Bug 1240223 - Prosody SELinux policy with GSS-API
Summary: Prosody SELinux policy with GSS-API
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-06 09:23 UTC by baptiste.peugnez
Modified: 2015-11-19 10:38 UTC

Fixed In Version: selinux-policy-3.13.1-35.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:38:46 UTC
Target Upstream Version:
Embargoed:
lvrabec: needinfo-


Attachments
ausearch permissive selinux prosody with gss-api (37.08 KB, text/x-vhdl)
2015-07-07 09:26 UTC, baptiste.peugnez


Links
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description baptiste.peugnez 2015-07-06 09:23:18 UTC
Description of problem:

Several avc:denied when running prosody-0.9.8-1.el7.x86_64 with GSS-API

Version-Release number of selected component (if applicable):

prosody-0.9.8-1.el7.x86_64
selinux-policy-3.13.1-23.el7_1.8.noarch

(OS : CentOS Linux release 7.1.1503 (Core))

How reproducible:

-Configure the service with GSS-API:

vim /etc/prosody/prosody.cfg.lua
--authentication = "internal_plain"
authentication = "cyrus" -- 0.8+
sasl_backend = "cyrus" -- 0.7
cyrus_service_name = "xmpp" -- Optional, defaults to "xmpp"

vim /etc/sasl2/prosody.conf
pwcheck_method: saslauthd
mech_list: PLAIN gssapi

-Keytab:
cp /lib/systemd/system/prosody.service /etc/systemd/system/prosody.service
vim /etc/systemd/system/prosody.service
...
[Service]
EnvironmentFile=-/etc/sysconfig/prosody
... 
vim /etc/sysconfig/prosody
KRB5_KTNAME=FILE:/etc/prosody/prosody.keytab

-systemctl start prosody

Steps to Reproduce:
1. yum install prosody
2. Configure the service with GSS-API
3. systemctl start prosody

Actual results:

SELinux prevents certain operations needed to get prosody running.
/var/log/prosody/ : https://bugzilla.redhat.com/show_bug.cgi?id=1221587
/var/tmp/xmpp_* : for Kerberos/GSS-API

Expected results:

SELinux lets Prosody run normally.

Additional info:

prosody-gss.te file coming from audit2allow

Please note the policy references logrotate_t because we manually changed
the log type to prosody_var_run_t as a workaround for bz #1221587

I don't have access to the policy changes you made for rhel 7.2 but you
might want to check if logrotate_t has access to prosody_log_t


module prosody-gss 1.0;

require {
    type prosody_var_run_t;
    type logrotate_t;
    type var_log_t;
    type tmp_t;
    type prosody_t;
    class capability { dac_read_search dac_override };
    class dir { write add_name remove_name };
    class file { read write create open unlink };
}

#============= prosody_t ==============
allow prosody_t self:capability { dac_read_search dac_override };
allow prosody_t tmp_t:dir { write add_name remove_name };
allow prosody_t tmp_t:file { write create open unlink };
allow prosody_t var_log_t:file { open read };

#============= logrotate_t ==============
allow logrotate_t prosody_var_run_t:file write;
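As an added example (not from the bug report, its attachment, or the selinux-policy project): a small Python parser that groups ausearch-style AVC records into candidate allow rules the way audit2allow does, and additionally flags rules whose target is a generic type such as tmp_t or var_log_t, since those usually point at mislabelled files rather than at a genuinely missing rule. The AVC records below are constructed to resemble the denials listed in this report; the regular expression, helper names and the list of "broad" types are assumptions of this example.

```python
"""Summarize SELinux AVC denials into candidate allow rules.

Added example (not from the bug report or from selinux-policy): does for
ausearch-style AVC records what audit2allow does, so a reviewer can see
exactly which (source type, target type, class, permission) tuples a
generated module would grant before loading it.
"""
import re
from collections import defaultdict

# Constructed sample records in the format produced by `ausearch -m avc -i`;
# illustrative only, not the contents of the bug's attachment.
SAMPLE_AVCS = """\
type=AVC msg=audit(07/07/2015 11:20:01.123:4567) : avc:  denied  { write } for  pid=1234 comm=lua scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/07/2015 11:20:01.123:4568) : avc:  denied  { add_name } for  pid=1234 comm=lua name=xmpp_0 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/07/2015 11:20:01.124:4569) : avc:  denied  { create } for  pid=1234 comm=lua name=xmpp_0 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/07/2015 11:20:01.124:4570) : avc:  denied  { read open } for  pid=1234 comm=lua path=/var/log/prosody/prosody.log scontext=system_u:system_r:prosody_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/07/2015 11:20:01.125:4571) : avc:  denied  { dac_override } for  pid=1234 comm=lua capability=1 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=capability permissive=1
"""

# Assumed record layout: "{ perms }" followed later by scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field (third colon-separated component) of a context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL or PATH lines)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render grouped denials as policy `allow` statements, audit2allow-style."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {target}:{cls} {perm_str};")
    return out


def broad_target_rules(rules, broad=("tmp_t", "var_log_t", "var_t", "etc_t")):
    """Return keys whose target is a generic type (assumed list): such rules
    usually mean the files carry the wrong label and need a file context plus
    restorecon, not a new allow rule in the domain's policy."""
    return [key for key in rules if key[1] in broad]


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AVCS)
    for rule in to_allow_rules(parsed):
        print(rule)
    for src, tgt, cls in broad_target_rules(parsed):
        print(f"# review: {src} -> {tgt} ({cls}) targets a generic type; check labels first")
```

Run against a real `ausearch -m avc -i` dump, the rendered rules match what audit2allow proposes, while the flagged entries are the ones to question before loading a module: a prosody_t rule against var_log_t, as in this report, is the kind of grant that a dedicated log type makes unnecessary.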

Comment 2 Milos Malik 2015-07-07 07:57:01 UTC
Could you provide the list of SELinux denials which appear when you run the scenario in enforcing and in permissive mode?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.

Comment 3 baptiste.peugnez 2015-07-07 09:26:09 UTC
Created attachment 1049189 [details]
ausearch permissive selinux prosody with gss-api

Comment 4 baptiste.peugnez 2015-07-07 09:38:20 UTC
I uploaded the file with the list of SELinux denials in permissive mode.

997 here is the uid of the prosody user and could change on another
system.

We can also change the location of the kerberos replay cache file
through the KRB5RCACHEDIR environment variable
e.g. KRB5RCACHEDIR=/var/run/prosody

The tmp_t accesses needed are the same as for any GSS-API enabled
application (dovecot, postfix, ...). What is the recommendation for these?

Comment 5 Lukas Vrabec 2015-07-18 18:18:48 UTC
commit eaf09a7880e465b25d3d3519088d693a5ad7a624
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 20:09:23 2015 +0200

    Allow prosody to create own tmp files/dirs.

Comment 6 Lukas Vrabec 2015-07-18 20:00:46 UTC
commit e67958120f2612ca9edc113a639016099440cf48
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 21:58:34 2015 +0200

    Add prosody_stream_connect() interface.

Comment 7 Lukas Vrabec 2015-07-18 20:14:42 UTC
commit cca55bbc335dfa44564e3fa7e8ce1f8a6b06d7c2
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 22:05:35 2015 +0200

    Allow stream connect logrotate to prosody.

Comment 8 Lukas Vrabec 2015-07-18 20:18:27 UTC
Added related rules. 

Could you attach output: 
$ ls -Z /var/log/prosody

Thank you.

Comment 9 Lukas Vrabec 2015-07-23 11:38:44 UTC
Any update here?

Comment 10 Dominique Martinet 2015-07-23 11:46:22 UTC
Sorry, Baptiste is off for a while and I've been slacking

We have this kind of files:
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150705.gz
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150705.gz-20150719
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150712-20150719
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150712.gz
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.debug-20150720
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.err
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.err-20150710
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.err-20150710-20150720
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log-20150705.gz
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log-20150705.gz-20150719
-rw-r-----. prosody prosody unconfined_u:object_r:var_log_t:s0 prosody.log-20150720

(... that logrotate configuration is apparently also screwed up)

We have a local policy that gives prosody access to var_log_t, but as said in the bug report bz #1221587 should have fixed that (by adding prosody_log_t)

Is there anywhere we can get an updated version until redhat 7.2 gets out?

Comment 11 Lukas Vrabec 2015-07-23 14:08:48 UTC
Thank you, 
Please use:
# restorecon -R -v /var/log/prosody 

And then try to reproduce this issue. This should fix the problem with this rule:
allow prosody_t var_log_t:file { open read };

This means all related rules were added. Moving to Modified.

Comment 12 Dominique Martinet 2015-07-23 16:09:40 UTC
"restorecon -R -v /var/log/prosody" doesn't do anything since the policy currently available for rhel 7 (3.13.1-23.el7_1.8) still has these files as var_log_t.

I'm not quite sure why that log rule happened, please ignore it for now, it's just all a big mess because there's nowhere where we can get the selinux updates from both bz.
I had to look at the latest fedora koji builds to get an srpm after the appropriate changelogs (with the messages you posted here), and run a diff of both rpmbuild-prepared directories to look for what has actually been done...


Anyway, I'm not quite sure why you had to add a prosody_stream_connect interface and use it with logrotate_t (since the logrotate configuration uses systemctl reload), I guess we weren't clear with the original point about having to check if logrotate had been updated?

Comment 13 Lukas Vrabec 2015-07-24 08:45:06 UTC
Do you have AVC related to this rule? 
allow logrotate_t prosody_var_run_t:file write;

Comment 14 Dominique Martinet 2015-07-24 08:55:33 UTC
The files are currently var_log_t with an exception to prosody_t to write to them until we can upgrade the policy (either rebuilding ourselves or update made available)

Now I looked at the update from the previous ticket I think it'll work (logging_log_file should do it), it's just hard to tell what's done with a commit message when we don't have access to the repository...


Anyway, I think what we reported should have been fixed now and I'll re-open a ticket if something is missing after the update is available, unless you have a way for us to test selinux-policy-3.13.1-35.el7 earlier.

Thank you,
-- 
Dominique

Comment 16 Lukas Vrabec 2015-07-27 10:30:35 UTC
I tested this on my system, it looks good. 

[root@ibm-x3650m4-01-vm-09 prosody]# ls -Z 
-rw-r-----. prosody prosody system_u:object_r:prosody_log_t:s0 prosody.err
-rw-r-----. prosody prosody system_u:object_r:prosody_log_t:s0 prosody.log
[root@ibm-x3650m4-01-vm-09 prosody]# pwd
/var/log/prosody

Comment 19 errata-xmlrpc 2015-11-19 10:38:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

