Bug 1548439 - freeIPA: AVC denials for scontext=gssproxy_t and tcontext=httpd_t
Summary: freeIPA: AVC denials for scontext=gssproxy_t and tcontext=httpd_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-23 14:25 UTC by Christian Heimes
Modified: 2018-04-17 09:49 UTC (History)

Fixed In Version: selinux-policy-3.14.1-18.fc28
Clone Of:
Environment:
Last Closed: 2018-03-26 22:31:31 UTC
Type: Bug
Embargoed:


Attachments
All AVCs related to gssproxy (7.41 KB, text/plain)
2018-02-23 14:31 UTC, Christian Heimes

Description Christian Heimes 2018-02-23 14:25:59 UTC
Description of problem:
I'm getting multiple SELinux AVCs for gssproxy during installation of the latest freeIPA master (4.7-dev).

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-8.fc28.noarch
freeipa-server-4.6.90.dev201802231329+git0aaee0a97-0.fc28.x86_64
gssproxy-0.8.0-1.fc28.x86_64
httpd-2.4.29-5.fc28.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Build latest freeIPA from git master
2. ipa-server-install
3.

Actual results:
type=AVC msg=audit(1519395012.557:1182): avc:  denied  { sys_ptrace } for  pid=62136 comm="gssproxy" capability=19  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1519395012.557:1183): avc:  denied  { read } for  pid=62136 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1

type=AVC msg=audit(1519395012.557:1184): avc:  denied  { getattr } for  pid=62136 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=148624 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1


Expected results:
No AVC

Additional info:

Comment 1 Christian Heimes 2018-02-23 14:31:01 UTC
Created attachment 1399886 [details]
All AVCs related to gssproxy

Comment 2 Lukas Vrabec 2018-03-10 14:17:29 UTC
Christian, 

Is there any possibility that it was built with some debug flags, if it is from the dev branch?

Lukas.

Comment 3 Christian Heimes 2018-03-13 13:50:37 UTC
It's very well possible. I'll do another test installation by the end of the week and will update the ticket.

Comment 4 Christian Heimes 2018-03-14 14:48:31 UTC
I'm still getting AVCs with

mod_auth_gssapi-1.6.0-1.fc28.x86_64
gssproxy-0.8.0-2.fc28.x86_64
selinux-policy-3.14.1-13.fc28.noarch


----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:385): avc:  denied  { search } for  pid=6257 comm="gssproxy" name="6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:386): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/proc/6380/exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:387): avc:  denied  { read } for  pid=6257 comm="gssproxy" name="exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:388): avc:  denied  { read } for  pid=6257 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:384): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/proc/6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.230:389): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=172160 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1
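The records in the Description and in Comment 4 show the same pattern: gssproxy_t checking its own sys_ptrace capability, then searching /proc/<pid> of the httpd process, reading /proc/<pid>/exe and stat-ing /usr/sbin/httpd (httpd_exec_t). All of them carry permissive=1, so they were logged but not enforced; on an enforcing host the same lookups would fail instead of merely being audited. The following Python helper is an added example, not part of this report or of selinux-policy: it parses kernel audit AVC records of this shape, tallies denials by source type, target type, object class and permission, and separates self-capability checks from accesses to another domain's objects, which is the triage question to answer before any policy change. The sample lines are copied from this report; the field names are the standard AVC fields.

```python
import re
from collections import Counter

# Sample records copied from this bug report (Description and Comment 4).
# They are constructed input for the helper, not output it produces.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1519395012.557:1182): avc:  denied  { sys_ptrace } for  pid=62136 comm="gssproxy" capability=19  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1519395012.557:1183): avc:  denied  { read } for  pid=62136 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1519395012.557:1184): avc:  denied  { getattr } for  pid=62136 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=148624 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1521038531.229:385): avc:  denied  { search } for  pid=6257 comm="gssproxy" name="6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1521038531.229:386): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/proc/6380/exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1521038531.229:387): avc:  denied  { read } for  pid=6257 comm="gssproxy" name="exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1521038531.229:388): avc:  denied  { read } for  pid=6257 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1521038531.229:384): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/proc/6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1521038531.230:389): avc:  denied  { getattr } for  pid=6257 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=172160 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1',
]

# Header of a kernel AVC record; the key=value tail is parsed separately.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (path, comm, name) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    rec["stype"] = _type_of(rec["scontext"])
    rec["ttype"] = _type_of(rec["tcontext"])
    # permissive=1 means the access was logged but allowed to proceed.
    rec["enforced"] = rec.get("permissive") != "1"
    return rec


def summarize(lines):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def classify(counts, source_type):
    """Split one source domain's denials into self-capability checks and the
    set of foreign types it touched; the latter is what a policy reviewer
    has to justify before allowing anything."""
    capabilities = sorted(perm for (s, t, cls, perm) in counts
                          if s == source_type and cls == "capability")
    foreign_types = sorted({t for (s, t, cls, perm) in counts
                            if s == source_type and t != source_type})
    return capabilities, foreign_types


if __name__ == "__main__":
    tally = summarize(SAMPLE_AVCS)
    for key, n in sorted(tally.items()):
        print(n, *key)
    print(classify(tally, "gssproxy_t"))
```

Run against the report's own records the tally shows two distinct reads of httpd_t-labelled files and two getattr calls on httpd_exec_t, and classify() reports the single sys_ptrace capability check beside the two foreign types (httpd_exec_t, httpd_t), which is the shape of change the later selinux-policy updates had to cover.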

Comment 5 Fedora Update System 2018-03-25 13:12:22 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 6 Fedora Update System 2018-03-25 20:32:59 UTC
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 7 Fedora Update System 2018-03-26 21:51:02 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 8 Fedora Update System 2018-03-26 22:31:31 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
