Bug 1609475 - SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service
Summary: SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/li...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1609476 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-28 09:02 UTC by Lukas Slebodnik
Modified: 2018-10-07 20:57 UTC (History)
14 users (show)

Fixed In Version: freeipa-4.7.0-3.fc28 freeipa-4.7.0-3.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-02 16:01:10 UTC
Type: Bug


Attachments (Terms of Use)

Description Lukas Slebodnik 2018-07-28 09:02:11 UTC
SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the fedora-domainname.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/fedora-domainname.service
                              [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages           initscripts-9.80-1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1
                              SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      5e3ab204-b8c6-4aa4-a783-31a391e13031

Raw Audit Messages
type=AVC msg=audit(1532766662.725:619): avc:  denied  { getattr } for  pid=31754 comm="httpd" path="/usr/lib/systemd/system/fedora-domainname.service" dev="dm-0" ino=8738822 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1532766662.725:619): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f323c4f1730 a1=7fffac0f7d00 a2=7fffac0f7d00 a3=7f323c4f1768 items=1 ppid=31744 pid=31754 auid=4294967295 uid=385 gid=385 euid=385 suid=385 fsuid=385 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.725:619): cwd=/

type=PATH msg=audit(1532766662.725:619): item=0 name=/usr/lib/systemd/system/fedora-domainname.service inode=8738822 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_unit_file_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,systemd_unit_file_t,file,getattr

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server selinux-policy
freeipa-server-4.7.0-1.fc28.x86_64
selinux-policy-3.14.1-36.fc28.noarch

Comment 1 Lukas Slebodnik 2018-07-28 09:05:06 UTC
I have no idea what freeIPA server tries to do but it did not happen in older version. And IMHO, it is not ideal that it happens as httpd_t. httpd_t shouls not be allowed many things. If it is really needed then there should be special SELinux boolean  httpd_ipa_something

Comment 2 Rob Crittenden 2018-07-30 02:28:52 UTC
Do you know what context this is happening? Is the installer, every time httpd starts?

Comment 3 Lukas Slebodnik 2018-07-30 07:26:37 UTC
I saw it as part of installation. I can check restarting of httpd

Comment 4 Rob Crittenden 2018-07-30 18:40:53 UTC
I've reproduced it and confirmed it appears when httpd is restarted. Still investigating why.

Comment 5 Rob Crittenden 2018-07-30 18:51:40 UTC
The name of the service that manages the NIS domainname keeps changing so the following was added to the platform code ipaplatform/fedora/services.py:

HAS_FEDORA_DOMAINNAME_SERVICE = os.path.isfile(
    "/usr/lib/systemd/system/fedora-domainname.service"
)

if HAS_FEDORA_DOMAINNAME_SERVICE:
    fedora_system_units['domainname'] = 'fedora-domainname.service'

That explains the getattr. That it fails isn't important but we should try to avoid the AVC.

Comment 6 Lukas Slebodnik 2018-07-30 19:35:13 UTC
(In reply to Rob Crittenden from comment #4)
> I've reproduced it and confirmed it appears when httpd is restarted. Still
> investigating why.

Thank you very much. I did not have a time to try 2nd case today.

Comment 7 Rob Crittenden 2018-07-30 19:37:03 UTC
*** Bug 1609476 has been marked as a duplicate of this bug. ***

Comment 8 Rob Crittenden 2018-07-30 19:38:49 UTC
I disabled the code in my install and the AVC went away. It also got ride of the ipa-dnskeysyncd AVC which had different behavior but the same root cause apparently.

Comment 9 Alexander Bokovoy 2018-08-01 07:48:56 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7661

Comment 10 Lukas Slebodnik 2018-08-23 07:08:15 UTC
Is there an ETA for fixing this in fedora? It would be good to reduce unnecessary AVC noise?

Comment 12 Fedora Update System 2018-09-05 09:53:15 UTC
freeipa-4.7.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-16f734859d

Comment 13 Fedora Update System 2018-09-05 09:53:23 UTC
freeipa-4.7.0-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

Comment 14 Fedora Update System 2018-09-05 21:28:02 UTC
freeipa-4.7.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-16f734859d

Comment 15 Fedora Update System 2018-09-07 00:07:26 UTC
freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

Comment 16 Fedora Update System 2018-09-07 00:07:54 UTC
freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

Comment 17 Jan Pazdziora 2018-10-01 08:40:45 UTC
What is the plan here? The change is in testing for 24 days ... can we move it closer to updates so that automated tests stop showing the AVC noise?

Comment 18 Rob Crittenden 2018-10-01 12:24:28 UTC
It should go to stable soon.

Comment 19 Fedora Update System 2018-10-02 16:01:10 UTC
freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2018-10-07 20:57:54 UTC
freeipa-4.7.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.