Bug 1324144 - Allow oddjobd to execute IPA replica connection check
Summary: Allow oddjobd to execute IPA replica connection check
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On: 1289930
Blocks: 1333274
Reported: 2016-04-05 15:57 UTC by Petr Vobornik
Modified: 2016-11-04 02:47 UTC (History)

Fixed In Version: selinux-policy-3.13.1-70.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1289930
Environment:
Last Closed: 2016-11-04 02:47:10 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Petr Vobornik 2016-04-05 15:57:49 UTC
IPA will be rebased in RHEL 7.3, this policy update will be needed.

+++ This bug was initially created as a clone of Bug #1289930 +++

Description of problem:

As part of <https://fedorahosted.org/freeipa/ticket/5497> implementation, IPA calls oddjobd through D-Bus to execute a helper located at /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck, which in turn executes /usr/sbin/ipa-replica-conncheck.

This currently produces the following AVCs:

time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19472): avc:  denied  { transition } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.843:19473): avc:  denied  { entrypoint } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:24 2015
type=AVC msg=audit(1449651624.853:19474): avc:  denied  { write } for  pid=17341 comm="org.freeipa.ser" path="pipe:[8371716]" dev="pipefs" ino=8371716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.332:19475): avc:  denied  { write } for  pid=17341 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
----
time->Wed Dec  9 10:00:25 2015
type=AVC msg=audit(1449651625.647:19476): avc:  denied  { sigchld } for  pid=15944 comm="oddjobd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1


Additionally, /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains was moved to /usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains and is incorrectly labelled system_u:object_r:bin_t:s0 instead of system_u:object_r:ipa_helper_exec_t:s0.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-155.fc23.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
SELinux policy prevents oddjobd from executing the connection check

Expected results:
SELinux policy allows oddjobd to execute the connection check

Additional info:

--- Additional comment from Miroslav Grepl on 2015-12-22 10:05:15 CET ---

Jan,
could you please test it with

# chcon -t ipa_helper_exec_t /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# setsebool -P httpd_run_ipa 1

--- Additional comment from Jan Cholasta on 2016-01-04 14:50:24 CET ---

The chcon command partially fixes the issue. Now I'm getting these AVCs:

time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.973:6182): avc:  denied  { open } for  pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:14 2016
type=AVC msg=audit(1451915054.974:6183): avc:  denied  { setattr } for  pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Mon Jan  4 14:44:15 2016
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
----
time->Mon Jan  4 14:44:16 2016
type=AVC msg=audit(1451915056.289:6185): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=80 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

--- Additional comment from Miroslav Grepl on 2016-01-07 11:10:00 CET ---

How is /var/log/ipareplica-conncheck.log created?

--- Additional comment from Jan Cholasta on 2016-01-07 11:11:43 CET ---

In /usr/sbin/ipa-replica-conncheck (which is executed from /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck).

--- Additional comment from Lukas Vrabec on 2016-01-11 12:59:15 CET ---

Jan,
Is '/usr/sbin/ipa-replica-conncheck' the only thing manipulating this log file, from the IPA point of view?

--- Additional comment from Lukas Vrabec on 2016-01-11 13:17:24 CET ---

commit ff1e5391689bebd47de418df8baf40bcdee58717
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 11 13:13:47 2016 +0100

    Label /var/log/ipareplica-conncheck.log file as ipa_log_t
    Allow ipa_helper_t domain to manage logs labeled as ipa_log_t
    Allow ipa_helper_t to connect on http and kerberos_passwd ports.
    BZ(1289930)

--- Additional comment from Jan Cholasta on 2016-01-11 15:03:45 CET ---

Yes, it is not accessed from anywhere else.

--- Additional comment from Lukas Vrabec on 2016-01-11 22:27:56 CET ---

Ok, thank you.

--- Additional comment from Fedora Update System on 2016-01-14 14:15:51 CET ---

selinux-policy-3.13.1-158.2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

--- Additional comment from Fedora Update System on 2016-01-15 19:53:50 CET ---

selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7cb7ac5cb9

--- Additional comment from Jan Cholasta on 2016-01-18 12:54:09 CET ---

org.freeipa.server.conncheck is still incorrectly labelled with selinux-policy-3.13.1-158.2.fc23:

# ls -alZ /usr/libexec/ipa/oddjob/
total 12
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0               84 Jan 18 12:40 .
drwxr-xr-x. 3 root root system_u:object_r:bin_t:s0              123 Jan 18 12:40 ..
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 7625 Jan 18 09:08 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0               67 Jan 18 09:08 org.freeipa.server.conncheck
# rpm -q selinux-policy
selinux-policy-3.13.1-158.2.fc23.noarch
# restorecon /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck
# ls -alZ /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67 Jan 18 09:08 /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck

--- Additional comment from Lukas Vrabec on 2016-01-18 14:17:19 CET ---

commit e36e827635d9846fc5df3bc8211963f2c23ab155
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jan 18 13:30:21 2016 +0100

    Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)

--- Additional comment from Jan Cholasta on 2016-01-19 12:24:24 CET ---

There are no more AVC denials with selinux-policy-3.13.1-158.3.f23, but when the IPA framework running in httpd tries to call oddjob over D-Bus, it fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/server.py", line 247, in execute
    ret, stdout, stderr = server.conncheck(keys[-1])
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.456" (uid=48 pid=10841 comm="(wsgi:ipa)      -DFOREGROUND ") interface="org.freeipa.server" member="conncheck" error name="(unset)" requested_reply="0" destination="org.freeipa.server" (uid=0 pid=10267 comm="/usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 30")

--- Additional comment from Jan Cholasta on 2016-01-21 09:10:49 CET ---

My bad, I wasn't aware there is such a thing as USER_AVC. These are the USER_AVC denials which cause the issue above:

time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.424:1099): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jan 20 12:13:21 2016
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
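
An added example (not code from the bug or from the selinux-policy project) showing how a defender would triage the denials quoted in this bug: it parses both the kernel AVC records from the description and from comment 1 and the dbus-daemon USER_AVC records above, merges them into audit2allow-style rules, and flags the entrypoint denial against a generic bin_t label as a file-context bug rather than something to allow. The sample audit text is a constructed subset of the records quoted on this page; the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC and USER_AVC records quoted in this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1449651624.843:19473): avc:  denied  { entrypoint } for  pid=17341 comm="oddjobd" path="/usr/libexec/ipa/oddjob/org.freeipa.server.conncheck" dev="dm-1" ino=398404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915054.973:6182): avc:  denied  { open } for  pid=31867 comm="ipa-replica-con" path="/var/log/ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915054.974:6183): avc:  denied  { setattr } for  pid=31867 comm="ipa-replica-con" name="ipareplica-conncheck.log" dev="dm-1" ino=261271 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1451915055.980:6184): avc:  denied  { name_connect } for  pid=31867 comm="ipa-replica-con" dest=464 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1453288401.425:1100): pid=873 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freeipa.server member=conncheck dest=org.freeipa.server spid=10841 tpid=10267 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""
# Matches kernel AVCs and the dbus-daemon USER_AVC form (same field vocabulary inside msg='...').
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
                    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")

def ctx_type(context):
    return context.split(":")[2]  # user:role:type[:range] -> type, what allow rules use

def parse_avcs(text):
    """One record per denial: permission set, source type, target type, object class."""
    out = []
    for m in (AVC_RE.search(line) for line in text.splitlines()):
        if m:
            out.append((set(m["perms"].split()), ctx_type(m["scon"]),
                        ctx_type(m["tcon"]), m["tclass"]))
    return out

def allow_rules(records):
    """Merge denials audit2allow-style into one rule per (source, target, class)."""
    merged = defaultdict(set)
    for perms, stype, ttype, tclass in records:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules

def mislabel_hints(records):
    """An entrypoint denial on a generic bin_t file is a labelling bug, not a missing
    rule: the helper needs its own *_exec_t file context (ipa_helper_exec_t here)."""
    return [f"{t} used as {s} entrypoint: fix the file context, do not allow it"
            for perms, s, t, c in records
            if c == "file" and "entrypoint" in perms and t == "bin_t"]

if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT)
    print("\n".join(allow_rules(recs) + mislabel_hints(recs)))
```

On a live host the same records come from `ausearch -m AVC,USER_AVC -ts recent`; the hint line is the cue to reach for a file context (semanage fcontext / restorecon) instead of a custom allow rule, which is exactly the fix taken in this bug.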

--- Additional comment from Lukas Vrabec on 2016-01-21 16:57:10 CET ---

commit 954bb9161da6366ae7d3ca8374dbf197dac31d2f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 21 16:55:59 2016 +0100

    Allow dbus chat between httpd_t and oddjob_t. BZ(1289930)

--- Additional comment from Fedora Update System on 2016-01-22 03:20:54 CET ---

selinux-policy-3.13.1-158.2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Petr Vobornik on 2016-01-27 11:16:13 CET ---

Moving back to MODIFIED. It was not fixed in selinux-policy-3.13.1-158.2.fc23 and selinux-policy-3.13.1-158.4.f23 is not in updates.

--- Additional comment from Fedora Update System on 2016-02-03 13:02:18 CET ---

selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-04 00:00:14 CET ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

--- Additional comment from Fedora Update System on 2016-02-07 06:23:46 CET ---

selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 errata-xmlrpc 2016-11-04 02:47:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html