Bug 1256757 - SELinux is preventing IPA access to /var/run/ipa/renewal.lock
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Keywords: ZStream
Depends On: 1213256
Blocks: 1268774
Reported: 2015-08-25 08:10 EDT by Jan Cholasta
Modified: 2015-11-19 05:44 EST (History)
CC: 15 users

See Also:
Fixed In Version: selinux-policy-3.13.1-53.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1213256
Clones: 1268774
Environment:
Last Closed: 2015-11-19 05:44:09 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Jan Cholasta 2015-08-25 08:10:56 EDT
+++ This bug was initially created as a clone of Bug #1213256 +++

Description of problem:

The following IPA binaries need R/W access to /var/run/ipa/renewal.lock in order for certificate renewal to work on IPA servers:

/usr/lib64/ipa/certmonger/restart_dirsrv
/usr/lib64/ipa/certmonger/restart_httpd
/usr/lib64/ipa/certmonger/renew_ca_cert
/usr/lib64/ipa/certmonger/renew_ra_cert
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
/usr/libexec/certmonger/ipa-server-guard

I am getting AVCs like this for all of the above binaries:

time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.260:271686): avc:  denied  { open } for  pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.263:271687): avc:  denied  { getattr } for  pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.264:271688): avc:  denied  { lock } for  pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.266:271689): avc:  denied  { write } for  pid=13756 comm="ipa-server-guar" name="renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.260:271685): avc:  denied  { read append } for  pid=13756 comm="ipa-server-guar" name="renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-105.13.fc21.noarch

How reproducible:
Always.

Steps to Reproduce:
1. run "getcert list" on IPA server
2. choose one tracking request from the output, run "getcert resubmit -i <REQUEST_ID>"

Actual results:
Certificate renewal fails.

Expected results:
Certificate renewal succeeds.

Additional info:

--- Additional comment from Lukas Vrabec on 2015-04-20 07:25:37 EDT ---

commit f8c785c1782d81cf72024d2b41d8364cc5bdb01d
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Apr 20 13:24:24 2015 +0200

    Allow certmonger to manage renewal.lock. BZ(1213256)

commit d1f9e5e18a891b6e37010c147d5124fd812585cf
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Apr 20 13:23:02 2015 +0200

    Add ipa_manage_pid_files interface.

--- Additional comment from Fedora Update System on 2015-06-24 08:28:58 EDT ---

selinux-policy-3.13.1-105.18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.18.fc21

--- Additional comment from Fedora Update System on 2015-06-25 04:22:37 EDT ---

Package selinux-policy-3.13.1-105.18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.18.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10708/selinux-policy-3.13.1-105.18.fc21
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2015-06-30 03:31:27 EDT ---

selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.19.fc21

--- Additional comment from Fedora Update System on 2015-07-14 11:50:39 EDT ---

selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 Lukas Vrabec 2015-08-25 08:46:19 EDT
Hi,

The renewal.lock file has a bad label.
The correct label is:
$ matchpathcon /run/ipa/renewal.lock
/run/ipa/renewal.lock	system_u:object_r:ipa_var_run_t:s0

Do you know which service creates the file /run/ipa/renewal.lock? I would say that we are missing a file transition for certmonger to create ipa_var_run_t.
Comment 3 Jan Cholasta 2015-08-25 10:30:54 EDT
The file is created from a script executed by certmonger.
Comment 4 Milos Malik 2015-08-25 10:37:46 EDT
Is the /run/ipa directory labeled correctly?

# ls -dZ /run/ipa
Comment 5 Miroslav Grepl 2015-08-25 10:42:19 EDT
Yes, how is /run/ipa directory created in this case?
Comment 6 Jan Cholasta 2015-08-26 03:30:09 EDT
I have retried again on a clean VM with selinux-policy-3.13.1-23.el7_1.13 and I don't see the AVCs anymore.

However, if I downgrade to selinux-policy-3.13.1-23.el7 and then upgrade back to selinux-policy-3.13.1-23.el7_1.13 (which I did before while investigating bug 1252863), the AVCs start to appear again. The /run/ipa directory is labelled this way in this case:

# ls -dZ /run/ipa
drwx------. root root system_u:object_r:var_run_t:s0   /run/ipa

The same AVCs were also seen by customers in bug 1252863, without the selinux-policy downgrade+upgrade, so something else must have triggered the bug in their case.
Comment 7 Miroslav Grepl 2015-08-26 04:45:37 EDT
Any chance to find out where /run/ipa is created? Is this a part of a scriptlet or a part of a setup script?
Comment 8 Miroslav Grepl 2015-08-26 07:11:57 EDT
Moving to 7.3. If it needs to go into 7.2, please request exception with requested needinfo.
Comment 9 Jan Cholasta 2015-08-26 11:48:04 EDT
The directory is created by RPM when ipa-server is installed. This is the relevant line from the spec file:

%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/

It is also managed by systemd, using the following tmpfiles configuration:

d /var/run/ipa 0700 root root
Comment 10 Miroslav Grepl 2015-08-28 11:58:18 EDT
(In reply to Jan Cholasta from comment #9)
> The directory is created by RPM when ipa-server is installed. This is the
> relevant line from the spec file:
> 
> %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
> 
> It is also managed by systemd, using the following tmpfiles configuration:
> 
> d /var/run/ipa 0700 root root


It looks OK. So we should have correct labeling here. Any chance this directory is re-created?
Comment 11 Jan Cholasta 2015-09-07 02:09:01 EDT
The spec file and tmpfiles config are the only 2 places in IPA where the directory is created. If it is re-created, it is not done from IPA.
Comment 12 Lukas Vrabec 2015-09-16 05:10:46 EDT
Basically, we need to find out which process is creating this directory, to add the right file transition rule.

Jan, could you try to reproduce it with the newest selinux-policy packages?
Comment 13 Milos Malik 2015-09-16 06:53:21 EDT
A special policy module (containing a few auditallow rules) gave us the answer. The /var/run/ipa directory is created by yum:
----
type=PATH msg=audit(09/16/2015 10:48:58.124:172) : item=1 name=/var/run/ipa inode=49309 dev=00:13 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(09/16/2015 10:48:58.124:172) : item=0 name=/var/run/ inode=6497 dev=00:13 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(09/16/2015 10:48:58.124:172) :  cwd=/root/selinux-policy/Regression/ipa-and-similar 
type=SYSCALL msg=audit(09/16/2015 10:48:58.124:172) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x54410a0 a1=0700 a2=0x1e a3=0xfffffffffffff0bc items=2 ppid=12858 pid=13465 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=yum exe=/usr/bin/python2.7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/16/2015 10:48:58.124:172) : avc:  granted  { create } for  pid=13465 comm=yum name=ipa scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir 
----

It happens during the installation of ipa related packages.
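Added example, not code from the bug report or the selinux-policy project: a small Python parser for AVC records of the shape quoted in the description and in comment 13. It merges records per subject/target pair, collects the full permission set certmonger needs on renewal.lock, shows which process created /var/run/ipa, and flags targets whose actual type differs from the type matchpathcon reports (ipa_var_run_t, per comments 2 and 18). The sample records are constructed from lines quoted on this page with the dev/ino fields dropped; the expected-type table and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
from os.path import basename

# Constructed sample: three of the denials quoted in the description (dev/ino fields
# dropped for brevity) plus the "granted { create }" record from comment 13.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1429514475.260:271686): avc:  denied  { open } for  pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1429514475.264:271688): avc:  denied  { lock } for  pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1429514475.260:271685): avc:  denied  { read append } for  pid=13756 comm="ipa-server-guar" name="renewal.lock" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/16/2015 10:48:58.124:172) : avc:  granted  { create } for  pid=13465 comm=yum name=ipa scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
"""

# Expected types taken from the matchpathcon output quoted in comments 2 and 18 (assumed table).
EXPECTED_TYPE = {"renewal.lock": "ipa_var_run_t", "ipa": "ipa_var_run_t"}

AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value; the value may be quoted

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "comm": f.get("comm"),
        # path= appears on open/getattr/lock, name= (basename only) on the others
        "target": basename(f.get("path") or f.get("name", "")),
        "stype": f["scontext"].split(":")[2],   # e.g. certmonger_t
        "ttype": f["tcontext"].split(":")[2],   # e.g. var_run_t
        "tclass": f.get("tclass"),
    }

def summarize(text, expected=EXPECTED_TYPE):
    """Merge records per (comm, target, source type, target type, class); a group is
    mislabeled when the target's actual type differs from the expected one."""
    groups = defaultdict(lambda: {"perms": set(), "decisions": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["comm"], rec["target"], rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["decisions"].add(rec["decision"])
    return [
        {"comm": comm, "target": target, "stype": stype, "ttype": ttype, "tclass": tclass,
         "perms": g["perms"], "decisions": g["decisions"],
         "mislabeled": expected.get(target) not in (None, ttype)}
        for (comm, target, stype, ttype, tclass), g in groups.items()
    ]
```

On a real host the same parser can be fed the output of `ausearch -m AVC` to see, in one pass, both the missing permissions and the creator of a mislabeled path.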
Comment 14 Milos Malik 2015-09-16 07:10:28 EDT
# rpm -qa selinux-policy\*
selinux-policy-sandbox-3.13.1-23.el7_1.18.noarch
selinux-policy-doc-3.13.1-23.el7_1.18.noarch
selinux-policy-targeted-3.13.1-23.el7_1.18.noarch
selinux-policy-3.13.1-23.el7_1.18.noarch
selinux-policy-mls-3.13.1-23.el7_1.18.noarch
selinux-policy-devel-3.13.1-23.el7_1.18.noarch
selinux-policy-minimum-3.13.1-23.el7_1.18.noarch
# matchpathcon /var/run/ipa
/var/run/ipa	system_u:object_r:var_run_t:s0
#

The latest z-stream selinux-policy does not label the directory correctly.
Comment 15 Miroslav Grepl 2015-09-17 06:50:01 EDT
Nice catch!

We will need to add a transition rule if we are not able to fix using restorecon.
Comment 18 Miroslav Grepl 2015-09-24 04:21:09 EDT
(In reply to Miroslav Grepl from comment #15)
> Nice catch!
> 
> We will need to add a transition rule if we are not able to fix using
> restorecon.

Taking back.

Milos,
are we able to reproduce it with the latest 7.2 policies? The point is we have

matchpathcon /var/run/ipa
/var/run/ipa	system_u:object_r:ipa_var_run_t:s0

and RPM should do its magic and add the correct labeling. So I believe this is only a 7.1.z issue where we don't have

/var/run/ipa	system_u:object_r:ipa_var_run_t:s0
Comment 19 Miroslav Grepl 2015-09-24 04:24:47 EDT
Jan,
can you confirm that you are not able to reproduce it with 7.2?
Comment 20 Milos Malik 2015-09-24 04:26:21 EDT
# rpm -qf /run/ipa
error: file /run/ipa: No such file or directory
# rpm -q ipa-server
package ipa-server is not installed
# yum install ipa-server
Loaded plugins: product-id, refresh-packagekit, search-disabled-repos,
              : subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:4.2.0-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch         Version              Repository             Size
================================================================================
Installing:
 ipa-server       x86_64       4.2.0-11.el7         RHEL-7.2-Server       1.3 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 1.3 M
Installed size: 4.9 M
Is this ok [y/d/N]: y
Downloading packages:
ipa-server-4.2.0-11.el7.x86_64.rpm                         | 1.3 MB   00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : ipa-server-4.2.0-11.el7.x86_64                               1/1 
  Verifying  : ipa-server-4.2.0-11.el7.x86_64                               1/1 

Installed:
  ipa-server.x86_64 0:4.2.0-11.el7                                              

Complete!
# rpm -qf /run/ipa
ipa-server-4.2.0-11.el7.x86_64
# ls -dZ /run/ipa
drwx------. root root system_u:object_r:ipa_var_run_t:s0 /run/ipa
# 

It works as expected with 3.13.1-53.el7.
Comment 21 Jan Cholasta 2015-09-24 05:09:38 EDT
Miroslav, it is not clear to me how to properly reproduce the issue, as my original assumptions were wrong, which I have tried to explain in comment 6. Can you advise on how to reproduce it?

For what it's worth, I have never seen the issue on 7.2, even before I opened this bug.
Comment 22 Milos Malik 2015-09-24 05:17:06 EDT
The issue should appear after installation of ipa-server package on a RHEL-7.1 machine. selinux-policy for RHEL-7.1.z does not fix the issue.
Comment 23 Lukas Vrabec 2015-09-24 07:14:18 EDT
Jan, 
Milos answered your question.
Comment 33 Miroslav Vadkerti 2015-10-05 10:46:43 EDT
Moving back to correct state
Comment 35 errata-xmlrpc 2015-11-19 05:44:09 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
