1853263 – ipa-selinux package missing

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1853263 - ipa-selinux package missing

Summary: ipa-selinux package missing

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.3
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-07-02 09:52 UTC by Kaleem
Modified:	2020-11-04 02:51 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-4.8.7-5
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-04 02:51:20 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa c e881e35783bb250bbdbc575cee4df2af6bc2eb88	None	None	None	2020-07-02 11:40:17 UTC
Fedora Pagure	freeipa issue 8283	None	None	None	2020-07-02 11:40:17 UTC
Red Hat Product Errata	RHSA-2020:4670	None	None	None	2020-11-04 02:51:37 UTC

Description Kaleem 2020-07-02 09:52:39 UTC

Description of problem:

Following avc denial seen during ipa dnssec-master install

Jul  2 03:28:08 master systemd[1]: Started IPA key daemon.
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipa-dnskeysyncd: INFO     LDAP bind...
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipa-dnskeysyncd: INFO     Commencing sync process
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
Jul  2 03:28:10 master platform-python[40704]: detected unhandled Python exception in '/usr/libexec/ipa/ipa-dnskeysyncd'
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: Traceback (most recent call last):
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module>
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 457, in syncrepl_poll
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    self.syncrepl_refreshdone()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 125, in syncrepl_refreshdone
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    self.ods_sync()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 183, in ods_sync
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    self.odsmgr.sync()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/odsmgr.py", line 221, in sync
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    zl_ods = self.get_ods_zonelist()
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/odsmgr.py", line 143, in get_ods_zonelist
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    stdout = self.ksmutil(['zonelist', 'export'])
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/odsmgr.py", line 139, in ksmutil
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    result = tasks.run_ods_manager(params, capture_output=True)
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/_ods21.py", line 115, in run_ods_manager
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    return ipautil.run(cmd, **kwargs)
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]:    p.returncode, arg_string, output_log, error_log
Jul  2 03:28:10 master ipa-dnskeysyncd[40704]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ods-enforcer', 'zonelist', 'export'] returned non-zero exit status 201: 'Unable to connect to engine. connect() failed: Permission denied ("/var/run/opendnssec/enforcer.sock")\n')
Jul  2 03:28:10 master abrt-server[40710]: Deleting problem directory Python3-2020-07-02-03:28:10-40704 (dup of Python3-2020-07-02-02:00:49-32186)
Jul  2 03:28:10 master systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE
Jul  2 03:28:10 master systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'.
Jul  2 03:28:10 master dbus-daemon[738]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.201' (uid=0 pid=700 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Jul  2 03:28:10 master dbus-daemon[40721]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul  2 03:28:10 master abrt-server[40710]: /bin/sh: reporter-systemd-journal: command not found
Jul  2 03:28:11 master dbus-daemon[738]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jul  2 03:28:11 master dbus-daemon[738]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.858' (uid=995 pid=40721 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jul  2 03:28:11 master dbus-daemon[40735]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul  2 03:28:12 master dbus-daemon[738]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jul  2 03:28:13 master setroubleshoot[40721]: SELinux is preventing /usr/sbin/ods-enforcer from write access on the sock_file enforcer.sock. For complete SELinux messages run: sealert -l 829e84f4-20aa-4110-a104-a9200879eb95
Jul  2 03:28:13 master platform-python[40721]: SELinux is preventing /usr/sbin/ods-enforcer from write access on the sock_file enforcer.sock.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ods-enforcer should be allowed write access on the enforcer.sock sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ods-enforcer' --raw | audit2allow -M my-odsenforcer#012# semodule -X 300 -i my-odsenforcer.pp#012
 
#============= ipa_dnskey_t ==============
allow ipa_dnskey_t opendnssec_var_run_t:sock_file write;

Version-Release number of selected component (if applicable):
[root@master ~]# rpm -q ipa-server selinux-policy
ipa-server-4.8.7-4.module+el8.3.0+7221+eedbd403.x86_64
selinux-policy-3.14.3-48.el8.noarch
[root@master ~]# 


How reproducible:
Always

Steps to Reproduce:
1. Install IPA with dns
2. Install 
3.

