Bug 1452215 - SELinux policy denies IPA framework to perform anonymous PKINIT on localhost during FAST armoring
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1451733
Depends On:
Blocks: 1438729
 
Reported: 2017-05-18 15:03 UTC by Martin Babinsky
Modified: 2018-01-15 11:42 UTC (History)

Fixed In Version: selinux-policy-3.13.1-152.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:26:23 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Martin Babinsky 2017-05-18 15:03:33 UTC
Description of problem:

When installing/upgrading to ipa-server-4.5.0-9.el7, password authentication to the IPA framework (e.g. through WebUI login) fails due to the following SELinux denial, visible only after setting 'semanage dontaudit off' on the host:

"""
type=PROCTITLE msg=audit(1494934341.770:412): proctitle=2F7573722F62696E2F6B696E6974002D6E002D63002F7661722F72756E2F6970612F636361636865732F61726D6F725F3130333234002D5800583530395F616E63686F72730046494C453A2F7661722F6B65726265726F732F6B7262356B64632F6361636572742E70656D
type=PATH msg=audit(1494934341.770:412): item=0 name="/var/kerberos/krb5kdc/cacert.pem" inode=50484290 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:krb5kdc_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1494934341.770:412):  cwd="/"
type=SYSCALL msg=audit(1494934341.770:412): arch=c000003e syscall=2 success=no exit=-13 a0=55da8eed5de5 a1=0 a2=1b6 a3=24 items=1 ppid=10324 pid=14635 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1494934341.770:412): avc:  denied  { read } for  pid=14635 comm="kinit" name="cacert.pem" dev="dm-0" ino=50484290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
"""

The reason is that to armor the client AS_REQ performed during password auth, the IPA framework must perform anonymous PKINIT using the local KDC's CA anchors (/var/kerberos/krb5kdc/cacert.pem). That's why 'kinit' is running in the httpd_t context: it is spawned from within the apache process serving the framework.

Since it is difficult to move the anchor file to a place accessible to both the KDC and the framework, not to mention maintaining multiple copies of the file, we would like to allow this domain transition in the RHEL 7.4 SELinux policy.


Version-Release number of selected component (if applicable):

ipa-server-4.5.0-9.el7

How reproducible:

Always

Steps to Reproduce:
1. run 'semanage dontaudit off'
2. run ipa-server-install or upgrade from RHEL 7.3 ipa-server
3. try to login to WebUI or perform password auth against the framework e.g. using curl

Actual results:

The authentication fails. ausearch -m avc displays the audit trail reported above.

Expected results:

Authentication succeeds and the session is established. No denials are observed in audit log.

Additional info:

See https://bugzilla.redhat.com/show_bug.cgi?id=1438729#c17 and later (may be private) for more info on the issue.
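
Added example, written for this page and not taken from the bug report, IPA or selinux-policy: a Python parser for the audit event quoted in the description. It joins the AVC, SYSCALL, PATH and PROCTITLE records by event serial, decodes the hex-encoded PROCTITLE into the kinit command line (the NUL-separated argv), and derives the minimal allow rule the denial implies in the way audit2allow would. That derived rule is illustrative only; it is not the rule Red Hat shipped in selinux-policy-3.13.1-152.el7, which this page does not quote. The sample records are the ones from the description, embedded inline so the script runs offline.

```python
"""Correlate and interpret the SELinux denial quoted in the bug report.

Added example, not IPA or selinux-policy project code.  The audit records
below are copied from the report (one event, serial 412).
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = r'''
type=PROCTITLE msg=audit(1494934341.770:412): proctitle=2F7573722F62696E2F6B696E6974002D6E002D63002F7661722F72756E2F6970612F636361636865732F61726D6F725F3130333234002D5800583530395F616E63686F72730046494C453A2F7661722F6B65726265726F732F6B7262356B64632F6361636572742E70656D
type=PATH msg=audit(1494934341.770:412): item=0 name="/var/kerberos/krb5kdc/cacert.pem" inode=50484290 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:krb5kdc_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1494934341.770:412):  cwd="/"
type=SYSCALL msg=audit(1494934341.770:412): arch=c000003e syscall=2 success=no exit=-13 a0=55da8eed5de5 a1=0 a2=1b6 a3=24 items=1 ppid=10324 pid=14635 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1494934341.770:412): avc:  denied  { read } for  pid=14635 comm="kinit" name="cacert.pem" dev="dm-0" ino=50484290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
'''

_HDR = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')


def parse_records(text):
    """Return {serial: [record, ...]}; each record is a dict of its fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = _HDR.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        rec = {'type': rtype, 'time': ts}
        if rtype == 'AVC':
            a = _AVC.search(body)
            if a:
                rec['result'] = a.group(1)
                rec['perms'] = a.group(2).split()
                body = a.group(3)          # the key=value tail after "for"
        for k, v in _KV.findall(body):
            rec[k] = v.strip('"')
        events[serial].append(rec)
    return dict(events)


def decode_proctitle(hexstr):
    """PROCTITLE carries argv as hex with NUL separators; return the argv list."""
    return bytes.fromhex(hexstr).decode('utf-8', 'replace').split('\x00')


def type_of(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (the type is the third field)."""
    return context.split(':')[2]


def allow_rule(avc):
    """Minimal allow rule implied by one denial (audit2allow-style derivation).

    Illustrative only: the page does not quote the rule shipped in
    selinux-policy-3.13.1-152.el7."""
    perms = ' '.join(sorted(avc['perms']))
    return 'allow %s %s:%s { %s };' % (
        type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'], perms)


def explain(events):
    """Summarise every denied event: command, errno, source/target types, path."""
    out = []
    for serial, recs in sorted(events.items()):
        by = {r['type']: r for r in recs}
        avc = by.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        argv = decode_proctitle(by['PROCTITLE']['proctitle']) if 'PROCTITLE' in by else []
        sc = by.get('SYSCALL', {})
        out.append({
            'serial': serial,
            'argv': argv,
            'exit': int(sc.get('exit', '0')),      # -13 is -EACCES on Linux
            'source': type_of(avc['scontext']),
            'target': type_of(avc['tcontext']),
            'path': by.get('PATH', {}).get('name', avc.get('name')),
            'rule': allow_rule(avc),
        })
    return out


if __name__ == '__main__':
    for ev in explain(parse_records(SAMPLE_AUDIT)):
        print('event %s: %s (exit %d)' % (ev['serial'], ' '.join(ev['argv']), ev['exit']))
        print('  %s denied on %s (labelled %s)' % (ev['source'], ev['path'], ev['target']))
        print('  audit2allow-style rule: %s' % ev['rule'])
```

`ausearch -i` already interprets the proctitle for you; the value of a structured parse like this is that a log pipeline can assert on the pieces (source type httpd_t, target type krb5kdc_conf_t, the file actually being the KDC CA anchor) instead of grepping, and can tell a denial like this one from the dontaudit noise that 'semanage dontaudit off' also surfaces.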

Comment 2 Scott Poore 2017-05-18 17:57:51 UTC
FYI, we can also reproduce this using the same login script Martin provided, which was used here:

https://bugzilla.redhat.com/show_bug.cgi?id=1438729#c23

Comment 3 Scott Poore 2017-05-18 18:05:32 UTC
Also, marking priority/severity high because of the effect of the bug when in enforcing mode.

Comment 11 Scott Poore 2017-05-24 16:20:15 UTC
Verified.

Version ::

selinux-policy-3.13.1-152.el7.noarch

Results ::

# Below first shows failure, then selinux-policy upgrade, then success.

[root@rhel7-3 ~]# setenforce 1


[root@rhel7-3 ~]# getenforce
Enforcing



[root@rhel7-3 ~]# ./login_password.sh admin Secret123
* About to connect() to rhel7-3.example.com port 443 (#0)
*   Trying 192.168.122.73...
* Connected to rhel7-3.example.com (192.168.122.73) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
*   start date: May 04 01:38:19 2017 GMT
*   expire date: May 05 01:38:19 2019 GMT
*   common name: rhel7-3.example.com
*   issuer: CN=Certificate Authority,O=EXAMPLE.COM
> POST /ipa/session/login_password HTTP/1.1
> User-Agent: curl/7.29.0
> Host: rhel7-3.example.com
> Cookie: ipa_session=MagBearerToken=PAWxTqS4nFZyZGZTrkOZFddDV06LjqYX%2fu0M7IVxa8jS6%2f3wElAQef55j9BvZajT2uaZiY5zKHBVyhe6F9dR5ARaI9M3F5JzlHbHs2%2flTMFlegMLWNfS6pT7B9GajLVCxqry8a38EsaopH%2bsrsRWu5uP1LjyTUaRTyB9%2byKXGTJQHwmY6QeyPI1M8aZk0l%2ba&expiry=1495644045760955
> referer:https://rhel7-3.example.com/ipa
> Content-Type:application/x-www-form-urlencoded
> Accept:text/plain
> Content-Length: 29
> 
* upload completely sent off: 29 out of 29 bytes
< HTTP/1.1 500 Internal Server Error
< Date: Wed, 24 May 2017 16:10:59 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.1 mod_wsgi/3.4 Python/2.7.5
* Replaced cookie ipa_session="MagBearerToken=PAWxTqS4nFZyZGZTrkOZFddDV06LjqYX%2fu0M7IVxa8jS6%2f3wElAQef55j9BvZajT2uaZiY5zKHBVyhe6F9dR5ARaI9M3F5JzlHbHs2%2flTMFlegMLWNfS6pT7B9GajLVCxqry8a38EsaopH%2bsrsRWu5uP1LjyTUaRTyB9%2byKXGTJQHwmY6QeyPI1M8aZk0l%2ba&expiry=1495644059804244" for domain rhel7-3.example.com, path /ipa, expire 1495644059
< Set-Cookie: ipa_session=MagBearerToken=PAWxTqS4nFZyZGZTrkOZFddDV06LjqYX%2fu0M7IVxa8jS6%2f3wElAQef55j9BvZajT2uaZiY5zKHBVyhe6F9dR5ARaI9M3F5JzlHbHs2%2flTMFlegMLWNfS6pT7B9GajLVCxqry8a38EsaopH%2bsrsRWu5uP1LjyTUaRTyB9%2byKXGTJQHwmY6QeyPI1M8aZk0l%2ba&expiry=1495644059804244;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
* Replaced cookie ipa_session="MagBearerToken=PAWxTqS4nFZyZGZTrkOZFddDV06LjqYX%2fu0M7IVxa8jS6%2f3wElAQef55j9BvZajT2uaZiY5zKHBVyhe6F9dR5ARaI9M3F5JzlHbHs2%2flTMFlegMLWNfS6pT7B9GajLVCxqry8a38EsaopH%2bsrsRWu5uP1LjyTUaRTyB9%2byKXGTJQHwmY6QeyPI1M8aZk0l%2ba&expiry=1495644059804244" for domain rhel7-3.example.com, path /ipa, expire 1495644059
< Set-Cookie: ipa_session=MagBearerToken=PAWxTqS4nFZyZGZTrkOZFddDV06LjqYX%2fu0M7IVxa8jS6%2f3wElAQef55j9BvZajT2uaZiY5zKHBVyhe6F9dR5ARaI9M3F5JzlHbHs2%2flTMFlegMLWNfS6pT7B9GajLVCxqry8a38EsaopH%2bsrsRWu5uP1LjyTUaRTyB9%2byKXGTJQHwmY6QeyPI1M8aZk0l%2ba&expiry=1495644059804244;Max-Age=1800;path=/ipa;httponly;secure;
< Content-Length: 527
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
* Closing connection 0



[root@rhel7-3 ~]# yum update selinux-policy
....
Updated:
  selinux-policy.noarch 0:3.13.1-152.el7                                                               

Dependency Updated:
  selinux-policy-targeted.noarch 0:3.13.1-152.el7                                                      

Complete!



[root@rhel7-3 ~]# ipactl stop
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful



[root@rhel7-3 ~]# systemctl restart gssproxy



[root@rhel7-3 ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful



[root@rhel7-3 ~]# ./login_password.sh admin Secret123
* About to connect() to rhel7-3.example.com port 443 (#0)
*   Trying 192.168.122.73...
* Connected to rhel7-3.example.com (192.168.122.73) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=rhel7-3.example.com,O=EXAMPLE.COM
*   start date: May 04 01:38:19 2017 GMT
*   expire date: May 05 01:38:19 2019 GMT
*   common name: rhel7-3.example.com
*   issuer: CN=Certificate Authority,O=EXAMPLE.COM
> POST /ipa/session/login_password HTTP/1.1
> User-Agent: curl/7.29.0
> Host: rhel7-3.example.com
> Cookie: ipa_session=MagBearerToken=PAWxTqS4nFZyZGZTrkOZFddDV06LjqYX%2fu0M7IVxa8jS6%2f3wElAQef55j9BvZajT2uaZiY5zKHBVyhe6F9dR5ARaI9M3F5JzlHbHs2%2flTMFlegMLWNfS6pT7B9GajLVCxqry8a38EsaopH%2bsrsRWu5uP1LjyTUaRTyB9%2byKXGTJQHwmY6QeyPI1M8aZk0l%2ba&expiry=1495644059804244
> referer:https://rhel7-3.example.com/ipa
> Content-Type:application/x-www-form-urlencoded
> Accept:text/plain
> Content-Length: 29
> 
* upload completely sent off: 29 out of 29 bytes
< HTTP/1.1 200 Success
< Date: Wed, 24 May 2017 16:14:58 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.1 mod_wsgi/3.4 Python/2.7.5
< IPASESSION: MagBearerToken=x595JRR2K6GTx%2b5tJX%2feb9phWFX4CAw2sk9TIlMiBO2aSIMYQfUFAGIM3gMusie417EaqQLlUNWaEN7wi1U0JAQyTnuaMBafmdQnM5EctBZ6dZW6ros545q5R2sopXADCyGlZxlHrq%2fSZgQjiqBontZFYJSx11JTUBBbylURFucfHRuG2ESO9ItHmnBJIIpl&expiry=1495644298935092
* Replaced cookie ipa_session="MagBearerToken=x595JRR2K6GTx%2b5tJX%2feb9phWFX4CAw2sk9TIlMiBO2aSIMYQfUFAGIM3gMusie417EaqQLlUNWaEN7wi1U0JAQyTnuaMBafmdQnM5EctBZ6dZW6ros545q5R2sopXADCyGlZxlHrq%2fSZgQjiqBontZFYJSx11JTUBBbylURFucfHRuG2ESO9ItHmnBJIIpl&expiry=1495644298937275" for domain rhel7-3.example.com, path /ipa, expire 1495644298
< Set-Cookie: ipa_session=MagBearerToken=x595JRR2K6GTx%2b5tJX%2feb9phWFX4CAw2sk9TIlMiBO2aSIMYQfUFAGIM3gMusie417EaqQLlUNWaEN7wi1U0JAQyTnuaMBafmdQnM5EctBZ6dZW6ros545q5R2sopXADCyGlZxlHrq%2fSZgQjiqBontZFYJSx11JTUBBbylURFucfHRuG2ESO9ItHmnBJIIpl&expiry=1495644298937275;Max-Age=1800;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache
< Content-Length: 0
< Content-Type: text/plain; charset=UTF-8
< 
* Connection #0 to host rhel7-3.example.com left intact

^^^^ Worked...see above:  HTTP/1.1 200 Success




[root@rhel7-3 ~]# getenforce
Enforcing
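
The transcript above drives the framework's password login with a curl wrapper (login_password.sh) that the page references but does not show. Added example, written for this page and not IPA project code: a Python client that sends the same POST (path, Referer, Content-Type and Accept headers exactly as in the transcript) and classifies the answer the way the verification does, with 200 plus an IPASESSION header meaning a session was established and 500 meaning the framework failed before it could decide, which is what the denied armor kinit produced. The 401 branch is IPA's rejected-credentials response, which this page does not exercise; the CA file path /etc/ipa/ca.crt is the one curl used above.

```python
"""Password login against the IPA framework and verdict classification.

Added example, not IPA project code.  Host, user and password come from
the command line; the CA file defaults to the one the transcript used.
"""
import ssl
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError

LOGIN_PATH = '/ipa/session/login_password'


def build_login_request(host, user, password):
    """Build the form POST the WebUI and login_password.sh send.

    The body is application/x-www-form-urlencoded; for admin/Secret123 it
    is 29 bytes, matching the Content-Length in the transcript."""
    body = urllib.parse.urlencode({'user': user, 'password': password}).encode()
    return urllib.request.Request(
        'https://%s%s' % (host, LOGIN_PATH),
        data=body,
        headers={
            'Referer': 'https://%s/ipa' % host,   # the framework checks this
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/plain',
        },
        method='POST',
    )


def classify_response(status, headers):
    """Map an HTTP outcome to a verdict string.

    200 + IPASESSION: session established (the '200 Success' above).
    401: credentials rejected by the framework (not shown on this page).
    5xx: the framework itself failed, e.g. the armor kinit was denied."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and 'ipasession' in hdrs:
        return 'session-established'
    if status == 401:
        return 'credentials-rejected'
    if status >= 500:
        return 'framework-error'
    return 'unexpected-%d' % status


def login(host, user, password, ca_file='/etc/ipa/ca.crt'):
    """Perform the POST; return (verdict, session token or None).

    TLS verification is pinned to the IPA CA, never disabled: the token
    that comes back is a bearer credential."""
    req = build_login_request(host, user, password)
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            status, headers = resp.status, dict(resp.headers)
    except HTTPError as e:
        status, headers = e.code, dict(e.headers)
    verdict = classify_response(status, headers)
    hdrs = {k.lower(): v for k, v in headers.items()}
    token = hdrs.get('ipasession') if verdict == 'session-established' else None
    return verdict, token


if __name__ == '__main__':
    if len(sys.argv) != 4:
        sys.exit('usage: %s HOST USER PASSWORD' % sys.argv[0])
    verdict, token = login(*sys.argv[1:4])
    print(verdict)
    if token:
        print('session token received (%d bytes)' % len(token))
```

Used as the before/after probe in the verification above, the verdict is what changes: 'framework-error' with the old policy in enforcing mode, 'session-established' after the selinux-policy update and service restart. A 'framework-error' verdict on a fresh install is the cue to check the audit log with dontaudit disabled, as the description describes, before looking anywhere else.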

Comment 15 Petr Vobornik 2017-05-25 15:34:44 UTC
*** Bug 1451733 has been marked as a duplicate of this bug. ***

Comment 16 Abhijeet Kasurde 2017-05-26 07:16:26 UTC
I am able to login into Web UI with IPA Server :: ipa-server-4.5.0-13.el7.x86_64

Comment 17 errata-xmlrpc 2017-08-01 15:26:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Comment 18 Sebastián Greco 2018-01-15 10:18:23 UTC
Hi,

I'm getting this error even with selinux in permissive mode. I'm not sure this is the right place to post this error, but the only error I've found on the web is a closed duplicate of this report.

[Wed Dec 27 10:14:24.279362 2017] [:error] [pid 1646] [remote 172.16.1.22:24] mod_wsgi (pid=1646): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Dec 27 10:14:24.279838 2017] [:error] [pid 1646] [remote 172.16.1.22:24] Traceback (most recent call last):
[Wed Dec 27 10:14:24.280033 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Wed Dec 27 10:14:24.280556 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Dec 27 10:14:24.280607 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Wed Dec 27 10:14:24.281489 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     return self.route(environ, start_response)
[Wed Dec 27 10:14:24.281526 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Wed Dec 27 10:14:24.281585 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     return app(environ, start_response)
[Wed Dec 27 10:14:24.281643 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Wed Dec 27 10:14:24.281680 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     self.kinit(user_principal, password, ipa_ccache_name)
[Wed Dec 27 10:14:24.281708 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Wed Dec 27 10:14:24.281736 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Wed Dec 27 10:14:24.281777 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Wed Dec 27 10:14:24.281972 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     run(args, env=env, raiseonerr=True, capture_error=True)
[Wed Dec 27 10:14:24.282009 2017] [:error] [pid 1646] [remote 172.16.1.22:24]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run
[Wed Dec 27 10:14:24.282865 2017] [:error] [pid 1646] [remote 172.16.1.22:24]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Wed Dec 27 10:14:24.283031 2017] [:error] [pid 1646] [remote 172.16.1.22:24] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1646 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1


Packages installed are:
[root@ipa ~]# rpm -qa | grep -i selinux
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
libselinux-python-2.5-11.el7.x86_64

[root@ipa ~]# rpm -qa | grep -i ipa
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.15.2-50.el7_4.8.x86_64
ipa-common-4.5.0-22.el7_4.noarch
ipa-client-common-4.5.0-22.el7_4.noarch
libipa_hbac-1.15.2-50.el7_4.8.x86_64
sssd-ipa-1.15.2-50.el7_4.8.x86_64
python2-ipalib-4.5.0-22.el7_4.noarch
python2-ipaserver-4.5.0-22.el7_4.noarch
ipa-server-4.5.0-22.el7_4.x86_64
ipa-server-common-4.5.0-22.el7_4.noarch
python-iniparse-0.4-9.el7.noarch
python2-ipaclient-4.5.0-22.el7_4.noarch
ipa-client-4.5.0-22.el7_4.x86_64

Comment 19 Lukas Vrabec 2018-01-15 10:19:54 UTC
If SELinux is in permissive mode and you have any trouble with a service (in this case with IPA), it's not an SELinux issue, because in permissive mode the security policy is not enforced, just logged to the audit log.

Lukas.

Comment 20 Sebastián Greco 2018-01-15 11:42:10 UTC
Found out that the time was wrong (1 hour behind). Setting the time manually fixed the issue and I can now log in.

Thanks for your help!

