Bug 1609477 - SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/
Summary: SELinux is preventing /usr/sbin/httpd from write access on the directory /etc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-07-28 09:19 UTC by Lukas Slebodnik
Modified: 2018-10-12 20:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-10-12 20:02:36 UTC
Type: Bug
Embargoed:



Description Lukas Slebodnik 2018-07-28 09:19:18 UTC
SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/etc/httpd/alias/ default label should be cert_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/httpd/alias/

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed write access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_config_t:s0
Target Objects                /etc/httpd/alias/ [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1
                              SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      3c279d02-7842-42b0-848e-fc8fb766be4d

Raw Audit Messages
type=AVC msg=audit(1532766662.216:613): avc:  denied  { write } for  pid=31744 comm="httpd" name="alias" dev="dm-0" ino=554522 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1532766662.216:613): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=558a0dae3ea5 a2=800c1 a3=180 items=1 ppid=1 pid=31744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.216:613): cwd=/

type=PATH msg=audit(1532766662.216:613): item=0 name=/etc/httpd/alias/ inode=554522 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,httpd_config_t,dir,write

Comment 1 Lukas Slebodnik 2018-07-28 09:21:45 UTC
The directory /etc/httpd/alias/ does not exist after installation of the freeIPA server related packages and it is not owned by any package. I assume it was created by freeIPA but with the wrong SELinux context.

sh# rpm -qf /etc/httpd/alias/
file /etc/httpd/alias is not owned by any package

sh# ls -ldZ /etc/httpd/alias/
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 6 Jul 28 04:29 /etc/httpd/alias/
sh# matchpathcon /etc/httpd/alias/
/etc/httpd/alias        system_u:object_r:cert_t:s0

Comment 2 Rob Crittenden 2018-07-30 02:31:34 UTC
I assume you see this on an install?

I wonder if it is seeing if there are certs/keys to migrate.

Comment 3 Lukas Slebodnik 2018-07-30 07:25:50 UTC
It was a clean installation. So I have no idea what should be migrated. You should know the code better :-)

Comment 4 Alexander Bokovoy 2018-07-30 07:37:58 UTC
We need a place to store a session key used by mod_auth_gssapi. Previously we stored it in /etc/httpd/alias and it was allowed by SELinux rules. As we no longer install mod_nss, we create /etc/httpd/alias ourselves, as per ticket https://pagure.io/freeipa/issue/7529. 

However, I think we aren't restoring SELinux context on it.

The commit message for a fix of issue 7529 says:

commit 49b4a057f1b0459331bcec2c8d760627d00e4571
Author: Christian Heimes <cheimes>
Date:   Fri May 4 10:47:00 2018 +0200

    Create missing /etc/httpd/alias for ipasession.key
    
    The directory /etc/httpd/alias was created by mod_nss. Since FreeIPA no
    longer depends on mod_nss, the directory is no longer created on fresh
    systems.
    
    Note: At first I wanted to move the file to /var/lib/ipa/private/ or
    /var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
    going to move the file after a new SELinux policy is available.
    
    See: https://pagure.io/freeipa/issue/7529
    Signed-off-by: Christian Heimes <cheimes>
    Reviewed-By: Rob Crittenden <rcritten>


So first we need a new policy that allows httpd_t to write to ipa_var_lib_t to drop the alias part completely.

Comment 5 Lukas Slebodnik 2018-07-30 11:31:43 UTC
(In reply to Alexander Bokovoy from comment #4)
> So first we need a new policy that allows httpd_t to write to ipa_var_lib_t
> to drop alias part completely.

NO,

ipa_var_lib_t is very general.
And it already works for /etc/httpd/alias with the right SELinux context (cert_t instead of httpd_config_t). And there are already many places which have the label cert_t if you do not want /etc/httpd/alias:

sh# semanage fcontext -l | grep system_u:object_r:cert_t
/etc/(letsencrypt|certbot)/(live|archive)(/.*)?    all files          system_u:object_r:cert_t:s0 
/etc/docker/certs\.d(/.*)?                         all files          system_u:object_r:cert_t:s0 
/etc/httpd/alias(/.*)?                             all files          system_u:object_r:cert_t:s0 
/etc/ipa/nssdb(/.*)?                               all files          system_u:object_r:cert_t:s0 
/etc/pki(/.*)?                                     all files          system_u:object_r:cert_t:s0 
/etc/ssl(/.*)?                                     all files          system_u:object_r:cert_t:s0 
/usr/share/ca-certificates(/.*)?                   all files          system_u:object_r:cert_t:s0 
/usr/share/pki/ca-certificates(/.*)?               all files          system_u:object_r:cert_t:s0 
/usr/share/pki/ca-trust-source(/.*)?               all files          system_u:object_r:cert_t:s0 
/usr/share/ssl/certs(/.*)?                         all files          system_u:object_r:cert_t:s0 
/usr/share/ssl/private(/.*)?                       all files          system_u:object_r:cert_t:s0 
/var/lib/letsencrypt(/.*)?                         all files          system_u:object_r:cert_t:s0 
/var/named/chroot/etc/pki(/.*)?                    all files          system_u:object_r:cert_t:s0

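As an added illustration (not code from this report or from FreeIPA), here is the triage logic behind the two sealert suggestions in the description and the ls -Z / matchpathcon check in comments 1 and 5: parse the AVC record, compare the denied object's actual type with the policy default, and only propose a local allow module when the label already matches the default. The AVC and matchpathcon lines are copied from this report; the function names are my own.

```python
import re

# Constructed sample input: the raw AVC record from this report.
SAMPLE_AVC = ('type=AVC msg=audit(1532766662.216:613): avc:  denied  { write } for  pid=31744 '
              'comm="httpd" name="alias" dev="dm-0" ino=554522 '
              'scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0')

# Constructed sample input: the matchpathcon line from comment 1.
SAMPLE_MATCHPATHCON = '/etc/httpd/alias        system_u:object_r:cert_t:s0'


def parse_avc(line):
    """Extract the fields of an audit AVC record that matter for triage."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key in ('comm', 'name', 'scontext', 'tcontext', 'tclass', 'permissive'):
        km = re.search(r'\b%s="?([^"\s]+)"?' % key, line)
        if km:
            rec[key] = km.group(1)
    return rec


def parse_matchpathcon(line):
    """Split one line of matchpathcon output into (path, default context)."""
    path, context = line.split()
    return path, context


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(':')[2]


def triage(avc, default_context):
    """Decide between the two sealert plugins.

    'relabel': the object's on-disk type differs from the policy default,
               so the right fix is restorecon (the 99.5 % case in this report).
    'policy':  the label already matches the default, so the denial is a real
               policy gap and only then is a local module or a bug report warranted.
    """
    actual = selinux_type(avc['tcontext'])
    expected = selinux_type(default_context)
    return 'relabel' if actual != expected else 'policy'


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    _, default = parse_matchpathcon(SAMPLE_MATCHPATHCON)
    print(rec['comm'], rec['perms'], rec['tclass'], '->', triage(rec, default))
```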
Comment 6 Adam Williamson 2018-07-31 21:05:02 UTC
Can we have freeipa restore the context on /etc/httpd/alias when it creates it, then, for now? These AVCs show up on every deployment test, I think.

Comment 7 Lukas Slebodnik 2018-07-31 21:12:40 UTC
(In reply to Adam Williamson from comment #6)
> Can we have freeipa restore the context on /etc/httpd/alias when it creates
> it, then, for now? These AVCs show up on every deployment test, I think.

BTW, installation of master, replica and client passed for me even with dontaudit rules. But running restorecon is a proper quick fix.

Comment 8 Alexander Bokovoy 2018-08-01 07:49:20 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7662

Comment 9 Rob Crittenden 2018-08-03 18:09:24 UTC
master:

    f751697 httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
    354d729 ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X

Comment 10 Lukas Slebodnik 2018-08-23 07:07:24 UTC
(In reply to Rob Crittenden from comment #9)
> master:
> 
>     f751697 httpinstance: Restore SELinux context of session_dir
> /etc/httpd/alias
>     354d729 ipa_restore: Restore SELinux context of template_dir
> /var/log/dirsrv/slapd-X

Is there an ETA for fixing this in Fedora? It would be good to reduce unnecessary AVC noise.

Comment 11 Florence Blanc-Renaud 2018-10-08 08:37:15 UTC
freeipa 4.7.1 has just been released and contains the fix:
https://www.freeipa.org/page/Releases/4.7.1

Comment 12 Lukas Slebodnik 2018-10-12 18:44:08 UTC
(In reply to Florence Blanc-Renaud from comment #11)
> freeipa 4.7.1 has just been released and contains the fix:
> https://www.freeipa.org/page/Releases/4.7.1

I would say it was fixed also in freeipa-4.7.0-3.fc28

https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

Just nobody added this BZ to that bodhi update.

Comment 13 Adam Williamson 2018-10-12 20:02:36 UTC
Indeed, I just checked the logs from a recent F28 FreeIPA deployment test in openQA and don't see these denials any more. Thanks.