Actual results:
Following avc denial seen 

Expected results:
No avc denial 

Additional info:

Comment 1 Kaleem 2020-07-02 10:11:59 UTC

[root@master ~]# ausearch -c 'ods-enforcer' --raw
type=AVC msg=audit(1593669649.090:2550): avc:  denied  { write } for  pid=32221 comm="ods-enforcer" name="enforcer.sock" dev="tmpfs" ino=139006 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1593669649.090:2550): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffec9784380 a2=6e a3=21 items=0 ppid=32186 pid=32221 auid=4294967295 uid=989 gid=25 euid=989 suid=989 fsuid=989 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ods-enforcer" exe="/usr/sbin/ods-enforcer" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="ods" GID="named" EUID="ods" SUID="ods" FSUID="ods" EGID="named" SGID="named" FSGID="named"
type=PROCTITLE msg=audit(1593669649.090:2550): proctitle=2F7573722F7362696E2F6F64732D656E666F72636572007A6F6E656C697374006578706F7274

Comment 2 Christian Heimes 2020-07-02 10:19:48 UTC

IPA's SELinux policy has

optional_policy(`
        opendnssec_domtrans(ipa_dnskey_t)
        opendnssec_manage_config(ipa_dnskey_t)
        opendnssec_manage_var_files(ipa_dnskey_t)
        opendnssec_filetrans_etc_content(ipa_dnskey_t)
        opendnssec_stream_connect(ipa_dnskey_t)
')

Shouldn't opendnssec_stream_connect() allow ipa_dnskey_to connect and write to an Unix domain socket file?

On Fedora opendnssec_stream_connect() is defined as:

interface(`opendnssec_stream_connect',`
        gen_require(`
                type opendnssec_t, opendnssec_var_run_t;
        ')

        files_search_pids($1)
        stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)
')

define(`stream_connect_pattern',`
        allow $1 $2:dir search_dir_perms;
        allow $1 $3:sock_file write_sock_file_perms;
        allow $1 $4:unix_stream_socket connectto;
')

define(`write_sock_file_perms',`{ getattr write open append }')

Comment 3 Zdenek Pytela 2020-07-02 11:26:17 UTC

Christian,

The following line:

        opendnssec_stream_connect(ipa_dnskey_t)

is not present in RHEL 8.3. It was added as a part of freeipa commit

commit e881e35783bb250bbdbc575cee4df2af6bc2eb88
Author: Christian Heimes <cheimes>
Date:   Tue Apr 21 09:39:29 2020 +0200

    Fix various OpenDNSSEC 2.1 issues

Comment 4 Christian Heimes 2020-07-02 11:40:18 UTC

The commit is in ipa 4.8.7 release but there is no ipa-selinux package on RHEL 8.3. Further more the ipa-common package does not depend on SELinux policy package:

Fedora:
# rpm -qa freeipa-common
freeipa-common-4.8.7-1.fc32.noarch
# rpm -qR freeipa-common
(freeipa-selinux if selinux-policy-targeted)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1


RHEL 8.3:
# rpm -qa ipa-common
ipa-common-4.8.7-4.module+el8.3.0+7221+eedbd403.noarch
# rpm -qR ipa-common
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1

Comment 5 Christian Heimes 2020-07-02 11:44:39 UTC

Thomas discovered that the check for with_selinux is wrong. 

I fixed the problem in upstream commit https://pagure.io/freeipa/c/5a3b5f3affe16efcbf93af5c1bfd95a0c7999e5b but the fix didn't get into RHEL 8 spec file.

Comment 12 errata-xmlrpc 2020-11-04 02:51:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670

Note You need to log in before you can comment on or make changes to this bug.