Bug 1483170 - 'map' denial for comm 'ns-slapd' path '/run/dirsrv/slapd-DOMAIN-LOCAL.stats' (breaks FreeIPA deployment)
Summary: 'map' denial for comm 'ns-slapd' path '/run/dirsrv/slapd-DOMAIN-LOCAL.stats' ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F27BetaBlocker 1481454
Reported: 2017-08-18 23:16 UTC by Adam Williamson
Modified: 2017-09-12 22:46 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-276.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-12 22:46:15 UTC
Type: Bug
Embargoed:


Description Adam Williamson 2017-08-18 23:16:46 UTC
Getting this SELinux denial during openQA FreeIPA server deployment tests:

Aug 17 22:24:53 ipa001.domain.local audit[4292]: AVC avc:  denied  { map } for  pid=4292 comm="ns-slapd" path="/run/dirsrv/slapd-DOMAIN-LOCAL.stats" dev="tmpfs" ino=33024 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file permissive=0

I believe it's preventing the deployment from working, as it fails with this error:

[17/08/18:01:34:53] - [Setup] Info Could not start the directory server using command '/bin/systemctl start dirsrv'.  The last line from the error log was '[18/Aug/2017:01:24:53.192492479 -0400] - EMERG - snmp collator - Failed to open stats file (/var/run/dirsrv/slapd-DOMAIN-LOCAL.stats) (error 1): Operation not permitted.

Note that the DOMAIN-LOCAL part of the file name is variable (it's based on the domain's name).

Proposing as an F27 Beta blocker as this prevents FreeIPA deployment, which violates Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Role_definition_requirements - since the domain controller role is a release-blocking role.

Comment 1 Adam Williamson 2017-08-18 23:18:08 UTC
cc'ing freeipa folks for reference (just so you know what's busted; I don't think you have anything to fix here).

Comment 2 Kamil Páral 2017-08-21 17:21:27 UTC
Discussed during blocker review [1]:

AcceptedBlocker (Beta) - breaks deployment of FreeIPA servers, clear violation of Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." for the domain controller role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/

Comment 3 Adam Williamson 2017-08-23 21:38:55 UTC
3.13.1-273 does seem to fix this exact denial, but 389-ds still fails to start (and FreeIPA deployment fails) due to another, similar denial:

Aug 23 12:42:11 ipa001.domain.local audit[4319]: AVC avc:  denied  { map } for  pid=4319 comm="ns-slapd" path="/dev/shm/QSql25" dev="tmpfs" ino=32992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=0

should I file a new bug for that?

Comment 4 Lukas Vrabec 2017-08-26 10:10:13 UTC
No, I'll fix it.

Comment 5 Adam Williamson 2017-09-12 02:03:48 UTC
Once again, that denial is fixed in -276 (well, I checked with -280), but there are still some denials that prevent deployment working in -280:

Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

I have also mentioned this in https://bugzilla.redhat.com/show_bug.cgi?id=1488404 .

Comment 6 Lukas Slebodnik 2017-09-12 08:08:31 UTC
(In reply to Adam Williamson from comment #5)
> Once again, that denial is fixed in -276 (well, I checked with -280), but
> there are still some denials that prevent deployment working in -280:
> 
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> 

Lukas,
I hope you didn't try to allow these AVCs, because it is a bug in the ipa-server-install script (BZ1490762).

Comment 7 Alexander Bokovoy 2017-09-12 21:19:32 UTC
I have fixed it in https://github.com/freeipa/freeipa/pull/1062

So we either use this bug to deliver a freeipa update with it or add bugzilla 1490762 to the blockers list.

Comment 8 Adam Williamson 2017-09-12 22:46:15 UTC
We've made 1490762 an AcceptedBlocker; please send out a FreeIPA update marked as fixing it. Thanks!

Since there's only the rolekit_tmp denials and one other denial for systemd during decommissioning left in current F27 composes, I'm going to close this bug now.
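
Added illustration for this thread (not code from the bug, from selinux-policy or from FreeIPA): the AVC records quoted in the description and in comments 3 and 5, run through a small parser that does what audit2allow does, collapsing denials onto (source type, target type, class) and emitting allow rules, and then sorting the candidates with a deliberately crude heuristic: a target type outside the source domain's own type family (rolekit_tmp_t versus the dirsrv_* types) is more likely a mislabeled file than a missing rule, which is the distinction comment 6 draws for dse.ldif. The sample lines are copied from this bug; the heuristic, function names and bucket names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample audit records, copied from the AVC lines quoted in this bug (comments 0, 3 and 5).
SAMPLE_AUDIT = """\
Aug 17 22:24:53 ipa001.domain.local audit[4292]: AVC avc:  denied  { map } for  pid=4292 comm="ns-slapd" path="/run/dirsrv/slapd-DOMAIN-LOCAL.stats" dev="tmpfs" ino=33024 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file permissive=0
Aug 23 12:42:11 ipa001.domain.local audit[4319]: AVC avc:  denied  { map } for  pid=4319 comm="ns-slapd" path="/dev/shm/QSql25" dev="tmpfs" ino=32992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
"""

# Matches the AVC portion of a journal or audit.log line:
#   avc:  denied  { perm perm } for  key=value ... permissive=0
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+permissive=(?P<permissive>[01])"
)
# key=value pairs; values are either double-quoted (comm, path, name, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; allow rules are written in terms of the type.
    return {
        "perms": frozenset(m.group("perms").split()),
        "permissive": m.group("permissive") == "1",
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "tclass": fields["tclass"],
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }


def merge_denials(records):
    """Collapse denials onto (source type, target type, class), unioning permissions.
    This is the grouping audit2allow uses when it emits allow rules."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return merged


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule in policy syntax; braces only when there are several perms."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def allow_rules(records):
    """Allow rules that would silence every denial in `records`, in deterministic order."""
    merged = merge_denials(records)
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]


def triage(records):
    """Split candidate rules into ones a policy change plausibly fixes and ones that need
    a human look. Heuristic assumed by this example: a target type that does not share
    the source domain's prefix (dirsrv_t -> 'dirsrv_') often means the file itself is
    mislabeled, so the fix belongs in whatever created it, not in an allow rule."""
    out = {"policy": [], "review": []}
    for (s, t, c), p in sorted(merge_denials(records).items()):
        prefix = s[:-2] + "_" if s.endswith("_t") else s + "_"
        bucket = "policy" if t.startswith(prefix) else "review"
        out[bucket].append(format_rule(s, t, c, p))
    return out


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_AUDIT.splitlines()) if r]
    result = triage(recs)
    print("# candidate rules a policy update could carry:")
    print("\n".join(result["policy"]))
    print("# candidate rules to review before allowing (probable mislabeling):")
    print("\n".join(result["review"]))
```

Run stand-alone, it puts the two `map` rules (dirsrv_var_run_t and dirsrv_tmpfs_t) in the policy bucket, which are the denials selinux-policy -273 and -276 addressed in this thread, and the rolekit_tmp_t write/link rule in the review bucket, which was fixed in ipa-server-install (BZ1490762) rather than by an allow rule. Before shipping any candidate, check whether the installed policy already carries it, for example with setools' `sesearch -A -s dirsrv_t -t dirsrv_var_run_t -c file -p map`, instead of trusting the audit log alone.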

