Bug 2106006 - selinux-policy AVC during ipa trust-add
Summary: selinux-policy AVC during ipa trust-add
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-07-11 14:02 UTC by Florence Blanc-Renaud
Modified: 2022-08-05 01:34 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-36.13-3.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2114902 (view as bug list)
Environment:
Last Closed: 2022-08-05 01:34:46 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Florence Blanc-Renaud 2022-07-11 14:02:48 UTC
Description of problem:

selinux-policy-36.11-1.fc36.noarch denies { sendto } to command smbcontrol.
The consequence is that running ipa trust-add leaves the user with a kerberos credential cache containing a ticket for cifs/<server> instead of the original one for admin.

Version-Release number of selected component (if applicable):
Fedora 36
freeipa-server-4.11.0.dev-0.fc36.x86_64
selinux-policy-36.11-1.fc36.noarch

How reproducible:

Systematic

Steps to Reproduce:
1. install IPA server with 
ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --domain-level=1 -U --setup-dns --auto-forwarders --auto-reverse
2. configure as trust domain controller with
ipa-adtrust-install -U --enable-compat --netbios-name IPA -a Secret.123 --add-sids
3. obtain an admin  ticket with
kinit admin
4. add a trust with AD:
ipa trust-add --type ad ad.test --admin Administrator --password
5. check the credential cache, it contains a ticket for cifs/master.ipa.test instead of admin

This is reproducible in our nightly tests, see for instance PR #1841 [1] with the test test_sssd [2]. The AVCs can be seen in the audit.log [3].

type=AVC msg=audit(1657191966.421:4036): avc:  denied  { sendto } for  pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22803" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.421:4037): avc:  denied  { sendto } for  pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22803" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.421:4038): avc:  denied  { sendto } for  pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22814" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.421:4039): avc:  denied  { sendto } for  pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22814" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.422:4040): avc:  denied  { sendto } for  pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22818" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1657191966.422:4041): avc:  denied  { sendto } for  pid=22873 comm="smbcontrol" path="/var/lib/samba/private/msg.sock/22818" scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_dgram_socket permissive=0

[1] https://github.com/freeipa-pr-ci2/freeipa/pull/1841
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ffd8bd2c-fddd-11ec-8b8d-fa163e2eae90/
[3] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ffd8bd2c-fddd-11ec-8b8d-fa163e2eae90/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz


Note: selinux-policy-36.10-1.fc36.noarch does not show the issue, the problem was introduced with the update to selinux-policy-36.11-1.fc36 currently in updates-testing.

Comment 1 Zdenek Pytela 2022-07-11 16:47:47 UTC
Unfortunately, I was unable to reproduce the problem reliably. Could you try with the following local module?

  # cat local_smbcontrol.cil
(allow smbcontrol_t winbind_rpcd_t (unix_dgram_socket (sendto)))
  # semodule -i local_smbcontrol.cil
<retest>
  # ausearch -i -m avc,user_avc -ts recent

Comment 2 Florence Blanc-Renaud 2022-07-13 13:14:19 UTC
Hi Zdenek,

I launched the same test with the local module. This time, there was no reported AVC but the issue persists (the credential cache contains a ticket for the cifs/... principal). 
The audit.log is available here [1] and the job report here [2]:

DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd109:transport.py:513 RUN ['ausearch', '-i', '-m', 'avc,user_avc', '-ts', 'recent']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd109:transport.py:557 <no matches>
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd109:transport.py:217 Exit code: 1

[1] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d13ac658-029d-11ed-91ab-fa163ea73ebe/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d13ac658-029d-11ed-91ab-fa163ea73ebe/report.html

Comment 3 Florence Blanc-Renaud 2022-07-13 14:59:40 UTC
In order to reproduce the issue you need to restart smb before calling kinit admin; ipa trust-add ...
The AVC are hidden and only visible after disabling dontaudit with "semodule -DB":

without the module from comment #c1:
----
time->Wed Jul 13 14:36:01 2022
type=AVC msg=audit(1657722961.147:4394): avc:  denied  { net_admin } for  pid=18529 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:36:02 2022
type=AVC msg=audit(1657722962.576:4395): avc:  denied  { noatsecure } for  pid=21267 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:02 2022
type=AVC msg=audit(1657722962.576:4396): avc:  denied  { rlimitinh } for  pid=21267 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:02 2022
type=AVC msg=audit(1657722962.576:4397): avc:  denied  { siginh } for  pid=21267 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:03 2022
type=AVC msg=audit(1657722963.684:4398): avc:  denied  { rlimitinh } for  pid=21287 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:03 2022
type=AVC msg=audit(1657722963.684:4399): avc:  denied  { siginh } for  pid=21287 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:36:11 2022
type=AVC msg=audit(1657722971.156:4400): avc:  denied  { net_admin } for  pid=18529 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:36:21 2022
type=AVC msg=audit(1657722981.166:4401): avc:  denied  { net_admin } for  pid=18529 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0


With the module from comment #c1:

Same output:
time->Wed Jul 13 14:56:42 2022
type=AVC msg=audit(1657724202.495:4529): avc:  denied  { net_admin } for  pid=18529 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:56:44 2022
type=AVC msg=audit(1657724204.868:4530): avc:  denied  { noatsecure } for  pid=21362 comm="smbd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:44 2022
type=AVC msg=audit(1657724204.868:4531): avc:  denied  { rlimitinh } for  pid=21362 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:44 2022
type=AVC msg=audit(1657724204.868:4532): avc:  denied  { siginh } for  pid=21362 comm="samba-dcerpcd" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:46 2022
type=AVC msg=audit(1657724206.221:4533): avc:  denied  { rlimitinh } for  pid=21382 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:46 2022
type=AVC msg=audit(1657724206.221:4534): avc:  denied  { siginh } for  pid=21382 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
----
time->Wed Jul 13 14:56:52 2022
type=AVC msg=audit(1657724212.506:4535): avc:  denied  { net_admin } for  pid=18529 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
time->Wed Jul 13 14:57:02 2022
type=AVC msg=audit(1657724222.517:4536): avc:  denied  { net_admin } for  pid=18529 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0

Comment 4 Zdenek Pytela 2022-07-13 15:31:19 UTC
Thank you, I can reproduce it now. With the following module:

(allow smbcontrol_t winbind_rpcd_t (unix_dgram_socket (sendto)))
(allow smbd_t winbind_rpcd_t (process (noatsecure)))

i can see

f36# klist -l
Principal name                 Cache name
--------------                 ----------
admin                 KCM:0

but the ipa command keeps complaining so I am not sure if it can be considered working:

f36# ipa trust-add --type ad ad.test --admin Administrator --password
Active Directory domain administrator's password: 
ipa: ERROR: Cannot find specified domain or server name

Comment 5 Florence Blanc-Renaud 2022-07-13 15:42:10 UTC
I am relaunching a test in our CI with the additional module, I'll keep you posted.

Comment 6 Florence Blanc-Renaud 2022-07-13 19:53:56 UTC
Hi Zdenek,

I added the module from comment #c4 and the test is now passing: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9ea02612-02d8-11ed-af51-fa163eda45c5/report.html
You can go ahead and add the new module in selinux-policy.

Comment 7 Fedora Update System 2022-07-15 14:42:17 UTC
FEDORA-2022-320775eb9a has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

Comment 8 Fedora Update System 2022-07-16 01:12:55 UTC
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-08-04 02:42:00 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-08-05 01:34:46 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.