7716 Jul  7 09:17 /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains
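
To see why the Apache path produces httpd_t denials while the root path does not, here is an added Python model (not oddjobd's or selinux-policy's code) of the security_compute_create() call quoted above for the process class, together with the permission checks the following execve() needs. The type_transition and allow rules are the assumed expansion of the domtrans_pattern() and oddjob_system_entry() macros in the module from comment 6 (both are taken here to transition into ipa_helper_t for ipa_helper_exec_t); HTTPD_TRANSITIONS adds a hypothetical httpd_t rule to show what changes when the caller's domain gets its own transition.

```python
"""Model of oddjobd's security_compute_create() and the execve() checks that follow."""

# Assumed expansion of domtrans_pattern(unconfined_t, ipa_helper_exec_t, ipa_helper_t)
# and oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t) from the comment 6 module.
# (caller domain, executable type) -> domain of the new process
TYPE_TRANSITIONS = {
    ("unconfined_t", "ipa_helper_exec_t"): "ipa_helper_t",
    ("oddjob_t", "ipa_helper_exec_t"): "ipa_helper_t",
}

# allow rules those two macros emit, as (source, target, class, permission)
ALLOW_RULES = set()
for _caller in ("unconfined_t", "oddjob_t"):
    ALLOW_RULES |= {
        (_caller, "ipa_helper_exec_t", "file", "execute"),
        (_caller, "ipa_helper_t", "process", "transition"),
        ("ipa_helper_t", "ipa_helper_exec_t", "file", "entrypoint"),
    }

# Hypothetical extra rule: transition Apache-initiated runs into ipa_helper_t too.
HTTPD_TRANSITIONS = {**TYPE_TRANSITIONS, ("httpd_t", "ipa_helper_exec_t"): "ipa_helper_t"}


def _type(context):
    """user:role:type[:range] -> type (always the third field)."""
    return context.split(":")[2]


def compute_create(client_context, file_context, transitions=TYPE_TRANSITIONS):
    """security_compute_create(client, file, SECCLASS_PROCESS) in miniature.

    For the process class the new context takes user, role and MLS range from the
    source (the D-Bus caller); the type comes from a matching type_transition rule
    or stays the caller's type when there is none. That default is how an httpd_t
    caller ends up with an httpd_t helper.
    """
    fields = client_context.split(":")
    new_type = transitions.get((fields[2], _type(file_context)), fields[2])
    return ":".join([fields[0], fields[1], new_type] + fields[3:])


def exec_checks(oddjob_context, exec_context, file_context):
    """Permissions oddjobd (src) needs to execve() the helper after setexeccon(exec_context)."""
    src, dst, ftype = _type(oddjob_context), _type(exec_context), _type(file_context)
    if src == dst:
        # no domain change: plain execute plus execute_no_trans on the file
        return [(src, ftype, "file", "execute"), (src, ftype, "file", "execute_no_trans")]
    return [
        (src, ftype, "file", "execute"),
        (src, dst, "process", "transition"),
        (dst, ftype, "file", "entrypoint"),
    ]


def missing_checks(client_context, oddjob_context, file_context,
                   transitions=TYPE_TRANSITIONS, allowed=ALLOW_RULES):
    """Checks the exec would fail under `allowed`; each one shows up as an AVC denial."""
    exec_context = compute_create(client_context, file_context, transitions)
    return [c for c in exec_checks(oddjob_context, exec_context, file_context)
            if c not in allowed]


if __name__ == "__main__":
    ODDJOB = "system_u:system_r:oddjob_t:s0-s0:c0.c1023"        # item 5 in the description
    HELPER = "system_u:object_r:ipa_helper_exec_t:s0"           # label from the ls -Z above
    for client in ("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
                   "system_u:system_r:httpd_t:s0"):
        print(client, "->", compute_create(client, HELPER))
        for s, t, c, p in missing_checks(client, ODDJOB, HELPER):
            print(f"  missing: allow {s} {t}:{c} {p};")
    print("with httpd_t transition:",
          missing_checks("system_u:system_r:httpd_t:s0", ODDJOB, HELPER, HTTPD_TRANSITIONS))
```

For the httpd_t caller the two missing checks are exactly the `allow oddjob_t httpd_t:process transition` and `allow httpd_t ipa_helper_exec_t:file entrypoint` lines from comment 6; for the unconfined_t caller nothing is missing, which matches the observation that the rules differ between running as root and as apache. On a live system `sesearch -T -s httpd_t -t ipa_helper_exec_t` (setools) shows whether the loaded policy carries a type_transition for that pair.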

Comment 11 Milos Malik 2015-10-14 13:41:10 UTC
Does your scenario work with the latest selinux-policy?

Comment 12 Alexander Bokovoy 2015-10-14 14:51:21 UTC
Yes, I believe it works now, at least looking at the testing of AD trust relationship done by IdM QE team.

Comment 13 Miroslav Grepl 2015-10-15 08:11:23 UTC
(In reply to Alexander Bokovoy from comment #12)
> Yes, I believe it works now, at least looking at the testing of AD trust
> relationship done by IdM QE team.

Thank you for testing.

Comment 16 errata-xmlrpc 2015-11-19 10:38:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

