Bug 1309421 - kadmin creates kadmind.log with bad SELinux context
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: krb5
Version: 23
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-02-17 13:35 EST by Aleš Mareček
Modified: 2016-02-26 14:22 EST
Fixed In Version: krb5-1.14-9.fc23
Doc Type: Bug Fix
Last Closed: 2016-02-26 14:22:40 EST
Type: Bug
Attachments: None
Description Aleš Mareček 2016-02-17 13:35:07 EST
Description of problem:
# GOOD
[root@testbox ~]# systemctl restart kadmin
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.
[root@testbox ~]# ls -laZ /var/log/kadmind.log
-rw-r-----. 1 root root system_u:object_r:kadmind_log_t:s0 119 Feb 17 12:59 /var/log/kadmind.log

# BAD
[root@testbox ~]# rm -rf /var/log/kadmind.log 
[root@testbox ~]# kadmin >/dev/null 2>&1
[root@testbox ~]# ls -laZ /var/log/kadmind.log 
-rw-r-----. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 17 12:59 /var/log/kadmind.log


Version-Release number of selected component (if applicable):
krb5-workstation-1.14-7.fc23.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. # Make sure the kadmin service hasn't run so /var/log/kadmind.log doesn't exist
2. kadmin

Actual results:
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 17 13:07 /var/log/kadmind.log

Expected results:
-rw-r-----. 1 root root system_u:object_r:kadmind_log_t:s0 119 Feb 17 12:59 /var/log/kadmind.log

Additional info:
It creates an SELinux AVC during FreeIPA installation.
[root@testbox ~]# rm -rf /var/log/kadmind.log
[root@testbox ~]# ipa-server-install
- SNIP -
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
- SNIP -
[root@testbox ~]# ausearch -m avc -ts recent
----
time->Wed Feb 17 13:07:41 2016
type=AVC msg=audit(1455732461.943:365): avc:  denied  { open } for  pid=26394 comm="kadmind" path="/var/log/kadmind.log" dev="dm-0" ino=33925335 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
[root@testbox ~]# ls -laZ /var/log/kadmind.log 
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 17 13:07 /var/log/kadmind.log
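The AVC record above is the detectable symptom of the mislabeled log file. As an added example (not part of the bug report or the krb5 package), this parses ausearch-style AVC records, flags the specific kadmind_t -> var_log_t mismatch on kadmind.log, and returns the restorecon command that resets the label to the policy's file-context spec. The audit text is constructed from the record in the report plus one unrelated denial.

```python
import shlex

# Constructed sample of `ausearch -m avc` output, modelled on the record in this report.
SAMPLE_AUDIT = """\
----
time->Wed Feb 17 13:07:41 2016
type=AVC msg=audit(1455732461.943:365): avc:  denied  { open } for  pid=26394 comm="kadmind" path="/var/log/kadmind.log" dev="dm-0" ino=33925335 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
----
time->Wed Feb 17 13:09:02 2016
type=AVC msg=audit(1455732542.100:370): avc:  denied  { read } for  pid=26400 comm="sshd" path="/etc/ssh/sshd_config" dev="dm-0" ino=12345 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

EXPECTED_LOG_TYPE = "kadmind_log_t"   # label the kadmind policy expects on its log file


def parse_avc(line):
    """Return the key=value fields of one type=AVC record as a dict, or None for other lines."""
    if not line.startswith("type=AVC"):
        return None
    fields = {}
    # shlex strips the double quotes around comm="..." and path="...".
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def selinux_type(context):
    """Extract the type component from a user:role:type:level context string."""
    return context.split(":")[2]


def kadmind_log_mislabels(audit_text):
    """Return (path, actual_type, fix_command) for each kadmind denial caused by a mislabeled log."""
    findings = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if not avc or avc.get("comm") != "kadmind" or avc.get("tclass") != "file":
            continue
        if selinux_type(avc["scontext"]) != "kadmind_t":
            continue
        actual = selinux_type(avc["tcontext"])
        path = avc.get("path", "")
        if path.endswith("kadmind.log") and actual != EXPECTED_LOG_TYPE:
            # restorecon relabels the file from the policy's file-context spec.
            findings.append((path, actual, "restorecon -v " + path))
    return findings


if __name__ == "__main__":
    for path, actual, fix in kadmind_log_mislabels(SAMPLE_AUDIT):
        print(f"{path} is labeled {actual}, expected {EXPECTED_LOG_TYPE}: run `{fix}`")
```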
Comment 1 Martin Babinsky 2016-02-22 09:57:55 EST
kadmin.local seems to be affected the same:
1.) run 'ipa-server-install' on master branch
2.) check for AVCs:
"""
ausearch -m avc                                                                        
----
time->Mon Feb 22 14:45:17 2016
type=AVC msg=audit(1456152317.032:1900): avc:  denied  { open } for  pid=7112 comm="kadmind" path="/var/log/kadmind.log" dev="vda1" ino=524925 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

3.) delete /var/log/kadmind.log
4.) run kadmin.local manually
"""
# kadmin.local 
Authenticating as principal root/admin@IPA.TEST with password.
kadmin.local:  exit
"""

5.) check that /var/log/kadmind.log is recreated with wrong context:

"""
# ls -lZ /var/log/kadmind.log 
-rw-r-----. 1 root root unconfined_u:object_r:var_log_t:s0 0 Feb 22 14:48 /var/log/kadmind.log
"""

IPA version: master
Kerberos version: krb5-workstation-1.14-8.fc23.x86_64
SELinux: selinux-policy-3.13.1-158.7.fc23.noarch
Comment 2 Robbie Harwood 2016-02-22 15:20:31 EST
Reproduced locally.  The problem is that kadmin.local shouldn't be trying to create this file at all.
Comment 3 Simo Sorce 2016-02-22 16:08:08 EST
Confirmed, kadmin.local will create an empty log file if none is present, and of course as it runs in the root user process context it creates the file with a label that the real kadmind service can't access.
Comment 4 Robbie Harwood 2016-02-22 17:19:21 EST
In 1.13 (and earlier, as far as I can tell), the log file will be created empty - that is, opened but nothing written.  The difference is that in 1.13 it has the correct context.  I have restored this 1.13 behavior.

Since SELinux support is purely downstream (upstream is not interested at the present time), this fix is not needed upstream.

Patches building for rawhide and fc23.
Comment 5 Fedora Update System 2016-02-22 17:41:10 EST
krb5-1.14-9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-3fb652d988
Comment 6 Fedora Update System 2016-02-24 16:52:15 EST
krb5-1.14-9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3fb652d988
Comment 7 Fedora Update System 2016-02-26 14:22:36 EST
krb5-1.14-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.