Bug 1574537 - svnserve cannot contact saslauthd service
Summary: svnserve cannot contact saslauthd service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-03 13:58 UTC by Renaud Métrich
Modified: 2018-10-30 10:04 UTC (History)

Fixed In Version: selinux-policy-3.13.1-199.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1574671
Environment:
Last Closed: 2018-10-30 10:03:50 UTC
Target Upstream Version:

Links: Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:04:28 UTC)

Description Renaud Métrich 2018-05-03 13:58:54 UTC
Description of problem:

When using SASL authentication with svnserve, we can see that attempts to contact saslauthd fail with the following AVC:

# ausearch -ts recent -m avc
----
time->Thu May  3 15:48:17 2018
type=SYSCALL msg=audit(1525355297.711:173): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffcf3adbbc0 a2=6e a3=21 items=0 ppid=3986 pid=4009 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1525355297.711:173): avc:  denied  { connectto } for  pid=4009 comm="svnserve" path="/run/saslauthd/mux" scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket


This looks odd to me since there is a SELinux rule to allow that:

# sesearch -A -s svnserve_t -t saslauthd_t
Found 3 semantic av rules:
   allow domain domain : key { search link } ; 
   allow domain domain : fd use ; 
   allow daemon daemon : unix_stream_socket connectto ; 


Version-Release number of selected component (if applicable):

(RHEL7.5)
selinux-policy-3.13.1-192.el7_5.3.noarch
cyrus-sasl-2.1.26-23.el7.x86_64
subversion-1.7.14-14.el7.x86_64


How reproducible:

Always

Steps to Reproduce:
1. Install subversion and cyrus-sasl

# yum -y install subversion cyrus-sasl-*

2. Configure subversion to use SASL

# mkdir /var/svn; svnadmin create /var/svn/proj; restorecon -R /var/svn
# cat /var/svn/proj/conf/svnserve.conf
[sasl]
use-sasl = true

# cat /etc/sasl2/svn.conf 
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

3. Use svn cli

# svn list -v svn://localhost/proj --username rmetrich
Authentication realm: <svn://localhost:3690> f8e4fb61-99ed-4836-8b7f-e2255581ce72
Password for 'rmetrich': FOO (type something, we don't care)
^C


Actual results:

# ausearch -ts recent -m avc
----
time->Thu May  3 15:57:30 2018
type=SYSCALL msg=audit(1525355850.545:177): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd11d77860 a2=6e a3=7ffd11d77220 items=0 ppid=4362 pid=4442 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1525355850.545:177): avc:  denied  { connectto } for  pid=4442 comm="svnserve" path="/run/saslauthd/mux" scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket

Comment 2 Milos Malik 2018-05-03 14:14:37 UTC
Thanks for the scenario, Renaud.

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(05/03/2018 10:10:17.963:397) : proctitle=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /var/svn 
type=PATH msg=audit(05/03/2018 10:10:17.963:397) : item=0 name=/run/saslauthd/mux inode=104850 dev=00:14 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:saslauthd_var_run_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/03/2018 10:10:17.963:397) :  cwd=/ 
type=SOCKADDR msg=audit(05/03/2018 10:10:17.963:397) : saddr={ fam=local path=/run/saslauthd/mux } 
type=SYSCALL msg=audit(05/03/2018 10:10:17.963:397) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffd14c7a810 a2=0x6e a3=0x7ffd14c7a220 items=1 ppid=10267 pid=10270 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null) 
type=AVC msg=audit(05/03/2018 10:10:17.963:397) : avc:  denied  { connectto } for  pid=10270 comm=svnserve path=/run/saslauthd/mux scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(05/03/2018 10:11:24.145:400) : proctitle=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /var/svn 
type=PATH msg=audit(05/03/2018 10:11:24.145:400) : item=0 name=/run/saslauthd/mux inode=104850 dev=00:14 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:saslauthd_var_run_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/03/2018 10:11:24.145:400) :  cwd=/ 
type=SOCKADDR msg=audit(05/03/2018 10:11:24.145:400) : saddr={ fam=local path=/run/saslauthd/mux } 
type=SYSCALL msg=audit(05/03/2018 10:11:24.145:400) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffd14c7a810 a2=0x6e a3=0x7ffd14c7a220 items=1 ppid=10267 pid=10276 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null) 
type=AVC msg=audit(05/03/2018 10:11:24.145:400) : avc:  denied  { connectto } for  pid=10276 comm=svnserve path=/run/saslauthd/mux scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
----
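The AVC records in the description and in comment 2 show the same denial in two formats (raw `ausearch` output and `ausearch -i` output) and in two modes (enforcing: `success=no`, permissive: `success=yes`). The following script is an added example, not part of the bug report or of selinux-policy: it parses both formats, pairs each AVC with its SYSCALL record by audit serial to tell enforcing from permissive, and prints the matching `sesearch` query and an allow rule for review. The sample records are constructed after the ones above.

```python
"""Parse SELinux AVC denials from ausearch output (raw and -i formats),
determine whether each denial was enforced, and derive the sesearch query
and the allow rule that would cover it."""
import re
from dataclasses import dataclass

# Constructed sample records, modelled on the bug report (fields trimmed).
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1525355297.711:173): arch=c000003e syscall=42 success=no exit=-13 ppid=3986 pid=4009 uid=0 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1525355297.711:173): avc:  denied  { connectto } for  pid=4009 comm="svnserve" path="/run/saslauthd/mux" scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
"""
SAMPLE_INTERPRETED = """\
type=SYSCALL msg=audit(05/03/2018 10:11:24.145:400) : arch=x86_64 syscall=connect success=yes exit=0 ppid=10267 pid=10276 uid=root comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(05/03/2018 10:11:24.145:400) : avc:  denied  { connectto } for  pid=10276 comm=svnserve path=/run/saslauthd/mux scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
"""

EVENT_RE = re.compile(r"msg=audit\(([^)]+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+")


@dataclass
class Denial:
    event: str          # audit serial shared by all records of one event
    comm: str
    source_type: str
    target_type: str
    tclass: str
    perms: tuple
    mode: str = "unknown"   # enforcing / permissive / unknown


def _field(line, name):
    """Return key=value from an audit record; value may be quoted (raw) or bare (-i)."""
    m = re.search(rf'\b{name}=(?:"([^"]*)"|(\S+))', line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _type_of(context):
    """user:role:type:level -> type (e.g. system_u:system_r:svnserve_t:s0 -> svnserve_t)."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_events(text):
    """Collect AVC denials and mark each one enforcing or permissive using the
    success= field of the SYSCALL record with the same audit serial."""
    syscall_success = {}
    denials = []
    for line in text.splitlines():
        rtype, ev = _field(line, "type"), EVENT_RE.search(line)
        if not rtype or not ev:
            continue
        serial = ev.group(1).rsplit(":", 1)[-1]
        if rtype == "SYSCALL":
            syscall_success[serial] = _field(line, "success")
        elif rtype == "AVC":
            m = AVC_RE.search(line)
            if not m:
                continue
            denials.append(Denial(
                event=serial,
                comm=_field(line, "comm") or "",
                source_type=_type_of(_field(line, "scontext")),
                target_type=_type_of(_field(line, "tcontext")),
                tclass=_field(line, "tclass") or "",
                perms=tuple(sorted(m.group(1).split())),
            ))
    # A denied AVC whose syscall still succeeded means the domain was permissive
    # (globally, or via a per-domain permissive setting).
    for d in denials:
        d.mode = {"no": "enforcing", "yes": "permissive"}.get(
            syscall_success.get(d.event), "unknown")
    return denials


def sesearch_cmd(d):
    """The setools query that should list a rule covering this denial."""
    return (f"sesearch -A -s {d.source_type} -t {d.target_type} "
            f"-c {d.tclass} -p {','.join(d.perms)}")


def allow_rule(d):
    """TE allow rule covering the denial, for review before building a local module."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


if __name__ == "__main__":
    for d in parse_events(SAMPLE_RAW + SAMPLE_INTERPRETED):
        print(f"event {d.event}: {d.comm} ({d.source_type}) -> {d.target_type} "
              f"{d.tclass} {d.perms} [{d.mode}]")
        print("  check:", sesearch_cmd(d))
        print("  rule: ", allow_rule(d))
```

Run it on `ausearch -m avc -ts recent` output to get the per-event verdict; the generated allow rule is only a local workaround to review (the fix for this bug is the updated selinux-policy package from the errata). If `sesearch -A` does list a matching rule and the denial still occurs, as in the description, check whether the rule is conditional: `sesearch -C` prints the boolean guarding each rule, and a rule behind a disabled boolean is listed but has no effect.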

Comment 3 Milos Malik 2018-05-03 15:03:02 UTC
For QE purposes:
Successful authentication via the svn CLI requires the following operation to be done first:
# ln -s /etc/pam.d/login /etc/pam.d/svn

Comment 8 errata-xmlrpc 2018-10-30 10:03:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
