Bug 1289930 - Allow oddjobd to execute IPA replica connection check
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified Unspecified
Priority: high, Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 1324144
Reported: 2015-12-09 06:19 EST by Jan Cholasta
Modified: 2016-04-05 11:57 EDT
Fixed In Version: selinux-policy-3.13.1-158.4.f23 selinux-policy-3.13.1-158.4.fc23
Doc Type: Bug Fix
Last Closed: 2016-02-07 00:24:16 EST
Type: Bug
Description Jan Cholasta 2015-12-09 06:19:30 EST
Description of problem:

As part of <https://fedorahosted.org/freeipa/ticket/5497> implementation, IPA calls oddjobd through D-Bus to execute a helper located at /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck, which in turn executes /usr/sbin/ipa-replica-conncheck.

This currently produces the following AVCs:

time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19472): avc:  denied  { transition } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19473): avc:  denied  { entrypoint } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.853:19474): avc:  denied  { write } for  pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.332:19475): avc:  denied  { write } for  pid=17341 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.647:19476): avc:  denied  { sigchld } for  pid=15944 comm="oddjobd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1


Additionally, /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains was moved to /usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains and is incorrectly labelled system_u:object_r:bin_t:s0 instead of system_u:object_r:ipa_helper_exec_t:s0.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux policy prevents oddjobd from executing the connection check

Expected results:
SELinux policy allows oddjobd to execute the connection check

Additional info:
Comment 1 Miroslav Grepl 2015-12-22 04:05:15 EST
Jan,
could you please test it with

# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1
Comment 2 Jan Cholasta 2016-01-04 08:50:24 EST
The chcon command partially fixes the issue. Now I'm getting these AVCs:

time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc:  denied  { open } for  pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc:  denied  { setattr } for  pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan  4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
Comment 3 Miroslav Grepl 2016-01-07 05:10:00 EST
How is /var/log/ipareplica-conncheck.log created?
Comment 4 Jan Cholasta 2016-01-07 05:11:43 EST
In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).
Comment 5 Lukas Vrabec 2016-01-11 06:59:15 EST
Jan,
Is '/usr/sbin/ipa-replica-conncheck' the only thing manipulating this log file, from the IPA point of view?
Comment 6 Lukas Vrabec 2016-01-11 07:17:24 EST
commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Jan 11 13:13:47 2016 +0100

    Label /var/log/ipareplica-conncheck.log file as ipa_log_t
    Allow ipa_helper_t domain to manage logs labeled as ipa_log_t
    Allow ipa_helper_t to connect on http and kerberos_passwd ports.
    BZ(1289930)
Comment 7 Jan Cholasta 2016-01-11 09:03:45 EST
Yes, it is not accessed from anywhere else.
Comment 8 Lukas Vrabec 2016-01-11 16:27:56 EST
Ok, thank you.
Comment 9 Fedora Update System 2016-01-14 08:15:51 EST
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 10 Fedora Update System 2016-01-15 13:53:50 EST
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
Comment 11 Jan Cholasta 2016-01-18 06:54:09 EST
org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:

# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0               84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0              123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0               67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
Comment 12 Lukas Vrabec 2016-01-18 08:17:19 EST
commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Jan 18 13:30:21 2016 +0100

    Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
Comment 13 Jan Cholasta 2016-01-19 06:24:24 EST
There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
    ret, stdout, stderr = server.conncheck(keys[-1])
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa)      -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")
Comment 14 Jan Cholasta 2016-01-21 03:10:49 EST
My bad, I wasn't aware there is such a thing as USER_AVC. These are the USER_AVC denials which cause the issue above:

time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
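
The denials in this bug arrive in two record types: kernel AVC records and the USER_AVC records emitted by dbus-daemon, where the `avc: denied` text is nested inside `msg='...'`. The following is an added example, not part of the original bug report or of the selinux-policy project: a small triage parser that reads both record types and groups them by source type, target type and class. The sample records are abbreviated from the ones quoted in the comments above; the function names are hypothetical.

```python
import re

# Records abbreviated from the denials quoted in this bug (some fields trimmed for length).
SAMPLE = """\
type=AVC msg=audit(1449651624.843:19472): avc:  denied  { transition } for  pid=17341 comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1451915054.973:6182): avc:  denied  { open } for  pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915054.974:6183): avc:  denied  { setattr } for  pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1451915056.289:6185): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon"'
"""

# Matches kernel AVC records and USER_AVC records (denial nested inside msg='...').
DENIAL = re.compile(
    r"type=(?P<rtype>AVC|USER_AVC) .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)

def sel_type(context):
    """Return the type field of user:role:type[:mls-range]; the range may contain ':'."""
    return context.split(":", 3)[2]

def summarize(log_text):
    """Group denials as {(source_type, target_type, class): {"perms": set, "user_avc": bool}}."""
    rules = {}
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
        entry = rules.setdefault(key, {"perms": set(), "user_avc": False})
        entry["perms"].update(m["perms"].split())
        entry["user_avc"] |= m["rtype"] == "USER_AVC"
    return rules

def render(rules):
    """Render the groups as audit2allow-style lines for review, not for direct loading."""
    out = []
    for (src, tgt, cls), e in sorted(rules.items()):
        note = "  # USER_AVC: denied by a userspace object manager" if e["user_avc"] else ""
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The rendered lines are a review aid only: in this bug several of the denials were resolved by relabeling the helper and the log file rather than by granting the listed permissions to the original domains.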
Comment 15 Lukas Vrabec 2016-01-21 10:57:10 EST
commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Jan 21 16:55:59 2016 +0100

    Allow dbus chat between httpd_t and oddjob_t. BZ(1289930)
Comment 16 Fedora Update System 2016-01-21 21:20:54 EST
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Petr Vobornik 2016-01-27 05:16:13 EST
Moving back to modified. It was not fixed in selinux-policy-3.13.1-158.2.fc23 and selinux-policy-3.13.1-158.4.f23 is not in updates.
Comment 18 Fedora Update System 2016-02-03 07:02:18 EST
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
Comment 19 Fedora Update System 2016-02-03 18:00:14 EST
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
Comment 20 Fedora Update System 2016-02-07 00:23:46 EST
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
