Description of problem:
As part of <https://fedorahosted.org/freeipa/ticket/5497> implementation, IPA calls oddjobd through D-Bus to execute a helper located at /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck, which in turn executes /usr/sbin/ipa-replica-conncheck. This currently produces the following AVCs:

time->Wed Dec 9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19472): avc: denied { transition } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
----
time->Wed Dec 9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19473): avc: denied { entrypoint } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Dec 9 10:00:24 2015
type=AVC msg=audit(1449651624.853:19474): avc: denied { write } for pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Dec 9 10:00:25 2015
type=AVC msg=audit(1449651625.332:19475): avc: denied { write } for pid=17341 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
----
time->Wed Dec 9 10:00:25 2015
type=AVC msg=audit(1449651625.647:19476): avc: denied { sigchld } for pid=15944 comm="oddjobd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1

Additionally, /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains was moved to /usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains and is incorrectly labelled system_u:object_r:bin_t:s0 instead of system_u:object_r:ipa_helper_exec_t:s0.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux policy prevents oddjobd from executing the connection check

Expected results:
SELinux policy allows oddjobd to execute the connection check

Additional info:
Jan, could you please test it with

# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1
The chcon command partially fixes the issue. Now I'm getting these AVCs:

time->Mon Jan 4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc: denied { open } for pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan 4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc: denied { setattr } for pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan 4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan 4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
How is /var/log/ipareplica-conncheck.log created?
In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).
Jan, is just '/usr/sbin/ipa-replica-conncheck' manipulating this log file, from the IPA point of view?
commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 11 13:13:47 2016 +0100

    Label /var/log/ipareplica-conncheck.log file as ipa_log_t
    Allow ipa_helper_t domain to manage logs labeled as ipa_log_t
    Allow ipa_helper_t to connect on http and kerberos_passwd ports.
    BZ(1289930)
Yes, it is not accessed from anywhere else.
Ok, thank you.
selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9
org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:

# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0               84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0              123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0               67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 18 13:30:21 2016 +0100

    Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t.
    BZ(1289930)
There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
    ret, stdout, stderr = server.conncheck(keys[-1])
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa) -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")
My bad, I wasn't aware there is such a thing as USER_AVC. These are the USER_AVC denials which cause the issue above:

time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
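An added example, not code from this bug report or from selinux-policy: a small Python parser that extracts source type, target type, object class and permission from both the kernel AVC records quoted in the earlier comments and the USER_AVC records above, where the avc text is nested inside the msg='...' field of a dbus-daemon record. The sample records and the function names are constructed for illustration, modelled on the lines in this bug.

```python
import re
from collections import Counter

# Constructed sample modelled on the AVC and USER_AVC records quoted in this
# bug (shortened, not verbatim). In a USER_AVC the avc text sits inside msg='...'.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1449651624.843:19472): avc: denied { transition } for pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1451915055.980:6184): avc: denied { name_connect } for pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=SYSCALL msg=audit(1449651624.843:19472): arch=c000003e syscall=59 success=yes
"""

# Matches the avc body whether it is at top level (AVC) or quoted in msg= (USER_AVC).
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]

def parse_avc_line(line):
    """Parse one audit record; return None for records that are not AVC/USER_AVC."""
    m = AVC_RE.search(line) if line.startswith(("type=AVC ", "type=USER_AVC ")) else None
    if m is None:
        return None
    return {
        "kind": "USER_AVC" if line.startswith("type=USER_AVC") else "AVC",
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": "permissive=1" in line,  # USER_AVC records carry no such flag
    }

def summarize_denials(audit_text):
    """Count (source type, target type, class, permission) tuples over denied records."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc_line(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print("%-14s -> %-26s %-10s %-12s x%d" % (key + (n,)))
```

Each summary tuple corresponds to one allow rule the policy would need, which is the shape of the three commits in this bug; the SYSCALL record is there to show that non-AVC audit lines are skipped.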
commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 21 16:55:59 2016 +0100

    Allow dbus chat between httpd_t and oddjob_t.
    BZ(1289930)
selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Moving back to MODIFIED. It was not fixed in selinux-policy-3.13.1-158.2.fc23 and selinux-policy-3.13.1-158.4.f23 is not in updates.
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.