Bug 1998129 - AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
Summary: AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ip...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.5
Hardware: aarch64
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 2002718
Reported: 2021-08-26 13:07 UTC by Filip Dvorak
Modified: 2021-11-10 00:01 UTC (History)

Fixed In Version: idm-client-8050020210913151510.de73ecb2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2002718 (view as bug list)
Environment:
Last Closed: 2021-11-09 18:29:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-6920 0 None None None 2021-09-24 11:36:17 UTC
Red Hat Issue Tracker RHELPLAN-95307 0 None None None 2021-08-26 13:08:07 UTC
Red Hat Product Errata RHBA-2021:4230 0 None None None 2021-11-09 18:30:16 UTC

Description Filip Dvorak 2021-08-26 13:07:21 UTC
Description of problem:
There are AVC messages during the installation of ipa-server on RHEL8.5 (FIPS mode enabled).

Version-Release number of selected component (if applicable):
RHEL-8.5.0-20210825.n.0 (aarch64)
ipa-server 4.9.6-4.module+el8.5.0+11912+1b4496cf

Steps to Reproduce:
fips-mode-setup --enable 
reboot
hostnamectl set-hostname master.test.ipa
dnf module reset idm -y
dnf module enable -y idm:DL1/dns
dnf install -y ipa-server-dns
systemctl stop firewalld
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n test.ipa -U -r TEST.IPA


Actual results:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.3-77.el8.noarch
----
time->Thu Aug 26 08:31:54 2021
type=PROCTITLE msg=audit(1629981114.133:381): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=SYSCALL msg=audit(1629981114.133:381): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffffb890d4a0 a2=0 a3=0 items=0 ppid=1 pid=19933 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1629981114.133:381): avc:  denied  { read } for  pid=19933 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
----
time->Thu Aug 26 08:38:29 2021
type=PROCTITLE msg=audit(1629981509.011:585): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=SYSCALL msg=audit(1629981509.011:585): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffff8ef9d4a0 a2=0 a3=0 items=0 ppid=1 pid=24131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1629981509.011:585): avc:  denied  { read } for  pid=24131 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Expected results:
No AVC messages.

Comment 1 Zdenek Pytela 2021-08-26 19:13:09 UTC
ipa manages their own policy, switching component

Comment 2 Florence Blanc-Renaud 2021-08-30 16:25:21 UTC
This issue is quite puzzling as it can be reproduced only on aarch64 architecture.
On x86_64 + FIPS, I couldn't reproduce with the same steps.

# ls -lZ /proc/cpuinfo 
-r--r--r--. 1 root root system_u:object_r:proc_t:s0 0 Aug 30 07:25 /proc/cpuinfo
# ps -efZ | grep custodia
system_u:system_r:ipa_custodia_t:s0 root    2309       1  0 07:29 ?        00:00:01 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf


Running strace /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
shows that the call reading /proc/cpuinfo is surrounded by calls trying to read /etc/gcrypt/fips_enabled, /etc/gcrypt/hwf.deny or /etc/gcrypt/random.conf. So it points in the direction of something related to gcrypt.

gcrypt manual (https://gnupg.org/documentation/manuals/gcrypt/Configuration.html) lists /proc/cpuinfo as a config file used on ARM architecture, this may explain why the issue happens only with aarch64:

----- 8< -----
/proc/cpuinfo
/proc/self/auxv
    On Linux running on the ARM architecture, these files are used to read hardware capabilities of the CPU.
----- >8 -----

Switching to permissive mode, audit2allow produces the following:
# audit2allow -a

#============= ipa_custodia_t ==============
allow ipa_custodia_t proc_t:file { getattr open read };


But allowing full access to /proc seems excessive. The interface kernel_read_system_state should be enough:
########################################
## <summary>
##      Allows caller to read system state information in /proc.
## </summary>
## <desc>
##      <p>
##      Allow the specified domain to read general system
##      state information from the proc filesystem (/proc).
##      </p>
##      <p>
##      Generally it should be safe to allow this access.  Some
##      example files that can be read based on this interface:
##      </p>
##      <ul>
##              <li>/proc/cpuinfo</li>
##              <li>/proc/meminfo</li>
##              <li>/proc/uptime</li>
##      </ul>
##      <p>
##      This does not allow access to sysctl entries (/proc/sys/*)
##      nor process state information (/proc/pid).
##      </p>
## </desc>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <infoflow type="read" weight="10"/>
## <rolecap/>
#

Comment 3 Florence Blanc-Renaud 2021-08-30 17:11:57 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8972

Comment 4 Florence Blanc-Renaud 2021-08-31 13:00:07 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/b5f692c167b3f9960455518a2831d4e7dc7f0302

Comment 5 Florence Blanc-Renaud 2021-08-31 14:50:55 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/07e2bf732f54f936cccc4e0c7b468d77f97e911a

Comment 13 Mohammad Rizwan 2021-09-24 12:13:23 UTC
version:
ipa-server-4.9.6-6.module+el8.5.0+12660+88e16a2c.aarch64
ipa-selinux-4.9.6-6.module+el8.5.0+12660+88e16a2c.noarch

steps:
1. enable fips mode on aarch64 machine
2. install ipa-server
3. check for avc for ipa-custodia

Actual result:

[root@master ~]# fips-mode-setup --check
FIPS mode is enabled.
[root@master ~]# 
[root@master ~]# ausearch -m avc
----
time->Fri Sep 24 07:39:40 2021
type=PROCTITLE msg=audit(1632483580.798:388): proctitle=2F7573722F7362696E2F73737364002D69002D2D6C6F676765723D66696C6573
type=SYSCALL msg=audit(1632483580.798:388): arch=c00000b7 syscall=27 success=no exit=-13 a0=0 a1=aaaac8ce2c30 a2=8d88 a3=a items=0 ppid=1 pid=1110 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd" exe="/usr/sbin/sssd" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1632483580.798:388): avc:  denied  { read } for  pid=1110 comm="sssd" name="resolv.conf" dev="dm-0" ino=588975 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
[root@master ~]# 


AVC denial seen but not what was initially reported. https://bugzilla.redhat.com/show_bug.cgi?id=2006294 is reported but seems like an issue with the test env and not with the ipa-server package.

Marking the bug as verified.
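The two sets of audit records in this bug (the ipa-custodia /proc/cpuinfo denial diagnosed in comment 2, and the unrelated sssd denial seen during verification in comment 13) are a good fit for a small triage script. The following is an added example, not FreeIPA, Red Hat or audit2allow code: it parses `ausearch -m avc` output, decodes the hex-encoded PROCTITLE into argv (which is how the ipa-custodia command line in comment 2 can be recovered from the raw record), collapses denials into audit2allow-style rules, and flags which denials are the ipa_custodia_t-reading-proc_t case that kernel_read_system_state() addresses. The sample records are copied from this report and trimmed to the fields the script reads; the function names, the READ_FILE_PERMS set (the refpolicy read_file_perms as I recall it) and the domain/type checks in `fits_kernel_read_system_state` are this example's own assumptions.

```python
"""Triage `ausearch -m avc` output: decode the hex PROCTITLE, group denials by
(source type, target type, class) and flag which ones are the ipa-custodia
/proc read described in this bug.  Added example, not FreeIPA or Red Hat code."""
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in this report, shortened to the
# fields this script reads (two ipa-custodia records, one unrelated sssd record).
SAMPLE_AUSEARCH = """\
----
time->Thu Aug 26 08:31:54 2021
type=PROCTITLE msg=audit(1629981114.133:381): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=AVC msg=audit(1629981114.133:381): avc:  denied  { read } for  pid=19933 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
----
time->Thu Aug 26 08:38:29 2021
type=PROCTITLE msg=audit(1629981509.011:585): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=AVC msg=audit(1629981509.011:585): avc:  denied  { read } for  pid=24131 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
----
time->Fri Sep 24 07:39:40 2021
type=PROCTITLE msg=audit(1632483580.798:388): proctitle=2F7573722F7362696E2F73737364002D69002D2D6C6F676765723D66696C6573
type=AVC msg=audit(1632483580.798:388): avc:  denied  { read } for  pid=1110 comm="sssd" name="resolv.conf" dev="dm-0" ino=588975 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{ ([^}]*) \}')          # the { read open ... } permission set
EVENT_RE = re.compile(r'msg=audit\((\S+)\)')     # "timestamp:serial" shared by one event

# Assumption of this example: the file permissions refpolicy's
# kernel_read_system_state() grants on proc_t (read_file_perms).
READ_FILE_PERMS = {"getattr", "open", "read", "ioctl", "lock"}


def decode_proctitle(hex_title):
    """PROCTITLE is the NUL-separated argv, hex-encoded by auditd; return argv."""
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(hex_title).split(b"\0")]


def parse_ausearch(text):
    """Return one dict per AVC record, joined with the PROCTITLE of the same event id."""
    titles, denials = {}, []
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        event = EVENT_RE.search(line).group(1)
        if fields["type"] == "PROCTITLE":
            titles[event] = decode_proctitle(fields["proctitle"])
        elif fields["type"] == "AVC":
            denials.append({
                "event": event,
                "pid": int(fields["pid"]),
                "comm": fields["comm"],
                "name": fields.get("name", ""),
                "perms": set(PERMS_RE.search(line).group(1).split()),
                # a context is user:role:type:level; policy rules are written on the type
                "stype": fields["scontext"].split(":")[2],
                "ttype": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"],
            })
    for d in denials:
        d["argv"] = titles.get(d["event"], [])
    return denials


def audit2allow_rules(denials):
    """Collapse denials into allow rules the way audit2allow prints them."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in perms.items())


def fits_kernel_read_system_state(denial, domain="ipa_custodia_t"):
    """True when the denial is the case this bug fixed: `domain` reading a general
    /proc file (type proc_t).  sysctl entries and /proc/<pid> carry other types,
    so they do not match here, which mirrors the interface's documented scope."""
    return (denial["stype"] == domain and denial["ttype"] == "proc_t"
            and denial["tclass"] == "file" and denial["perms"] <= READ_FILE_PERMS)


def triage(text, domain="ipa_custodia_t"):
    """Split the records into (covered by the fix, unrelated) one-line summaries."""
    covered, unrelated = [], []
    for d in parse_ausearch(text):
        line = "%s pid=%d %s -> %s:%s %s { %s } argv=%s" % (
            d["comm"], d["pid"], d["stype"], d["ttype"], d["tclass"], d["name"],
            " ".join(sorted(d["perms"])), " ".join(d["argv"]))
        (covered if fits_kernel_read_system_state(d, domain) else unrelated).append(line)
    return covered, unrelated


if __name__ == "__main__":
    for rule in audit2allow_rules(parse_ausearch(SAMPLE_AUSEARCH)):
        print(rule)
    cov, unrel = triage(SAMPLE_AUSEARCH)
    print("covered by kernel_read_system_state(ipa_custodia_t):", *cov, sep="\n  ")
    print("unrelated to this bug:", *unrel, sep="\n  ")
```

On the sample the generated rule is `allow ipa_custodia_t proc_t:file { read };` rather than the `{ getattr open read }` shown in comment 2: in enforcing mode the kernel logs only the first permission that was refused, whereas the audit2allow run in comment 2 was done in permissive mode, where every permission the process went on to use is recorded. That is also why a permissive-mode run is the better input when deciding which interface to call.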

Comment 15 errata-xmlrpc 2021-11-09 18:29:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

