SELinux denials on install

Reported by: davido
Assigned to: kmacmill
Priority: minor
Milestone:
Component: ipa-server
Version:
Keywords: installation SELinux
Cc:

Description

Copied from email to list.

I got these during the server install:

[11/15]: adding default layout
Failed to add default ds layout
Command '/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero exit status 32
root : CRITICAL Failed to add default ds layout Command '/usr/bin/ldapmodify -xv -D cn=Directory Manager -w password -f /tmp/tmpgkg7cC' returned non-zero exit status 32
[12/15]: configuring Posix uid/gid generation as first master

A fix for this will be merged today.

type=AVC msg=audit(1196374877.700:22): avc: denied { read write } for pid=3697 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:krb5kdc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Can you file a bug for this one?

type=AVC msg=audit(1196374892.221:23): avc: denied { read write } for pid=3743 comm="httpd" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.

type=AVC msg=audit(1196374896.627:24): avc: denied { read write } for pid=3809 comm="radiusd" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.

type=AVC msg=audit(1196374897.129:25): avc: denied { search } for pid=3809 comm="radiusd" name="tmp" dev=dm-0 ino=816001 scontext=user_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Put in above bug.

type=AVC msg=audit(1196374901.612:26): avc: denied { read write } for pid=3947 comm="krb5kdc" path="socket:[14728]" dev=sockfs ino=14728 scontext=user_u:system_r:krb5kdc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=tcp_socket

Put in above bug.
I believe the above errors are from Fedora 7. Add this one reported by ntp on RHEL 5.1:

avc: denied { read, write } for comm="ntpd" dev=sockfs egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 path="socket:[369825]" pid=28543 scontext=user_u:system_r:ntpd_t:s0 sgid=0 subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=tcp_socket tcontext=user_u:system_r:unconfined_t:s0 tty=pts1 uid=0

Dan, Karl was going to fix these but he didn't before he left. Can you take a look at these?
Not sure what is causing this. Looks like you are running an application as unconfined_t and then it forks/execs ntpd_t, but you did not close the open tcp_socket.

fcntl(socket, F_SETFD, FD_CLOEXEC)
Dan, the application is the IPA install script, which is written in Python. I am having a hard time finding out what this socket might be, though, and why it should concern ntpd (which is run via "service ntpd start").
It is probably yum? Or if the install does a network connection. SELinux looks at all open file descriptors that are handed to a confined application and then closes them if the confined application does not have access. This can be ignored other than SELinux putting up an ugly message, but it would be best to fix whatever app is opening the tcp connection.
Rob, could it be the checks we do to find out if the FDS ports are used?
So you think it might be that we check the ports but don't close them properly, so those open ports get inherited by ntpd?
Yes, you don't need to close them, but you need to set them up to close on exec via the fcntl command. By default all UNIX fds are inherited by the fork/exec application.
Just pushed out an SELinux patch for ipa_webgui and ipa_kpasswd. Can you re-test this with a fresh build to see if it is still a problem? Or if new problems have been introduced?
Created attachment 296643 [details] log from Fedora 7
These AVC messages seem to be attempts to write to a log file in a user's home directory and a leaked file descriptor. Did you redirect stdout to /home/rcrit/ipaserver-install.log?
ipa-server-install opens the log using Python's log handler. We then use subprocess.Popen() to run things. In most of these it looks like the errors are coming from executing the service init scripts.
Ok, nice. The function call has a close_fds option. I've used that and quickly tested and confirmed that the ntp errors have gone away. I'll do a fresh install and hopefully these will all disappear. I've also changed the location of the log file to be the home directory of root (probably /root). I think that will also help and is certainly better than writing in the cwd.
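An added example (not from the ticket or the IPA code) that reproduces the leak Dan describes and checks both fixes discussed above: the FD_CLOEXEC flag set via fcntl, and the close_fds option of subprocess. It binds a throwaway loopback socket to stand in for the port check and spawns a small constructed child program in place of ntpd; since Python 3.4 sockets are non-inheritable by default, so the example marks the fd inheritable first to reproduce the Python 2 behaviour of the ticket era.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Child program (constructed for this example): report whether the fd number
# it is handed is still open, i.e. whether it leaked across fork/exec into
# the child, which is what the confined ntpd/krb5kdc/httpd saw in the AVCs.
CHILD = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1])); print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def open_probe_socket():
    """Open a TCP socket the way a port-availability check might (bound to an
    ephemeral loopback port). The fd is marked inheritable on purpose: Python
    3.4+ sets FD_CLOEXEC on new sockets, which would hide the original bug."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    os.set_inheritable(s.fileno(), True)
    return s


def child_sees_fd(fd, close_fds):
    """Spawn a child via subprocess and ask it whether fd is open there."""
    out = subprocess.run([sys.executable, "-c", CHILD, str(fd)],
                         close_fds=close_fds, capture_output=True, text=True)
    return out.stdout.strip() == "open"


def leak_status(fix=None):
    """fix=None reproduces the bug; 'cloexec' applies the fcntl fix on the
    socket; 'close_fds' uses Popen's close_fds=True. Returns True if the
    socket leaked into the child."""
    s = open_probe_socket()
    try:
        if fix == "cloexec":
            flags = fcntl.fcntl(s.fileno(), fcntl.F_GETFD)
            fcntl.fcntl(s.fileno(), fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)
        return child_sees_fd(s.fileno(), close_fds=(fix == "close_fds"))
    finally:
        s.close()


if __name__ == "__main__":
    for fix in (None, "cloexec", "close_fds"):
        print(fix, "leaked" if leak_status(fix) else "not leaked")
```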
Ok, that did it. Down to two messages in the audit log now:

type=USYS_CONFIG msg=audit(1204568235.506:5503): user pid=32721 uid=0 auid=500 subj=user_u:system_r:hwclock_t:s0 msg='changing system time: exe="/sbin/hwclock" (hostname=?, addr=?, terminal=pts/1 res=success)'

type=USER_AVC msg=audit(1204568308.362:5504): user pid=1657 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=57) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
According to the guys in #selinux the first message can be ignored and the second is related to dbus. I may be seeing it because I'm on Fedora 7. In any case it isn't an IPA issue.
Created attachment 296662 [details] close fds to prevent AVCs, move logs to /root or /var/log
I prefer you to move it to /var/log.
As requested, client and server install logs go to /var/log. Committed as changeset 703.
None of these messages are seen. Marking bug verified. Build 04/02.