Bug 1730144 - AVC seen executing /usr/libexec/certmonger/ipa-submit
Summary: AVC seen executing /usr/libexec/certmonger/ipa-submit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
: 1731066 1731160 1734399 1738271 1740540 1740642 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-16 01:21 UTC by Xiyang Dong
Modified: 2019-11-05 22:12 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:12:08 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3547 None None None 2019-11-05 22:12:18 UTC

Description Xiyang Dong 2019-07-16 01:21:43 UTC
Description of problem:
AVC seen during certmonger ipa-submit

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-11.el8.noarch
ipa-server-4.8.0-1.module+el8.1.0+3577+202f0a51.x86_64.rpm
certmonger-0.79.7-3.el8.x86_64.rpm
krb5-server-1.17-7.el8.x86_64.rpm
 

How reproducible:
Always

Steps to Reproduce:
1. Running test execution http://ci-vm-10-0-148-68.hosted.upshift.rdu2.redhat.com/ipa-nightly-tier1/master/2/ipa-ctl/restraint.01/


Actual results:
Test failed with avc errors


Expected results:
Test pass

Additional info:
AVC log http://ci-vm-10-0-148-68.hosted.upshift.rdu2.redhat.com/ipa-nightly-tier1/master/2/ipa-ctl/restraint.01/recipes/1/tasks/2/results/1563226469/logs/avc.log

Comment 1 Milos Malik 2019-07-16 05:38:02 UTC
Following SELinux denial appeared multiple times in results of the test job:
----
time->Mon Jul 15 17:45:27 2019
type=PROCTITLE msg=audit(1563227127.635:1816): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E6364
type=PATH msg=audit(1563227127.635:1816): item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563227127.635:1816): cwd="/"
type=SYSCALL msg=audit(1563227127.635:1816): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55b84686cdd0 a2=0 a3=0 items=1 ppid=1 pid=12055 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysyncd" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1563227127.635:1816): avc:  denied  { search } for  pid=12055 comm="ipa-dnskeysyncd" name="krb5" dev="vda1" ino=327195 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

Comment 3 Lukas Vrabec 2019-07-18 11:30:10 UTC
*** Bug 1731066 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2019-07-18 15:51:48 UTC
*** Bug 1731160 has been marked as a duplicate of this bug. ***

Comment 5 Kaleem 2019-07-25 12:02:51 UTC
Lukas,

There are some additional avc denial in closed duplicate bug https://bugzilla.redhat.com/show_bug.cgi?id=1731160#c0
Please have a look at those too.

Comment 6 Lukas Vrabec 2019-07-25 12:36:06 UTC
@Kaleem, 

These are same SELinux denials.

Comment 8 Kaleem 2019-07-30 11:10:37 UTC
resetting the needinfo to Alexander.

Comment 9 Alexander Bokovoy 2019-07-30 12:15:50 UTC
ipa_dnskey_t context is using Kerberos client keytab and has to have access to its own keytab. This is OK.

Comment 10 Lukas Vrabec 2019-07-30 13:04:33 UTC
*** Bug 1734399 has been marked as a duplicate of this bug. ***

Comment 13 Thomas Woerner 2019-08-09 06:45:43 UTC
We have a new bug using selinux-policy-3.14.3-13.el8.noarch that seems to be related to this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1738271

Comment 14 Lukas Vrabec 2019-08-09 13:02:21 UTC
*** Bug 1738271 has been marked as a duplicate of this bug. ***

Comment 15 Lukas Vrabec 2019-08-09 13:40:09 UTC
commit 6ad5267f708da377916e466babc13865c9ebdb16 (HEAD -> rhel8.1-contrib, origin/rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Aug 9 15:38:45 2019 +0200

    Allow ipa_dnskey_t domain to read kerberos keytab
    Resolves: rhbz#1730144

Comment 17 Lukas Vrabec 2019-08-13 11:48:59 UTC
*** Bug 1740540 has been marked as a duplicate of this bug. ***

Comment 18 Lukas Vrabec 2019-08-13 16:51:08 UTC
*** Bug 1740642 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2019-11-05 22:12:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547


Note You need to log in before you can comment on or make changes to this bug.