Bug 1243851 - mod_gnutls: cannot run with private keys outside its address space
Summary: mod_gnutls: cannot run with private keys outside its address space
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-07-16 13:13 UTC by Nikos Mavrogiannopoulos
Modified: 2015-10-19 21:09 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-151.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-10-19 21:09:27 UTC
Type: Bug

Attachments (Terms of Use)
log file (85.64 KB, text/plain)
2015-07-16 13:13 UTC, Nikos Mavrogiannopoulos
no flags Details
example mod_gnutls.conf (1.74 KB, text/plain)
2015-07-16 13:14 UTC, Nikos Mavrogiannopoulos
no flags Details
ausearch output (33.57 KB, text/plain)
2015-07-20 09:30 UTC, Nikos Mavrogiannopoulos
no flags Details
ausearch output in permissive mode (3.96 KB, text/plain)
2015-08-06 08:39 UTC, Nikos Mavrogiannopoulos
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1271501 0 unspecified CLOSED p11-kit utilizes libffi which cannot be used without executable+writable memory 2021-02-22 00:41:40 UTC

Description Nikos Mavrogiannopoulos 2015-07-16 13:13:57 UTC
Created attachment 1052688 [details]
log file

Description of problem:
The caml-crush-softhsm package provides an isolated security module which holds the private keys for processes like apache, allowing to use them but not access them.

mod_gnutls can take advantage of that module using PKCS #11, but unfortunately SELinux prevents that. The log file is attached.

This is an important limitation as it prevents raising the security bar in apache by removing the private keys from it (nginx for example works fine with exactly the same modules)

How reproducible:

1. Install caml-crush-softhsm
2. Add user apache to pkcs11proxy group
   # gpasswd -a apache pkcs11proxy
3. Generate a test certificate and private key (in cert.pem, key.pem)
4. Unlock pkcs11proxy
   # pkcs11proxyd-softhsm-ctl unlock
5. Write the certificate and key in the module
   (use the pin from /etc/pkcs11proxyd/pins.txt)

   # p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
   # p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login

6. Lock pkcs11proxy
   # pkcs11proxyd-softhsm-ctl lock

7. Verify the keys are in place:
  # p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"

8. Set the keys in a mod_gnutls.conf (attached)

9. systemctl restart httpd

Expected results:
Server runs.

Actual results:
Server doesn't run.

Comment 1 Nikos Mavrogiannopoulos 2015-07-16 13:14:27 UTC
Created attachment 1052689 [details]
example mod_gnutls.conf

Comment 2 Nikos Mavrogiannopoulos 2015-07-16 13:16:00 UTC
What is missing in the report is that you need to install mod_gnutls 0.7 in F22 to reproduce:

Comment 3 Lukas Vrabec 2015-07-20 08:25:55 UTC
Please attach output:
# ausearch -m AVC

Thank you.

Comment 4 Nikos Mavrogiannopoulos 2015-07-20 09:30:01 UTC
Created attachment 1053799 [details]
ausearch output

Comment 5 Miroslav Grepl 2015-08-05 15:00:57 UTC
(In reply to Nikos Mavrogiannopoulos from comment #4)
> Created attachment 1053799 [details]
> ausearch output

could you get also AVCs from permissive mode?


Comment 6 Nikos Mavrogiannopoulos 2015-08-06 08:39:43 UTC
Created attachment 1059795 [details]
ausearch output in permissive mode

Comment 7 Nikos Mavrogiannopoulos 2015-10-12 12:33:45 UTC
It seems that we cannot correctly fix this without handling #1265106 first, or fixing p11-kit [0]. The issue is that libffi requires writable and executable memory and that cannot be a sensible default for apache.

I believe Lucas has addressed all the issues preventing caml-crush to work with the selinux-policy, except the above which should be handled outside the policy. For that, I've currently blocked this bug on #1265106.

[0]. http://lists.freedesktop.org/archives/p11-glue/2015-September/000576.html

Comment 8 Lukas Vrabec 2015-10-13 11:58:15 UTC
Thank you Nikos, 
I totally agree with you, I added all issues except this one.

Comment 9 Lukas Vrabec 2015-10-13 14:24:15 UTC
Hi Nikos, 
I'm going to cherry-pick this policy also to F23. Can I switch this bug to MODIFIED, because selinux-policy is not blocked by this issue (#1265106). 
When will be something new we could discuss it here or in new bug. 

Comment 10 Nikos Mavrogiannopoulos 2015-10-14 07:46:05 UTC
Since the issues that could be handled in the policy are addressed feel free to close or set this bug to modified. I've opened (#1271501) to track the new issue discovered.

Comment 11 Lukas Vrabec 2015-10-14 11:41:10 UTC
Thank you Nikos!

Comment 12 Fedora Update System 2015-10-14 12:14:24 UTC
selinux-policy-3.13.1-151.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-4f58ef1352

Comment 13 Fedora Update System 2015-10-14 22:53:02 UTC
selinux-policy-3.13.1-151.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4f58ef1352

Comment 14 Fedora Update System 2015-10-19 21:09:19 UTC
selinux-policy-3.13.1-151.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.