Bug 2115691 - selinux-policy AVC during ipa trust-add using selinux-policy-36.13-3.fc36
Summary: selinux-policy AVC during ipa trust-add using selinux-policy-36.13-3.fc36
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2114902
Reported: 2022-08-05 07:11 UTC by anuja
Modified: 2022-10-12 13:01 UTC (History)

Fixed In Version: selinux-policy-36.15-1.fc36 selinux-policy-36.16-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-12 13:01:39 UTC
Type: Bug
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1383 | 0 | None | open | Update samba-dcerpcd policy for kerberos usage 2 | 2022-09-12 13:06:10 UTC
Github | fedora-selinux selinux-policy pull 1409 | 0 | None | Merged | F36 samba sync | 2022-09-23 14:22:49 UTC

Description anuja 2022-08-05 07:11:30 UTC
Description of problem:

selinux-policy-36.13-3.fc36.noarch denies { sendto } to command smbcontrol.
The consequence is that running ipa trust-add leaves the user with a kerberos credential cache containing a ticket for cifs/<server> instead of the original one for admin.

Version-Release number of selected component (if applicable):
Fedora 36
freeipa-server-4.11.0.dev-0.fc36.x86_64
selinux-policy-36.13-3.fc36.noarch

How reproducible:

Systematic

Steps to Reproduce:
1. install IPA server with
ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --domain-level=1 -U --setup-dns --auto-forwarders --auto-reverse
2. configure as trust domain controller with
ipa-adtrust-install -U --enable-compat --netbios-name IPA -a Secret.123 --add-sids
3. obtain an admin ticket with
kinit admin
4. add a trust with AD:
ipa trust-add --type ad ad.test --admin Administrator --password
5. check the credential cache, it contains a ticket for cifs/master.ipa.test instead of admin

This is reproducible in our nightly tests, see for instance PR #6394 [1] with the test test_sssd [2]. The AVCs can be seen in the audit.log [3].

[1] https://github.com/freeipa/freeipa/pull/6394
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38
[3] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz

Comment 2 Zdenek Pytela 2022-08-05 07:39:09 UTC
It seems dontaudit rules were in place, but full auditing was not enabled.

This one looks like the only relevant denial:
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0

Could you try the following local module:

  # cat local_winbindrpcd_krb.cil
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open search)))
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open read ioctl lock)))
  # semodule -i local_winbindrpcd_krb.cil

and run the test again?

Comment 3 Zdenek Pytela 2022-08-05 07:42:16 UTC
I actually meant this particular one:
----
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0


List of all denials run through audit2allow:

#============= NetworkManager_dispatcher_console_t ==============
allow NetworkManager_dispatcher_console_t default_context_t:dir search;

#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:file { setattr unlink };
allow NetworkManager_dispatcher_console_t file_context_t:dir search;
allow NetworkManager_dispatcher_console_t file_context_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow NetworkManager_dispatcher_console_t file_context_t:file map;
allow NetworkManager_dispatcher_console_t security_t:dir read;
allow NetworkManager_dispatcher_console_t security_t:file write;
allow NetworkManager_dispatcher_console_t security_t:security compute_create;
allow NetworkManager_dispatcher_console_t self:process setfscreate;

#============= httpd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow httpd_t self:capability net_admin;

#============= krb5kdc_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow krb5kdc_t selinux_config_t:file read;

#============= oddjob_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow oddjob_t ipa_helper_t:process { rlimitinh siginh };

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t cert_t:dir search;
allow winbind_rpcd_t krb5_keytab_t:dir search;
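The two samba-dcerpcd denials quoted above, run through a small audit2allow-style parser that groups the denied permissions per (source type, target type, class) and renders them as CIL allow rules in the shape of the local module from Comment 2. This is an added example, not code from the bug report or from selinux-policy; the embedded log lines are a constructed copy of the two AVC records quoted in this bug.

```python
"""Mini audit2allow for AVC records (added example, not selinux-policy code)."""
import re
from collections import defaultdict

# Fields of an AVC denial as written by auditd in "interpreted" (ausearch -i) form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"comm=(?P<comm>\S+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

# Constructed sample: the two denials quoted in Comment 2 and Comment 3.
SAMPLE_AUDIT = """\
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The SELinux type is the third field of a user:role:type:level context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def collect_denials(log_text, source_type=None):
    """Group denied permissions by (source type, target type, class).

    source_type optionally restricts the result to one domain, e.g. winbind_rpcd_t,
    so unrelated denials (NetworkManager, httpd_t, ...) are left out of the module."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (source_type and rec["stype"] != source_type):
            continue
        denials[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return denials


def to_cil(denials):
    """Render grouped denials as CIL allow rules; sorted so output is stable."""
    return ["(allow %s %s (%s (%s)))" % (s, t, c, " ".join(sorted(perms)))
            for (s, t, c), perms in sorted(denials.items())]


if __name__ == "__main__":
    for rule in to_cil(collect_denials(SAMPLE_AUDIT, "winbind_rpcd_t")):
        print(rule)
```

The rendered rules are meant to be reviewed against the existing policy (note that audit2allow above flags the cert_t search as already covered by a dontaudit rule) before anything is loaded with semodule.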

Comment 7 Fedora Update System 2022-09-14 16:33:02 UTC
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

Comment 8 Fedora Update System 2022-09-15 02:21:29 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-09-22 01:17:22 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Zdenek Pytela 2022-09-23 14:22:49 UTC
I backported all relevant commits so that the policy is synchronized with rawhide:
https://github.com/fedora-selinux/selinux-policy/pull/1409

Comment 12 Fedora Update System 2022-09-30 08:49:55 UTC
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

Comment 13 Fedora Update System 2022-10-01 02:13:00 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 anuja 2022-10-03 07:29:05 UTC
Using: selinux-policy-36.16-1.fc36.noarch

Tested with the latest build, it's working as expected.

Comment 15 Fedora Update System 2022-10-12 13:01:39 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

