Bug 430024 - SELinux denials on install
Product: freeIPA
Classification: Community
Component: ipa-server (Show other bugs)
Hardware: All  OS: Linux
Priority: high  Severity: high
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: freeipa10 429034
Reported: 2008-01-24 02:05 EST by Chandrasekar Kannan
Modified: 2012-03-27 03:17 EDT (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix

Attachments
log from Fedora 7 (9.38 KB, text/plain) - 2008-03-03 12:43 EST, Rob Crittenden
close fds to prevent AVCs, move logs to /root or /var/log (2.47 KB, patch) - 2008-03-03 14:14 EST, Rob Crittenden

Description Chandrasekar Kannan 2008-01-24 02:05:22 EST
SELinux denials on install
Reported by: davido
Assigned to: kmacmill
Priority: minor
Milestone:
Component: ipa-server
Version:
Keywords: installation SELinux
Cc:
Description

Copied from email to list. I got these during the server install:

        [11/15]: adding default layout
        Failed to add default ds layout
        Command '/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero exit status 32
        root : CRITICAL Failed to add default ds layout
        Command '/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero exit status 32
        [12/15]: configuring Posix uid/gid generation as first master

A fix for this will be merged today.

        type=AVC msg=audit(1196374877.700:22): avc: denied { read write } for pid=3697 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:krb5kdc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Can you file a bug for this one?

        type=AVC msg=audit(1196374892.221:23): avc: denied { read write } for pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.

        type=AVC msg=audit(1196374896.627:24): avc: denied { read write } for pid=3809 comm="radiusd" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.

        type=AVC msg=audit(1196374897.129:25): avc: denied { search } for pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Put in above bug.

        type=AVC msg=audit(1196374901.612:26): avc: denied { read write } for pid=3947 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:krb5kdc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.
Comment 3 Rob Crittenden 2008-02-06 13:24:27 EST
I believe the above errors are from Fedora 7.

Add this one reported by ntp on RHEL 5.1:

avc: denied { read, write } for comm="ntpd" dev=sockfs egid=0 euid=0
exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[369825]"
pid=28543 scontext=user_u:system_r:ntpd_t:s0 sgid=0
subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=tcp_socket
tcontext=user_u:system_r:unconfined_t:s0 tty=pts1 uid=0

Dan. Karl was going to fix these but he didn't before he left. Can you take a
look at these?
Comment 4 Daniel Walsh 2008-02-06 15:26:23 EST
Not sure what is causing this.  Looks like you are running an application as
unconfined_t and then it forks/execs ntpd_t. But you did not close the open

fcntl(socket, F_SETFD, FD_CLOEXEC)
Comment 5 Simo Sorce 2008-02-06 15:50:59 EST
the application is the IPA install script which is written in python.
I am having a hard time finding out what this socket might be though, and why it
should concern ntpd (which is run via "service ntpd start")
Comment 6 Daniel Walsh 2008-02-06 15:57:13 EST
It is probably yum? Or if the install does a network connection.

SELinux looks at all open file descriptors that are handed to a confined
application and then closes them if the confined application does not have
access. This can be ignored other than SELinux putting up an ugly message, but
it would be best to fix whatever app is opening the tcp connection.
Comment 7 Simo Sorce 2008-02-06 16:07:27 EST
could it be the checks we do to find out if the FDS ports are used ?
Comment 8 Rob Crittenden 2008-02-06 16:24:48 EST
So you think it might be that we check the ports but don't close them properly,
so those open ports get inherited by ntpd?
Comment 9 Daniel Walsh 2008-02-06 16:31:31 EST
Yes, You don't need to close them, but you need to set them up to close on exec
via the fcntl command.  By default all UNIX fds are inherited by the fork/exec
Comment 10 Rob Crittenden 2008-02-20 13:17:10 EST
Just pushed out an SELinux patch for ipa_webgui and ipa_kpasswd. Can you re-test
this with a fresh build to see if it is still a problem? Or if new problems have
been introduced?
Comment 11 Rob Crittenden 2008-03-03 12:43:30 EST
Created attachment 296643 [details]
log from Fedora 7
Comment 12 Daniel Walsh 2008-03-03 13:05:11 EST
These AVC messages seem to be attempts to write to a log file in a users home
directory and a leaked file descriptor.

Did you redirect stdout to /home/rcrit/ipaserver-install.log
Comment 13 Rob Crittenden 2008-03-03 13:14:46 EST
ipa-server-install opens the log using Python's log handler.

We then use subprocess.Popen() to run things. In most of these it looks like the
errors are coming from executing the service init scripts.
Comment 14 Rob Crittenden 2008-03-03 13:16:59 EST
Ok, nice. The function call has a close_fds option. I've used that and quickly
tested and confirmed that the ntp errors have gone away.

I'll do a fresh install and hopefully these will all disappear.

I've also changed the location of the log file to be the home directory of root
(probably /root). I think that will also help and is certainly better than
writing in the cwd.
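The descriptor leak Dan describes in comments 4, 6 and 9, and the two fixes the thread arrives at (FD_CLOEXEC on the descriptor, or Popen(close_fds=True) as in comment 14), shown as an added Python example. This is not the FreeIPA installer's code. It creates a TCP socket without connecting anywhere, marks it inheritable to mimic Python 2 (Python 3.4+ sets FD_CLOEXEC on new descriptors by default per PEP 446, and Python 3.2+ Popen defaults to close_fds=True, so both old behaviours have to be re-enabled for the leak to reproduce), then asks a child process whether it inherited that fd. SELinux is not needed to observe the leak itself; the AVC lines above are simply the kernel reporting that a confined domain was handed a descriptor owned by unconfined_t.

```python
"""Show how an open TCP socket leaks across fork/exec and the two fixes
discussed in this bug: FD_CLOEXEC on the descriptor, or Popen(close_fds=True).

Added example, not FreeIPA code. No network traffic is generated: the socket
is only created, which is all that is needed for a child to inherit a
tcp_socket descriptor."""
import fcntl
import os
import socket
import stat
import subprocess
import sys

# Child program: report whether descriptor argv[1] is still an open socket
# after exec. A daemon started from an init script is in exactly this
# position; under SELinux the kernel logs an AVC when a confined domain is
# handed such a descriptor.
_CHILD = """
import os, stat, sys
fd = int(sys.argv[1])
try:
    print("socket" if stat.S_ISSOCK(os.fstat(fd).st_mode) else "other")
except OSError:
    print("closed")
"""


def open_probe_socket(inheritable: bool) -> socket.socket:
    """Open a TCP socket the way an 'is this port free?' check might.

    Python >= 3.4 creates descriptors with FD_CLOEXEC already set (PEP 446);
    Python 2, which the 2008 installer used, did not. inheritable=True
    reproduces the old behaviour."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    os.set_inheritable(s.fileno(), inheritable)
    return s


def set_cloexec(fd: int) -> None:
    """Fix from comments 4 and 9: keep the fd open here, close it on exec."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def child_inherits(fd: int, close_fds: bool) -> bool:
    """Exec a child via subprocess and report whether it inherited `fd`.

    close_fds=False is what Python 2's Popen did by default; the fix in
    comment 14 is to pass close_fds=True (the default since Python 3.2)."""
    proc = subprocess.run(
        [sys.executable, "-c", _CHILD, str(fd)],
        close_fds=close_fds,
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout.strip() == "socket"


def demo() -> dict:
    """Run the three scenarios; returns {scenario: child_saw_our_socket}."""
    results = {}

    # 1. The bug: inheritable socket plus a Popen that leaves fds open.
    s = open_probe_socket(inheritable=True)
    try:
        results["leaked"] = child_inherits(s.fileno(), close_fds=False)
    finally:
        s.close()

    # 2. Fix from comment 14: Popen(close_fds=True) closes every fd > 2.
    s = open_probe_socket(inheritable=True)
    try:
        results["close_fds"] = child_inherits(s.fileno(), close_fds=True)
    finally:
        s.close()

    # 3. Fix from comments 4 and 9: FD_CLOEXEC on the descriptor itself.
    s = open_probe_socket(inheritable=True)
    try:
        set_cloexec(s.fileno())
        results["cloexec"] = child_inherits(s.fileno(), close_fds=False)
    finally:
        s.close()

    return results


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name:10s} child saw socket: {leaked}")
```

Only the first scenario reports True. The FD_CLOEXEC route is the one to prefer when the parent must keep the descriptor for itself (a listening socket, a log file) but never wants a child to see it; close_fds=True is the blunt instrument that also catches descriptors you did not know were open, which is why it fixed the ntpd, krb5kdc and httpd denials here in one change.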
Comment 15 Rob Crittenden 2008-03-03 13:18:53 EST
Ok, that did it. Down to two messages in the audit log now:

type=USYS_CONFIG msg=audit(1204568235.506:5503): user pid=32721 uid=0 auid=500
subj=user_u:system_r:hwclock_t:s0 msg='changing system time: exe="/sbin/hwclock"
(hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_AVC msg=audit(1204568308.362:5504): user pid=1657 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received
policyload notice (seqno=57) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
Comment 16 Rob Crittenden 2008-03-03 14:14:13 EST
According to the guys in #selinux the first message can be ignored and the
second is related to dbus. I may be seeing it because I'm on Fedora 7. In any
case it isn't an IPA issue.
Comment 17 Rob Crittenden 2008-03-03 14:14:43 EST
Created attachment 296662 [details]
close fds to prevent AVCs, move logs to /root or /var/log
Comment 18 Daniel Walsh 2008-03-03 14:23:58 EST
I prefer you to move it to /var/log.
Comment 19 Rob Crittenden 2008-03-03 16:15:45 EST
As requested, client and server install logs go to /var/log.

Committed as changeset 703
Comment 20 Chandrasekar Kannan 2008-04-04 08:19:18 EDT
None of these messages are seen.
Marking bug verified.
Build 04/02.
