Description of problem:
SELinux is preventing ipa-custodia from 'create' accesses on the netlink_route_socket labeled ipa_custodia_t.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that ipa-custodia should be allowed create access on netlink_route_socket labeled ipa_custodia_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ipa-custodia' --raw | audit2allow -M my-ipacustodia
# semodule -X 300 -i my-ipacustodia.pp

Additional Information:
Source Context                system_u:system_r:ipa_custodia_t:s0
Target Context                system_u:system_r:ipa_custodia_t:s0
Target Objects                Unknown [ netlink_route_socket ]
Source                        ipa-custodia
Source Path                   ipa-custodia
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.4-44.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.4.14-200.fc31.x86_64 #1 SMP Thu Jan 23 13:06:12 UTC 2020 x86_64 x86_64
Alert Count                   42
First Seen                    2019-12-18 17:47:34 GMT
Last Seen                     2020-01-31 21:46:10 GMT
Local ID                      14f2f3a9-da1f-4e70-8dfd-2aaa5b11ce0d

Raw Audit Messages
type=AVC msg=audit(1580507170.393:210): avc:  denied  { create } for  pid=1495 comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket permissive=0

Hash: ipa-custodia,ipa_custodia_t,ipa_custodia_t,netlink_route_socket,create

Version-Release number of selected component:
selinux-policy-3.14.4-44.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.4.14-200.fc31.x86_64
type:           libreport
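The report's suggested workaround pipes the raw audit records through audit2allow, which parses each AVC denial, collapses identical (source type, target type, object class) triples into one allow rule, substitutes "self" when source and target types match, and writes a .te module body. The following is an added illustration of that triage step, not code from the bug, from setroubleshoot or from audit2allow itself. It assumes the audit(8) AVC record layout shown in the report; the first sample line is the denial from the report, the second is a constructed line (not observed on this system) added only to show how permissions for the same triple are merged. The function names are the example's own.

```python
"""Minimal audit2allow-style triage for AVC denial lines (added example)."""
import re
from collections import defaultdict

# Assumed to match the audit(8) AVC record format shown in the bug report.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Line 1 is the denial from the report. Line 2 is CONSTRUCTED for this
# example (not from the bug) to show merging of perms for one triple.
SAMPLE_LINES = [
    'type=AVC msg=audit(1580507170.393:210): avc:  denied  { create } for  pid=1495 '
    'comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 '
    'tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket permissive=0',
    'type=AVC msg=audit(1580507170.401:211): avc:  denied  { read write } for  pid=1495 '
    'comm="ipa-custodia" scontext=system_u:system_r:ipa_custodia_t:s0 '
    'tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=netlink_route_socket permissive=0',
]


def parse_avc(line):
    """Return the denied perms plus the key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    d["perms"] = tuple(m.group("perms").split())
    return d


def context_type(ctx):
    """user:role:type[:mls] -> type (third colon-separated field)."""
    return ctx.split(":")[2]


def rule_key(d):
    """(source type, target type or 'self', object class) for a parsed denial."""
    src = context_type(d["scontext"])
    tgt = context_type(d["tcontext"])
    return src, ("self" if src == tgt else tgt), d["tclass"]


def fmt_perms(perms):
    """Policy syntax: a single perm bare, several perms in braces, sorted."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(d):
    """The allow rule that would satisfy exactly this one denial."""
    src, tgt, tclass = rule_key(d)
    return f"allow {src} {tgt}:{tclass} {fmt_perms(d['perms'])};"


def generate_te(lines, module_name, version="1.0"):
    """Merge all denials into one rule per triple and emit a .te module body."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[rule_key(d)].update(d["perms"])
    # require{} must declare every type and every class/perm the rules use.
    types = sorted({k[0] for k in merged} | {k[1] for k in merged if k[1] != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(merged.items()):
        out.append(f"allow {src} {tgt}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te(SAMPLE_LINES, "my-ipacustodia"))
```

The emitted text is what audit2allow -M writes to my-ipacustodia.te before compiling it (checkmodule -M -m, semodule_package) into the .pp that the report installs with semodule -X 300 -i. Review the rule before loading: here source and target are the same domain (hence "self") and the class is netlink_route_socket, i.e. the process is only asking to create its own routing-netlink socket, which is a much narrower grant than a rule against a foreign type would be. Once the distribution policy carrying the fix is installed, remove the local override (semodule -r my-ipacustodia) so it does not mask future changes to the vendor policy.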
Hi James,

Thank you for reporting the issue. Please help us with isolating the issue answering the following questions:

- Have you made any changes to your configuration?
- Have you noticed if it started to happen with the freeipa package update?
- Did it happen at some particular circumstance, like time or action?
- Are there any other clear steps to reproduce this issue?
- Apart from the denials, did you observe any drawback in functionality?
- Did it happen together with bz#1797100?
(In reply to Zdenek Pytela from comment #1)
> Hi James,
>
> Thank you for reporting the issue. Please help us with isolating the issue
> answering the following questions:
>
> - Have you made any changes to your configuration?
> - Have you noticed if it started to happen with the freeipa package update?
> - Did it happen at some particular circumstance, like time or action?
> - Are there any other clear steps to reproduce this issue?
> - Apart from the denials, did you observe any drawback in functionality?
> - Did it happen together with bz#1797100?

This FreeIPA installation has been going for a while, probably dates back a few years now.

I think these SELinux denials started around the upgrade from F30 to F31; I can't remember what change in freeipa that was, I'll have to dig deeper into the logs. Following that system upgrade, FreeIPA restarted with no apparent loss of functionality, hence I didn't do an autorelabel. (In the past things like the web interface have fallen over after upgrade requiring a relabel, but not this time.)

The denial happens whenever the machine restarts. Persists after a forced autorelabel.

Current version: freeipa-server-4.8.4-2.fc31.x86_64

I think it did start with bz#1797100.

I wish I could provide more detailed info than this; as mentioned this hasn't caused any apparent loss of functionality so I just left it, but I thought it best to report this anyway.
James,

Thank you for your reply. There does not seem to be any issue with allowing this particular permission, I was just curious if it happens right after installation or rather with some particular configuration change, or if it is a result of updating ipa or a library it uses, which could possibly help with other issues like this.

I've submitted a PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/199
commit b1751347f4af99de8c88630e2f8d0a352d7f5937 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 5 10:21:27 2020 +0100

    Allow ipa_custodia_t create and use netlink_route_socket sockets.

    Resolves: rhbz#1797102
FEDORA-2020-07bb9bdfaa has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-07bb9bdfaa
selinux-policy-3.14.4-47.fc31 has been pushed to the Fedora 31 testing repository.
If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-07bb9bdfaa
selinux-policy-3.14.4-47.fc31 has been pushed to the Fedora 31 stable repository.
If problems still persist, please make note of it in this bug report.