Bug 1754189 - SELinux is preventing /usr/bin/python3.8 from using the dac_override capability
Summary: SELinux is preventing /usr/bin/python3.8 from using the dac_override capability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-21 15:30 UTC by Lukas Slebodnik
Modified: 2019-10-28 01:39 UTC (History)

Fixed In Version: freeipa-4.8.1-4.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-28 01:39:12 UTC
Type: Bug
Embargoed:



Description Lukas Slebodnik 2019-09-21 15:30:45 UTC
*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify whether the domain needs this access, or you have a file with the wrong permissions on your system,
then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate the AVC. Then execute
# ausearch -m avc -ts recent
If you see a PATH record, check ownership/permissions on the file and fix it;
otherwise report it as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that python3.8 should have the dac_override capability by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
Allow this access for now by executing:
# ausearch -c 'ipa-custodia-dm' --raw | audit2allow -M my-ipacustodiadm
# semodule -X 300 -i my-ipacustodiadm.pp


Additional Information:
Source Context                system_u:system_r:ipa_custodia_t:s0
Target Context                system_u:system_r:ipa_custodia_t:s0
Target Objects                /root/.ipa [ capability ]
Source                        ipa-custodia-dm
Source Path                   /usr/bin/python3.8
Port                          <Unknown>
Host                          kvm-02-guest17.testrelm.test
Source RPM Packages           python3-3.8.0~b4-1.fc32.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.5-5.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux host.example.com
                              5.4.0-0.rc0.git4.1.fc32.x86_64 #1 SMP Fri Sep 20
                              19:05:59 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-09-21 11:08:02 EDT
Last Seen                     2019-09-21 11:08:02 EDT
Local ID                      ad455b5a-f9ad-4dfc-96e3-854a5458377a

Raw Audit Messages
type=AVC msg=audit(1569078482.357:613): avc:  denied  { dac_override } for  pid=30078 comm="ipa-custodia-dm" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=0


type=SYSCALL msg=audit(1569078482.357:613): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f24551bc950 a1=1ff a2=0 a3=7fff66b48737 items=2 ppid=30077 pid=30078 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ipa-custodia-dm exe=/usr/bin/python3.8 subj=system_u:system_r:ipa_custodia_t:s0 key=(null)

type=CWD msg=audit(1569078482.357:613): cwd=/

type=PATH msg=audit(1569078482.357:613): item=0 name=/root/ inode=16797825 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1569078482.357:613): item=1 name=/root/.ipa nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: ipa-custodia-dm,ipa_custodia_t,ipa_custodia_t,capability,dac_override
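The dac_override plugin above says to look for a PATH record and check ownership and permissions; the raw messages already carry one (item=0, /root/ with mode 040550, owned by uid 0). The caller runs with fsuid 0 as well, and 0550 gives the owner no write bit, so plain DAC refuses the mkdir and the kernel falls back to CAP_DAC_OVERRIDE, which the ipa_custodia_t domain is not allowed. Below is an added example, not code from the bug report, FreeIPA or setroubleshoot: a small Python script that groups audit records by event id, pulls the PARENT path and the caller's filesystem ids out of the PATH and SYSCALL records, and applies the discretionary write check the kernel performs before it considers the capability. The sample records are the ones quoted above, embedded as constructed input; function names and verdict strings are mine.

```python
"""Triage a dac_override AVC by correlating the AVC, SYSCALL and PATH records
of one audit event.

Added example for this bug page; not code from the report, FreeIPA or
setroubleshoot.  Function names and the verdict strings are mine.
"""
import re
import stat
from collections import defaultdict

# Constructed sample input: the records quoted in the report, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1569078482.357:613): avc:  denied  { dac_override } for  pid=30078 comm="ipa-custodia-dm" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1569078482.357:613): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f24551bc950 a1=1ff a2=0 a3=7fff66b48737 items=2 ppid=30077 pid=30078 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ipa-custodia-dm exe=/usr/bin/python3.8 subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=CWD msg=audit(1569078482.357:613): cwd=/
type=PATH msg=audit(1569078482.357:613): item=0 name=/root/ inode=16797825 dev=fd:00 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1569078482.357:613): item=1 name=/root/.ipa nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_records(text):
    """Group records by (timestamp, serial) so the AVC/SYSCALL/PATH lines of one event sit together."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        perms = PERMS_RE.search(m.group("body"))  # the AVC permission set is not key=value
        if perms:
            fields["permissions"] = perms.group(1).split()
        events[(m.group("ts"), m.group("serial"))].append((m.group("type"), fields))
    return dict(events)


def dac_allows_write(mode, ouid, ogid, fsuid, fsgid, groups=()):
    """Discretionary write check as the kernel evaluates it before CAP_DAC_OVERRIDE:
    owner bits if the caller owns the inode, else group bits if it is in the
    owning group, else other bits.  Filesystem ids (fsuid/fsgid) are what count."""
    perm = stat.S_IMODE(mode)
    if fsuid == ouid:
        return bool(perm & stat.S_IWUSR)
    if fsgid == ogid or ogid in groups:
        return bool(perm & stat.S_IWGRP)
    return bool(perm & stat.S_IWOTH)


def classify_dac_override(event):
    """Explain a dac_override denial in one event; returns None if there is no such AVC."""
    avc = next((f for t, f in event if t == "AVC" and "dac_override" in f.get("permissions", ())), None)
    syscall = next((f for t, f in event if t == "SYSCALL"), None)
    if avc is None or syscall is None:
        return None
    paths = [f for t, f in event if t == "PATH"]
    parent = next((p for p in paths if p.get("nametype") == "PARENT"), None)
    target = next((p for p in paths if p.get("nametype") != "PARENT"), None)
    result = {
        "comm": avc["comm"],
        "domain": avc["scontext"].split(":")[2],
        "syscall": syscall["syscall"],
        "target": target["name"] if target else None,
    }
    if parent is None or "mode" not in parent:
        result["verdict"] = "no PATH record with a mode: enable full auditing and reproduce"
        return result
    mode = int(parent["mode"], 8)
    fsuid, fsgid = int(syscall["fsuid"]), int(syscall["fsgid"])
    allowed = dac_allows_write(mode, int(parent["ouid"]), int(parent["ogid"]), fsuid, fsgid)
    result.update(parent=parent["name"], parent_mode=oct(stat.S_IMODE(mode)), dac_write_allowed=allowed)
    if allowed:
        result["verdict"] = "DAC already permits the write; re-check the path, permissions may have changed"
    else:
        result["verdict"] = (
            f"fsuid {fsuid} has no DAC write on {parent['name']} (mode {result['parent_mode']}, "
            f"owner {parent['ouid']}); the kernel fell back to CAP_DAC_OVERRIDE, which "
            f"{result['domain']} is not allowed: fix the mode or stop writing there"
        )
    return result


if __name__ == "__main__":
    for event in parse_records(SAMPLE_AUDIT).values():
        print(classify_dac_override(event))
```

Run it against the output of `ausearch -m avc --raw` to get the same verdict for live denials. Two caveats for this bug: 0550 is the mode the Fedora filesystem package gives /root, so the directory is not misconfigured, and the audit2allow route the catchall plugin offers would grant dac_override to everything running as ipa_custodia_t, i.e. permission to ignore mode bits on any file. The upstream fix recorded in this bug takes the other branch of the verdict and stops the helper from writing there.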

Comment 1 Lukas Slebodnik 2019-09-21 15:32:24 UTC
Actually, that's a bug in freeIPA.
Daemons should avoid creating anything in /root

Comment 2 Lukas Slebodnik 2019-10-16 09:59:18 UTC
Any progress here?

Comment 3 Alexander Bokovoy 2019-10-16 10:19:18 UTC
Yes, fixed upstream in 
commit 90f72324549f2bceba3e051efb2a1b43c467ff8a
Author: Christian Heimes <cheimes>
Date:   Mon Sep 23 18:23:04 2019 +0200

    Don't create log files from help scripts
    
    Helper scripts now use api.bootstrap(log=None) to avoid the creation of
    log files. Helper scripts are typically executed from daemons which
    perform their own logging. The helpers still log to stderr/stdout.
    
    This also gets rid of some SELinux AVCs when the script tries to write
    to /root/.ipa/.
    
    Fixes: https://pagure.io/freeipa/issue/8075
    Signed-off-by: Christian Heimes <cheimes>
    Reviewed-By: Alexander Bokovoy <abokovoy>
    Reviewed-By: Rob Crittenden <rcritten>

I'm planning to do an update in Fedora this week.

Comment 4 Lukas Slebodnik 2019-10-16 15:42:53 UTC
It is super cool that it was fixed upstream almost a month ago, but that does not help in rawhide.

Any ETA for backport/new-release?

Comment 5 Alexander Bokovoy 2019-10-16 16:46:16 UTC
Liukas, I already commented on "when".

Comment 6 Lukas Slebodnik 2019-10-17 11:10:03 UTC
(In reply to Alexander Bokovoy from comment #5)
> Liukas, I already commented on "when".

My brain considered that to be part of the commit message.
Please accept my apologies, and sorry for the unnecessary needinfo.

Comment 7 Fedora Update System 2019-10-20 10:47:23 UTC
FEDORA-2019-2bfacfd6d4 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2bfacfd6d4

Comment 8 Fedora Update System 2019-10-20 17:13:37 UTC
freeipa-4.8.1-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2bfacfd6d4

Comment 9 Fedora Update System 2019-10-28 01:39:12 UTC
freeipa-4.8.1-4.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

