Bug 1870300
| Field | Value |
|---|---|
| Summary | SELinux prevents saslauthd from creating a kerberos reply cache file |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Kaleem <ksiddiqu> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Version | 8.3 |
| CC | fcami, lvrabec, mmalik, pasik, plautrba, rcritten, ssekidde |
| Target Milestone | rc |
| Target Release | 8.3 |
| Keywords | AutoVerified, Triaged |
| Flags | pm-rhel: mirror+ |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2020-11-04 01:57:16 UTC |
| Attachments | 1711918: test run with output (reported.html) |
Description (Kaleem):

Created attachment 1711918 [details]: test run with output.

Description of problem:
The following two sets of AVC denials are seen during execution of the ipa epn tests.

For tests test_EPN_authenticated, test_EPN_template, test_mailtest, test_EPN_starttls, test_EPN_ssl:

    type=AVC msg=audit(1597851507.667:2293): avc: denied { create } for pid=29391 comm="saslauthd" name="krb5_0.rcache2" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

For tests test_EPN_starttls, test_EPN_ssl the following is also seen:

    type=AVC msg=audit(1597851527.271:2658): avc: denied { fowner } for pid=33471 comm="certmonger" capability=3 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-52.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run the ipa epn tests

Actual results:
5 out of 21 tests failed because of the AVC denials mentioned above.

Expected results:
There should be no AVC denials.

Additional info:
(1) All tests pass in permissive mode.
(2) Please find the attached test run with output (reported.html).

Comment:

These are two different AVCs. The one that is blocking the tests is most probably the saslauthd one and is not part of FreeIPA. For reference, the test lives at: https://github.com/freeipa/freeipa/blob/master/ipatests/test_integration/test_epn.py

This AVC was previously reported: https://bugzilla.redhat.com/show_bug.cgi?id=1857253

Kaleem, could you launch the test again with the packages from the errata listed at:
https://bugzilla.redhat.com/show_bug.cgi?id=1848953
https://errata.devel.redhat.com/advisory/55059

The second AVC is certmonger's and I could not find a match. Rob, is that one known to you?

Comment:

The certmonger AVC is new. I think it is related to using the -O <owner> option in the ipa-getcert call. The resulting cert/key will be chown'd to the user.

Comment:

Kaleem, could you please file a separate bug for the certmonger AVC?

Comment #5 (François Cami):

https://bugzilla.redhat.com/show_bug.cgi?id=1848953#c45 is now VERIFIED. Kaleem, would you be able to launch the test again with the new packages so that we check everything works as expected?

Comment (Kaleem):

(In reply to François Cami from comment #5)
> https://bugzilla.redhat.com/show_bug.cgi?id=1848953#c45 is now VERIFIED.
> Kaleem, would you be able to launch the test again with the new packages so
> that we check everything works as expected?

Tests were executed with the mentioned selinux-policy version and these are not the same AVCs as seen there; yes, the target is the same. Bug https://bugzilla.redhat.com/show_bug.cgi?id=1848953 was for ssh/smbd comm, but here we see it for saslauthd as well, which is not fixed.

Comment:

https://bugzilla.redhat.com/show_bug.cgi?id=1857253 was identical to the current issue. https://bugzilla.redhat.com/show_bug.cgi?id=1857253 was closed as DUPLICATE of https://bugzilla.redhat.com/show_bug.cgi?id=1848953. This is why I referenced https://bugzilla.redhat.com/show_bug.cgi?id=1848953, as it is the only bug of the two to have the errata.

Comment:

Note bz#1857253 is not identical: it was about writing to an existing reply cache; in this bz, the file is to be created instead.

Comment:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528
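The following Python is an added worked example for triaging records like the two quoted in this report; it is not part of the bug, of FreeIPA, or of selinux-policy. It parses AVC records into their fields (source type, target type, class, denied permissions), merges them into the `allow` rules that `audit2allow` would propose, and flags the two cases a reviewer should look at before shipping such a rule: a domain creating a file in a generic type such as `tmp_t` (where a dedicated type plus a file transition is the usual policy fix, rather than widening access to `tmp_t`), and a capability denial. The first two records are copied from the description above; the third is a constructed record, added only to show how permissions on the same source/target/class are merged. The `GENERIC_TYPES` set and the `review_notes` heuristics are this example's own choices, not anything the report states.

```python
import re
from dataclasses import dataclass

# First two records: copied from the bug report. Third record: constructed for
# this example (same source/target/class as the first, different permission).
AVC_LINES = [
    'type=AVC msg=audit(1597851507.667:2293): avc: denied { create } for pid=29391 '
    'comm="saslauthd" name="krb5_0.rcache2" scontext=system_u:system_r:saslauthd_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1597851527.271:2658): avc: denied { fowner } for pid=33471 '
    'comm="certmonger" capability=3 scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1597851507.900:2294): avc: denied { write } for pid=29391 '
    'comm="saslauthd" name="krb5_0.rcache2" scontext=system_u:system_r:saslauthd_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0',  # constructed
]

# Generic location types where a blanket allow is usually the wrong fix
# (assumption of this example; refpolicy defines all of these).
GENERIC_TYPES = {'tmp_t', 'var_t', 'var_run_t', 'var_lib_t', 'var_log_t', 'etc_t', 'usr_t'}

HEADER_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value tokens; quoted values (comm="...", name="...") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str          # 'denied' or 'granted'
    perms: frozenset     # permissions inside the braces
    fields: dict         # everything after 'for', unquoted

    @property
    def source_type(self):
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self):
        return self.fields['tclass']


def parse_avc(line):
    """Return an Avc for one AVC record, or None for any other audit line."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return Avc(float(m.group('ts')), int(m.group('serial')), m.group('result'),
               frozenset(m.group('perms').split()), fields)


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def merge_rules(lines):
    """Group denials by (source, target, class) and emit one allow rule per group,
    the way audit2allow does. A target equal to the source is written as 'self'."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != 'denied':
            continue
        merged.setdefault((avc.source_type, avc.target_type, avc.tclass), set()).update(avc.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rules.append(f'allow {src} {"self" if tgt == src else tgt}:{cls} {format_perms(perms)};')
    return rules


def review_notes(lines):
    """Heuristic warnings for rules that should not be applied verbatim."""
    notes = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != 'denied':
            continue
        if avc.tclass in ('file', 'dir') and 'create' in avc.perms and avc.target_type in GENERIC_TYPES:
            notes.append(f"{avc.source_type} creates {avc.fields.get('name', '?')} labeled "
                         f"{avc.target_type}: prefer a dedicated type and a filetrans rule")
        if avc.tclass == 'capability':
            notes.append(f"{avc.source_type} needs capability {format_perms(avc.perms)} "
                         f"(capability={avc.fields.get('capability')}): confirm which syscall needs it")
    return notes


if __name__ == '__main__':
    print('\n'.join(merge_rules(AVC_LINES)))
    print('\n'.join(review_notes(AVC_LINES)))
```

Run it against `ausearch -m AVC --raw` output (or the `permissive=1` records from a permissive-mode run, which the parser treats the same way) to get a first-cut rule set; the notes are the reminder that `allow saslauthd_t tmp_t:file create;` would let the daemon create arbitrary files under `/tmp`, which is broader than what the reply cache needs.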