Bug 2265378 - Allow "map" operation for "krb5kdc_t" processes on "krb5kdc_principal_t" files
Summary: Allow "map" operation for "krb5kdc_t" processes on "krb5kdc_principal_t" files
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2265339
TreeView+ depends on / blocked
 
Reported: 2024-02-21 17:53 UTC by Julien Rische
Modified: 2024-03-15 13:36 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-03-13 10:19:36 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 2044 0 None open Allow krb5kdc_t map krb5kdc_principal_t files 2024-02-21 18:41:35 UTC

Description Julien Rische 2024-02-21 17:53:58 UTC
We are switching from Berkeley DB to LMDB as default database format for MIT Kerberos. However, after initializing or migrating the database, the krb5kdc daemon is unable to start:

  krb5kdc[1679](info): shutting down
  krb5kdc[1784](Error): LMDB environment open failure (path: /var/kerberos/krb5kdc/principal.mdb): Permission denied - while initializing database for realm EXAMPLE.COM

This failure does not occur when running in permissive mode.

The file contexts seem to be configured properly:

  # ls -lZ /var/kerberos/krb5kdc/
  total 104
  -rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0             41 Feb 21 12:30 kadm5.acl
  -rw-------. 1 root root system_u:object_r:krb5kdc_conf_t:s0            793 Feb 21 12:20 kdc.conf
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0 45056 Feb 21 12:32 principal.lockout.mdb
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0  8192 Feb 21 12:44 principal.lockout.mdb-lock
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0 45056 Feb 21 12:32 principal.mdb
  -rw-------. 1 root root unconfined_u:object_r:krb5kdc_principal_t:s0  8192 Feb 21 12:44 principal.mdb-lock

In permissive mode, the only SELinux rule violation reported is:

  # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR | grep -E '(krb5kdc_t|kadmind_t)'
  type=AVC msg=audit(1708536086.456:512): avc:  denied  { map } for  pid=1677 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.mdb-lock" dev="vda2" ino=262184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=1

Here is the list of rules for krb5kdc_t to krb5kdc_principal_t:

  # sesearch --allow --source krb5kdc_t --target krb5kdc_principal_t
  allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:file map; [ domain_can_mmap_files ]:True
  allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
  allow krb5kdc_t file_type:filesystem getattr;
  allow krb5kdc_t krb5kdc_principal_t:file { append getattr ioctl lock open read write };

Is this issue occurring because the "map" operation is not allowed by the "allow krb5kdc_t krb5kdc_principal_t:file" rule?

Reproducible: Always

Comment 1 Zdenek Pytela 2024-02-21 18:41:35 UTC
Correct, map is a separate permission.

Comment 2 Julien Rische 2024-03-12 16:22:35 UTC
Hello Zdenek,

Do you know when we could expect this change to be released? An approximative date would help us for planning.

Thank you in advance!

Comment 3 Zdenek Pytela 2024-03-12 17:13:07 UTC
The build already exists since 2 weeks ago, but got stuck somewhere in the testing process.
I'll take a look.

Comment 4 Zdenek Pytela 2024-03-13 12:53:59 UTC
The build should be available since today morning, sorry for the delay.

Comment 5 Julien Rische 2024-03-14 17:18:41 UTC
I tested update FEDORA-2024-323decc1d9[1], which added the "map" permission indeed, but it also removed the "lock" one:

  # sesearch --allow --source krb5kdc_t --target krb5kdc_principal_t
  allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
  allow domain file_type:file map; [ domain_can_mmap_files ]:True
  allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
  allow krb5kdc_t file_type:filesystem getattr;
  allow krb5kdc_t krb5kdc_principal_t:file { getattr ioctl map open read write };

The list changed from { append getattr ioctl lock open read write } to { getattr ioctl map open read write }. Would it be possible to keep all the permissions from the initial list, and add the "map" one?


[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-323decc1d9

Comment 6 Julien Rische 2024-03-14 17:32:57 UTC
The missing "lock" permission aside, I noticed there are other cases where daemons create files with invalid context, and some other permissions seem to be missing. I will create another bugzilla for these issues.

Comment 7 Zdenek Pytela 2024-03-14 17:55:30 UTC
(In reply to Julien Rische from comment #5)
> I tested update FEDORA-2024-323decc1d9[1], which added the "map" permission
> indeed, but it also removed the "lock" one:
> 
>   # sesearch --allow --source krb5kdc_t --target krb5kdc_principal_t
>   allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
>   allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
>   allow domain file_type:file map; [ domain_can_mmap_files ]:True
>   allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
>   allow krb5kdc_t file_type:filesystem getattr;
>   allow krb5kdc_t krb5kdc_principal_t:file { getattr ioctl map open read
> write };
> 
> The list changed from { append getattr ioctl lock open read write } to {
> getattr ioctl map open read write }. Would it be possible to keep all the
> permissions from the initial list, and add the "map" one?
Certainly. There seems to be a general problem in policy macros, I replaced
rw_file_perms with mmap_rw_file_perms, not noticing that the latter has unexpectedly different content:

172 define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
173 define(`rw_file_perms',`{ open rw_inherited_file_perms }')
174 define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }')
175 define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }')

Thanks for spotting this. On the other hand, note it is easy to miss an update to a bz which is in late stage (say POST and later), so it's better to create a new bz.

Comment 8 Julien Rische 2024-03-15 13:36:40 UTC
Just mentioning I gave -1 karma to the FEDORA-2024-323decc1d9[1] update because I tested it with the current MIT krb5 version (which is using Berkeley DB), and it is breaking it too:

  # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR | grep -E '(krb5kdc_t|kadmind_t)'
  type=AVC msg=audit(1710509353.206:154): avc:  denied  { lock } for  pid=857 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.kadm5.lock" dev="vda2" ino=262657 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=0

The "lock" permission is required for this DB backend too.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2024-323decc1d9


Note You need to log in before you can comment on or make changes to this bug.