Bug 1690444 - Add policy for cockpit-cert-session
Summary: Add policy for cockpit-cert-session
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 1678465
TreeView+ depends on / blocked
Reported: 2019-03-19 13:46 UTC by Martin Pitt
Modified: 2019-04-11 08:29 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.2-53.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-04-08 01:52:56 UTC
Type: Bug

Attachments (Terms of Use)

Description Martin Pitt 2019-03-19 13:46:59 UTC
Description of problem: As part of adding smart card authentication support to Cockpit, I'm adding a new /usr/libexec/cockpit-cert-session auth command to Cockpit. This is similar to the existing /usr/libexec/cockpit-session, except that it maps a client-side TLS certificate to a user name via sssd [1] instead of the user/password PAM auth.

By and large this needs the same cockpit_session_t privileges as cockpit-session, except that in addition it also needs to be allowed to talk to sssd on D-Bus.

So for the new binary I did

    semanage fcontext -a /usr/libexec/cockpit-cert-session -t cockpit_session_exec_t
    restorecon /usr/libexec/cockpit-cert-session

and to allow D-Bus with sssd I did

   cat <<EOF > /tmp/local.te
module local 1.0;
require { type cockpit_session_t; type sssd_t; class dbus send_msg; }
allow cockpit_session_t sssd_t:dbus send_msg;
allow sssd_t cockpit_session_t:dbus send_msg;

    checkmodule -M -m -o /tmp/local.mod /tmp/local.te
    semodule_package -o /tmp/local.pp -m /tmp/local.mod
    semodule -i /tmp/local.pp

With these, everything works fine in enforcing mode, without any (new) avc denials.

[1] https://www.freeipa.org/page/V4/User_Certificates

Version-Release number of selected component (if applicable):


Comment 1 Zdenek Pytela 2019-03-19 14:13:53 UTC
PR created:

Comment 2 Zdenek Pytela 2019-03-19 14:58:18 UTC

When is this feature expected to be added - is F30 as the target release enough?

Comment 3 Martin Pitt 2019-03-19 16:14:13 UTC

Yes, absolutely. We'll also need it in RHEL downstream at some point, but I'll clone this bug/file it once it becomes relevant. I'm filing this early to avoid a rush on any side.

Is the information enough here, or should I try and translate the /tmp/local.te into a PR for selinux-policy?


Comment 4 Zdenek Pytela 2019-03-19 16:23:54 UTC

I created the PR based on your request stating it is enough for the feature to be working, just using existing interface. Feel free to review or try out.

Comment 5 Martin Pitt 2019-03-19 16:39:52 UTC
Hang on, on Fedora 29 (not on RHEL 8 or anywhere else) I get these two violations. They don't break the operation, but still cause unexpected log errors:

audit: type=1400 audit(1553006049.704:621): avc:  denied  { map } for  pid=8208 comm="pool" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=8538086 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
audit: type=1400 audit(1553006049.710:622): avc:  denied  { map } for  pid=8208 comm="pool" path="/etc/pki/ca-trust/source/ipa.p11-kit" dev="dm-0" ino=9401424 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

I'm not sure what "pool" is (there is no such binary), but I'm fairly sure that this is cockpit's web server trying to validate the TLS certificate, through glib-networking → gnutls.

I'll play around with that a bit and see how to extend the policy to allow this. At this point I suppose it's better to follow up on the PR. Thank you!

Comment 6 Zdenek Pytela 2019-03-22 10:06:47 UTC
Base policy PR for miscfiles_dontaudit_map_generic_certs interface:

Comment 7 Fedora Update System 2019-04-05 17:27:50 UTC
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 8 Fedora Update System 2019-04-06 20:51:10 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 9 Fedora Update System 2019-04-08 01:52:56 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Martin Pitt 2019-04-11 08:29:26 UTC
For the record, these changes are *not* present in F29, and also not mentioned in the selinux-policy-3.14.2-53.fc29 changelog. I assume the bug should have been closed in F30 only?

Note You need to log in before you can comment on or make changes to this bug.