Created attachment 1052688 [details]
log file

Description of problem:
The caml-crush-softhsm package provides an isolated security module which holds the private keys for processes like apache, allowing them to use the keys but not to access them. mod_gnutls can take advantage of that module using PKCS #11, but unfortunately SELinux prevents that. The log file is attached.

This is an important limitation as it prevents raising the security bar in apache by removing the private keys from it (nginx for example works fine with exactly the same modules).

How reproducible:
1. Install caml-crush-softhsm
2. Add user apache to pkcs11proxy group
# gpasswd -a apache pkcs11proxy
3. Generate a test certificate and private key (in cert.pem, key.pem)
4. Unlock pkcs11proxy
# pkcs11proxyd-softhsm-ctl unlock
5. Write the certificate and key in the module (use the pin from /etc/pkcs11proxyd/pins.txt)
# p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
# p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
6. Lock pkcs11proxy
# pkcs11proxyd-softhsm-ctl lock
7. Verify the keys are in place:
# p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
8. Set the keys in a mod_gnutls.conf (attached)
9. systemctl restart httpd

Expected results:
Server runs.

Actual results:
Server doesn't run.
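The reproduction steps above, scripted with the check a practitioner wants when httpd fails to start (the AVC records). This is an added example for this thread, not code from the bug report, caml-crush or mod_gnutls. It assumes a Fedora host running as root with caml-crush-softhsm, gnutls-utils (p11tool) and openssl installed; the function names, the RUN_REPRO switch and the use of openssl for step 3 are this example's own choices. Step 8 (the mod_gnutls.conf attachment) is not on this page and is left to the reader.

```shell
#!/bin/sh
# Scripted reproduction of the bug report's steps. Added example; not part of
# the report, caml-crush or mod_gnutls. Set RUN_REPRO=1 to execute the steps;
# without it the file only defines the helper functions.
set -eu

# Percent-encode one PKCS#11 URI attribute value (RFC 7512). Encoding is
# conservative: everything outside A-Z a-z 0-9 . _ ~ - is escaped, which is
# always valid even though the RFC permits a few more characters unescaped.
pct_encode() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character of $s
        s=${s#?}               # the rest
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # POSIX: "'x" is x's code
        esac
    done
    printf '%s' "$out"
}

# Build the token URI used in the report from model, manufacturer and token
# label, so nobody hand-edits %20 escapes into the p11tool commands.
p11_uri() {
    printf 'pkcs11:model=%s;manufacturer=%s;token=%s' \
        "$(pct_encode "$1")" "$(pct_encode "$2")" "$(pct_encode "$3")"
}

# Step 3: a throwaway self-signed certificate and key for the test vhost
# (openssl is this example's choice; the report does not say how it was made).
generate_test_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=localhost' \
        -keyout "$1" -out "$2"
}

# Steps 4-7: unlock the proxy, write key and cert into the token, lock it
# again, then list the token and require both labels to be present.
# p11tool prompts for the user PIN (/etc/pkcs11proxyd/pins.txt); export
# GNUTLS_PIN beforehand to run unattended.
import_into_softtoken() {
    uri=$1 key=$2 cert=$3
    pkcs11proxyd-softhsm-ctl unlock
    p11tool --write --load-privkey "$key" --label server-key "$uri" --login
    p11tool --write --load-certificate "$cert" --label server-cert "$uri" --login
    pkcs11proxyd-softhsm-ctl lock
    # Fails (set -e) unless p11tool's "Label:" lines show both objects.
    p11tool --login --list-all "$uri" | grep -E 'Label: server-(key|cert)'
}

main() {
    uri=$(p11_uri 'SoftHSM v2' 'SoftHSM project' 'System softtoken')
    gpasswd -a apache pkcs11proxy                       # step 2
    generate_test_keypair key.pem cert.pem               # step 3
    import_into_softtoken "$uri" key.pem cert.pem        # steps 4-7
    # Step 9, plus the evidence the maintainers asked for when it fails.
    if ! systemctl restart httpd; then
        echo "httpd failed to start; AVC denials for httpd:" >&2
        ausearch -m AVC -c httpd -ts recent >&2 || true
        exit 1
    fi
}

if [ "${RUN_REPRO:-0}" = 1 ]; then
    main
fi
```

Usage: `RUN_REPRO=1 GNUTLS_PIN=... sh repro.sh` after installing mod_gnutls 0.7 and writing the mod_gnutls.conf; `p11_uri` reproduces the exact URI quoted in the steps, which is why the `%20` escapes in the report are correct as written.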
Created attachment 1052689 [details]
example mod_gnutls.conf
What is missing in the report is that you need to install mod_gnutls 0.7 in F22 to reproduce: https://admin.fedoraproject.org/updates/FEDORA-2015-11642/mod_gnutls-0.7-1.fc22
Hi,

Please attach output:

# ausearch -m AVC

Thank you.
Created attachment 1053799 [details]
ausearch output
(In reply to Nikos Mavrogiannopoulos from comment #4)
> Created attachment 1053799 [details]
> ausearch output

Nikos, could you also get AVCs from permissive mode? Thanks.
Created attachment 1059795 [details]
ausearch output in permissive mode
It seems that we cannot correctly fix this without handling #1265106 first, or fixing p11-kit [0]. The issue is that libffi requires writable and executable memory and that cannot be a sensible default for apache.

I believe Lucas has addressed all the issues preventing caml-crush from working with the selinux-policy, except the above which should be handled outside the policy. For that, I've currently blocked this bug on #1265106.

[0]. http://lists.freedesktop.org/archives/p11-glue/2015-September/000576.html
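The analysis in the comment above splits the permissive-mode AVCs into denials that policy can allow and the one it should not: `execmem` for httpd_t, which is libffi asking for a writable and executable mapping. The script below is an added example of that triage, not part of this bug, selinux-policy or caml-crush. It reads `ausearch -m AVC` output for one source domain and separates `process:execmem` from the rest. The sample records are constructed for illustration (timestamps, pids, paths and target types chosen by me, not taken from the attached logs), and the function names are this example's own.

```shell
#!/bin/sh
# Triage of `ausearch -m AVC` output for one SELinux source domain.
# Added example for this thread; not code from selinux-policy or caml-crush.
set -eu

# Print one "tclass:permission" line per denied permission for source domain
# $2 found in the ausearch output in file $1, deduplicated. Matches the raw
# record layout: "avc:  denied  { perm ... } for  pid=... scontext=... tclass=..."
avc_summary() {
    awk -v dom="$2" '
        /avc: +denied +[{]/ && $0 ~ ("scontext=[^ ]*:" dom ":") {
            perms = $0
            sub(/.*denied +[{] */, "", perms)
            sub(/ *[}].*/, "", perms)
            tclass = $0
            sub(/.*tclass=/, "", tclass)
            sub(/ .*/, "", tclass)
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) print tclass ":" p[i]
        }' "$1" | LC_ALL=C sort -u
}

# Exit 0 when the domain was denied process:execmem, i.e. it tried to map
# memory both writable and executable. That is the libffi case from the
# comment above: everything else in the summary is a candidate for a policy
# rule, this one should not become a default allow for httpd_t.
needs_execmem() {
    avc_summary "$1" "$2" | grep -qx 'process:execmem'
}

# Human-readable split of the summary into policy candidates and W+X.
avc_triage() {
    avc_summary "$1" "$2" | while IFS= read -r entry; do
        case "$entry" in
            process:execmem) echo "keep denied (W+X memory): $entry" ;;
            *)               echo "policy candidate: $entry" ;;
        esac
    done
}

# Constructed sample in the layout ausearch -m AVC prints. Three denials for
# httpd_t collected in permissive mode, plus one for sshd_t that the domain
# filter must ignore. Values are made up for the example.
SAMPLE_AVC=${TMPDIR:-/tmp}/avc-sample.$$
trap 'rm -f "$SAMPLE_AVC"' EXIT
cat > "$SAMPLE_AVC" <<'EOF'
type=AVC msg=audit(1441275523.311:1001): avc:  denied  { connectto } for  pid=2301 comm="httpd" path="/run/pkcs11proxyd/socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1441275523.311:1002): avc:  denied  { execmem } for  pid=2301 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1441275523.312:1003): avc:  denied  { read write } for  pid=2301 comm="httpd" path="/var/lib/softhsm/tokens" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1441275523.400:1004): avc:  denied  { name_connect } for  pid=900 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
EOF

# Stand-alone run: show the triage for httpd_t.
avc_triage "$SAMPLE_AVC" httpd_t
```

Run it against the real attachment with `avc_triage ausearch-permissive.txt httpd_t`; the `policy candidate` lines are what a policy patch can address, while a `keep denied` line means the application (here libffi via p11-kit) needs to stop requiring W+X memory rather than the policy loosening.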
Thank you Nikos, I totally agree with you, I added all issues except this one.
Hi Nikos, I'm going to cherry-pick this policy also to F23. Can I switch this bug to MODIFIED, since selinux-policy is not blocked by this issue (#1265106)? When there is something new we could discuss it here or in a new bug. Agree?
Since the issues that could be handled in the policy are addressed feel free to close or set this bug to modified. I've opened (#1271501) to track the new issue discovered.
Thank you Nikos!
selinux-policy-3.13.1-151.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-4f58ef1352
selinux-policy-3.13.1-151.fc23 has been pushed to the Fedora 23 testing repository.
If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4f58ef1352
selinux-policy-3.13.1-151.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.