Bug 1252968 - AVC denials for ipa trusts
Summary: AVC denials for ipa trusts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-12 15:32 UTC by Scott Poore
Modified: 2015-11-19 10:43 UTC (History)

Fixed In Version: selinux-policy-3.13.1-43.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:43:40 UTC
Target Upstream Version:
Embargoed:


Attachments
Full AVC listing that includes some AVCs not listed in description (23.87 KB, text/plain)
2015-08-12 15:32 UTC, Scott Poore


Links
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Scott Poore 2015-08-12 15:32:08 UTC
Created attachment 1062064 [details]
Full AVC listing that includes some AVCs not listed in description

Description of problem:

I'm seeing AVC denials during some trust functions.  Mostly trust-add I believe:

These are the main ones I'm seeing:

time->Tue Aug 11 23:30:12 2015
type=SYSCALL msg=audit(1439316012.304:341): arch=c000003e syscall=233 success=yes exit=0 a0=a a1=2 a2=b a3=7fff8c8ff7c0 items=0 ppid=29376 pid=32634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439316012.304:341): avc:  denied  { block_suspend } for  pid=32634 comm="com.redhat.idm." capability=36  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability2

----
time->Tue Aug 11 23:30:12 2015
type=SYSCALL msg=audit(1439316012.500:342): arch=c000003e syscall=54 success=no exit=-1 a0=7 a1=1 a2=20 a3=7fff8c8ff548 items=0 ppid=29376 pid=32634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439316012.500:342): avc:  denied  { net_admin } for  pid=32634 comm="com.redhat.idm." capability=12  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability

----
time->Tue Aug 11 23:30:12 2015
type=PATH msg=audit(1439316012.504:343): item=0 name="/tmp" inode=100663425 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439316012.504:343):  cwd="/"
type=SYSCALL msg=audit(1439316012.504:343): arch=c000003e syscall=2 success=no exit=-13 a0=7f705e28bae8 a1=0 a2=1b6 a3=24 items=1 ppid=29376 pid=32634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439316012.504:343): avc:  denied  { read } for  pid=32634 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=100663425 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-41.el7.noarch
ipa-server-4.2.0-4.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1.  Install IPA Server
2.  ipa-adtrust-install
3.  ipa trust-add

Actual results:
See AVC denials in logs.


Expected results:
No AVC denials expected.

Additional info:
more AVC denials included in attachment

Comment 2 Lukas Vrabec 2015-08-14 09:06:41 UTC
Hi Scott, 

Could you test this scenario in permissive mode? (# setenforce 0) 
Do you know if "com.redhat.idm" needs some other permissions in /tmp dir?
Is this needed to rhel7.2? Could we move it to rhel7.3?

Comment 3 Miroslav Grepl 2015-08-17 08:46:35 UTC
block_suspend should be dontaudited. It's a kernel bug. net_admin seems to be legitimate.

Then we also need to get the AVCs from permissive mode, as Lukas wrote above.
I believe we can fix it in 7.2 once we have all AVCs.

Comment 4 Scott Poore 2015-08-17 12:29:21 UTC
I'm not sure what other permissions com.redhat.idm needs.  I've added Alexander to hopefully answer that.

Here are the AVCs from a test in permissive mode:


time->Sun Aug 16 23:05:15 2015
type=SYSCALL msg=audit(1439780715.180:360): arch=c000003e syscall=233 success=yes exit=0 a0=6 a1=2 a2=7 a3=7ffdbf9e61f0 items=0 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780715.180:360): avc:  denied  { block_suspend } for  pid=30418 comm="com.redhat.idm." capability=36  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability2
----
time->Sun Aug 16 23:05:25 2015
type=PATH msg=audit(1439780725.491:362): item=0 name="/tmp" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439780725.491:362):  cwd="/"
type=SYSCALL msg=audit(1439780725.491:362): arch=c000003e syscall=2 success=yes exit=11 a0=7f832a06bae8 a1=0 a2=1b6 a3=24 items=1 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780725.491:362): avc:  denied  { read } for  pid=30418 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Sun Aug 16 23:05:25 2015
type=SYSCALL msg=audit(1439780725.464:361): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=20 a3=7ffdbf9e5e28 items=0 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780725.464:361): avc:  denied  { net_admin } for  pid=30418 comm="com.redhat.idm." capability=12  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
----
time->Sun Aug 16 23:05:26 2015
type=PATH msg=audit(1439780726.439:363): item=1 name="/var/lib/rpm/.dbenv.lock" inode=134320268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=NORMAL
type=PATH msg=audit(1439780726.439:363): item=0 name="/var/lib/rpm/" inode=134320267 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1439780726.439:363):  cwd="/"
type=SYSCALL msg=audit(1439780726.439:363): arch=c000003e syscall=2 success=yes exit=9 a0=60a9d30 a1=42 a2=1a4 a3=3 items=2 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780726.439:363): avc:  denied  { open } for  pid=30418 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file

And I think these occurred during a trust-del:

time->Sun Aug 16 23:09:31 2015
type=SYSCALL msg=audit(1439780971.945:369): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=20 a3=7ffdf0ae9cd8 items=0 ppid=24866 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780971.945:369): avc:  denied  { net_admin } for  pid=490 comm="com.redhat.idm." capability=12  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
----
time->Sun Aug 16 23:09:32 2015
type=PATH msg=audit(1439780972.221:370): item=0 name="/tmp" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439780972.221:370):  cwd="/"
type=SYSCALL msg=audit(1439780972.221:370): arch=c000003e syscall=2 success=yes exit=9 a0=7fe5c9a57ae8 a1=0 a2=1b6 a3=24 items=1 ppid=24866 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780972.221:370): avc:  denied  { read } for  pid=490 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Sun Aug 16 23:09:32 2015
type=PATH msg=audit(1439780972.628:371): item=1 name="/var/lib/rpm/.dbenv.lock" inode=134320268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=NORMAL
type=PATH msg=audit(1439780972.628:371): item=0 name="/var/lib/rpm/" inode=134320267 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1439780972.628:371):  cwd="/"
type=SYSCALL msg=audit(1439780972.628:371): arch=c000003e syscall=2 success=yes exit=7 a0=5ced6b0 a1=42 a2=1a4 a3=3 items=2 ppid=24866 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780972.628:371): avc:  denied  { open } for  pid=490 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Sun Aug 16 23:12:46 2015
type=PATH msg=audit(1439781166.350:373): item=0 name="/tmp" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439781166.350:373):  cwd="/"
type=SYSCALL msg=audit(1439781166.350:373): arch=c000003e syscall=2 success=yes exit=9 a0=7f5142b92ae8 a1=0 a2=1b6 a3=24 items=1 ppid=24866 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439781166.350:373): avc:  denied  { read } for  pid=2265 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Sun Aug 16 23:12:46 2015
type=PATH msg=audit(1439781166.823:374): item=1 name="/var/lib/rpm/.dbenv.lock" inode=134320268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=NORMAL
type=PATH msg=audit(1439781166.823:374): item=0 name="/var/lib/rpm/" inode=134320267 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1439781166.823:374):  cwd="/"
type=SYSCALL msg=audit(1439781166.823:374): arch=c000003e syscall=2 success=yes exit=7 a0=5bf34f0 a1=42 a2=1a4 a3=3 items=2 ppid=24866 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439781166.823:374): avc:  denied  { open } for  pid=2265 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Sun Aug 16 23:12:46 2015
type=SYSCALL msg=audit(1439781166.150:372): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=20 a3=7ffd7918bf98 items=0 ppid=24866 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439781166.150:372): avc:  denied  { net_admin } for  pid=2265 comm="com.redhat.idm." capability=12  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability

Comment 5 Miroslav Grepl 2015-08-18 12:24:04 UTC
Thank you.

block_suspend should be dontaudited, as I wrote above. Then we need to add

allow ipa_helper_t self:capability net_admin;

files_list_tmp(ipa_helper_t)

optional_policy(`
 rpm_read_db(ipa_helper_t)
')

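As an added example (not code from this bug report or from the selinux-policy project), the script below parses AVC records in the format Scott posted in Comment 4 and derives the deduplicated raw type-enforcement rules behind the fix Miroslav lists in Comment 5, emitting dontaudit instead of allow for the block_suspend capability the thread identifies as a kernel bug. The sample records are copied from this bug; the DONTAUDIT table is the example's own assumption.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from the permissive-mode run in Comment 4.
SAMPLE_AVCS = """\
type=AVC msg=audit(1439780715.180:360): avc:  denied  { block_suspend } for  pid=30418 comm="com.redhat.idm." capability=36  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability2
type=AVC msg=audit(1439780725.491:362): avc:  denied  { read } for  pid=30418 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1439780725.464:361): avc:  denied  { net_admin } for  pid=30418 comm="com.redhat.idm." capability=12  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
type=AVC msg=audit(1439780726.439:363): avc:  denied  { open } for  pid=30418 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1439780971.945:369): avc:  denied  { net_admin } for  pid=490 comm="com.redhat.idm." capability=12  scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
"""

# Matches the permission set, source/target contexts and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Denials the thread classifies as spurious (kernel bug): silence them, do not grant them.
# This table is an assumption of the example, not part of the policy sources.
DONTAUDIT = {("capability2", "block_suspend")}


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]   # user:role:TYPE:level -> TYPE
        ttype = m.group("tcon").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def avcs_to_rules(text):
    """Deduplicate denials and render them as raw allow/dontaudit TE rules."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avcs(text):
        verb = "dontaudit" if (tclass, perm) in DONTAUDIT else "allow"
        target = "self" if ttype == stype else ttype   # capabilities are checked on self
        grouped[(verb, stype, target, tclass)].add(perm)
    rules = []
    for (verb, stype, target, tclass), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"{verb} {stype} {target}:{tclass} {plist};")
    return rules


if __name__ == "__main__":
    print("\n".join(avcs_to_rules(SAMPLE_AVCS)))
```

In the shipped policy the tmp_t and rpm_var_lib_t rules are expressed through the files_list_tmp and rpm_read_db interfaces rather than as raw rules; the output here shows the minimal permissions those interfaces must cover for the denials in this bug.
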
Comment 6 Alexander Bokovoy 2015-08-18 12:45:26 UTC
I think we already had the same rules in the Fedora policy, so you should be fine referencing that one.

Comment 7 Lukas Vrabec 2015-08-19 08:58:50 UTC
commit fe3e868d06e1d3ed42d35498760eef4f53df47f1
Author: Lukas Vrabec <lvrabec>
Date:   Wed Aug 19 10:54:43 2015 +0200

    Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug.
    Allow ipa_helper_t capability net_admin.
    Allow ipa_helper_t to list /tmp.
    Allow ipa_helper_t to read rpm db.
    Resolves: #1252968

Comment 9 Scott Poore 2015-08-21 17:55:13 UTC
I believe this is fixed:

Version ::

selinux-policy-3.13.1-45.el7.noarch

Results ::

I no longer see AVCs from the tests running trust related commands where I saw them before.

Comment 12 errata-xmlrpc 2015-11-19 10:43:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

