Bug 612800 - SELinux is preventing /usr/sbin/ipa_kpasswd "name_bind" access .
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:225c9665586...
Reported: 2010-07-09 00:29 EDT by David O'Brien
Modified: 2010-10-14 02:46 EDT
Last Closed: 2010-10-14 02:46:59 EDT
Doc Type: Bug Fix
Attachments: None

Description David O'Brien 2010-07-09 00:29:37 EDT
Summary:

SELinux is preventing /usr/sbin/ipa_kpasswd "name_bind" access .

Detailed Description:

SELinux denied access requested by ipa_kpasswd. It is not expected that this
access is required by ipa_kpasswd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipa_kpasswd_t:s0
Target Context                system_u:object_r:kerberos_password_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        ipa_kpasswd
Source Path                   /usr/sbin/ipa_kpasswd
Port                          464
Host                          (removed)
Source RPM Packages           ipa-server-1.91-0.2010070619git7f9485f.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.6-147.fc13.i686.PAE #1 SMP Tue Jul 6
                              22:24:44 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Fri 09 Jul 2010 02:25:37 PM EST
Last Seen                     Fri 09 Jul 2010 02:25:37 PM EST
Local ID                      3be6250e-00bd-4339-8c6a-533534104ea4
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278649537.925:30711): avc:  denied  { name_bind } for  pid=3739 comm="ipa_kpasswd" src=464 scontext=unconfined_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1278649537.925:30711): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bff7c500 a2=81dd098 a3=804d7f5 items=0 ppid=1 pid=3739 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=unconfined_u:system_r:ipa_kpasswd_t:s0 key=(null)



Hash String generated from  catchall,ipa_kpasswd,ipa_kpasswd_t,kerberos_password_port_t,tcp_socket,name_bind
audit2allow suggests:

#============= ipa_kpasswd_t ==============
allow ipa_kpasswd_t kerberos_password_port_t:tcp_socket name_bind;
Comment 1 Rob Crittenden 2010-07-09 11:40:19 EDT
Strange. I can't reproduce this on my x86_64 system and we've never seen this AVC before. It is basically saying it can't bind to the kpasswd TCP port because it lacks permission. In theory this should be affecting all versions of IPA but it isn't.
Comment 2 Daniel Walsh 2010-07-12 15:00:30 EDT
Rob this is something that should be allowed.
Comment 3 Daniel Walsh 2010-07-13 07:49:29 EDT
We added this port definition in F13 to allow the login programs to connect to the password changing port, rather than all of kadmind ports. I think you need to remove the ability for ipa_kpasswd_t to bind to kadmind ports and allow it to bind to kerberos_password_port.

If you are shipping the same package for all packages you could add a gen_requires block, requiring kerberos_password_port_t

optional_policy(`
    gen_require(`
             type kerberos_password_port_t;
    ')
    corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
')

Which should work on all platforms.
Comment 4 Rob Crittenden 2010-07-21 11:44:55 EDT
This fails to build on F-12:

Compiling targeted ipa_kpasswd module
ipa_kpasswd.te:62: Warning: corenet_non_ipsec_sendrecv(ipa_kpasswd_t) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.
/usr/bin/checkmodule:  loading policy configuration from tmp/ipa_kpasswd.tmp
ipa_kpasswd.te":73:ERROR 'syntax error' at token 'corenet_tcp_bind_kerberos_password_port' on line 13849:
#line 73
    corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [tmp/ipa_kpasswd.mod] Error 1
Comment 5 Daniel Walsh 2010-07-21 11:47:32 EDT
Just add

optional_policy(`
     gen_require(`
         type kerberos_password_port_t;
    ')
    corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
')
Comment 6 Rob Crittenden 2010-07-21 11:49:45 EDT
Dan, that's the exact code I pasted into the ipa_kpasswd.te file. It is failing to build.

selinux-policy-targeted-3.6.32-118.fc12.noarch
selinux-policy-3.6.32-118.fc12.noarch
Comment 7 Daniel Walsh 2010-07-21 11:53:09 EDT
Ah ok, you build on F12. If you build on F13 will it install on F12?
Comment 8 Rob Crittenden 2010-07-21 13:18:52 EDT
I haven't tried but that isn't our model. We will build this in koji for each platform.
Comment 9 Daniel Walsh 2010-07-22 10:23:53 EDT
Miroslav can you back port the kerberos_password_port_t; code into F12 policy
Comment 10 Simo Sorce 2010-10-04 16:51:37 EDT
Miroslav, Dan, was this backported to F12?
Otherwise is there a way to make some SELinux rules conditional so that we can have an "if (< F13) {... else ...}" logic?
Comment 11 Dmitri Pal 2010-10-13 16:38:08 EDT
Still see it on F13.

Summary:

SELinux is preventing /usr/sbin/ipa_kpasswd "name_bind" access .

Detailed Description:

SELinux denied access requested by ipa_kpasswd. It is not expected that this
access is required by ipa_kpasswd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipa_kpasswd_t:s0
Target Context                system_u:object_r:kerberos_password_port_t:s0
Target Objects                None [ udp_socket ]
Source                        ipa_kpasswd
Source Path                   /usr/sbin/ipa_kpasswd
Port                          464
Host                          lenovo.home
Source RPM Packages           ipa-server-1.91-0.2010100820gitdccb386.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-62.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     lenovo.home
Platform                      Linux lenovo.home 2.6.34.7-56.fc13.i686 #1 SMP Wed
                              Sep 15 03:33:58 UTC 2010 i686 i686
Alert Count                   20
First Seen                    Mon 11 Oct 2010 02:17:56 PM EDT
Last Seen                     Mon 11 Oct 2010 04:15:49 PM EDT
Local ID                      1ae5c07f-dc76-49dc-afe2-6ed00d272a1f
Line Numbers                  

Raw Audit Messages            

node=lenovo.home type=AVC msg=audit(1286828149.415:24260): avc:  denied  { name_bind } for  pid=4802 comm="ipa_kpasswd" src=464 scontext=unconfined_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=udp_socket

node=lenovo.home type=SYSCALL msg=audit(1286828149.415:24260): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfd70040 a2=8461078 a3=804d761 items=0 ppid=1 pid=4802 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=unconfined_u:system_r:ipa_kpasswd_t:s0 key=(null)
Comment 12 Rob Crittenden 2010-10-13 18:08:38 EDT
The problem isn't F13, it's F12. We have a single SELinux policy and since this variable doesn't exist in F12 we can't fix it for F13+ (unless as Simo has asked we can do a conditional somehow).
Comment 13 Miroslav Grepl 2010-10-14 02:46:58 EDT
(In reply to comment #12)
> The problem isn't F13, it's F12. We have a single SELinux policy and since this
> variable doesn't exist in F12 we can't fix it for F13+ (unless as Simo has
> asked we can do a conditional somehow).

# rpm -q selinux-policy
selinux-policy-3.6.32-123.fc12.noarch

# semanage port -l | grep kerberos_password_port_t
kerberos_password_port_t       tcp      464
kerberos_password_port_t       udp      464

# cat local.te 
policy_module(local, 1.0)

type ipa_kpasswd_t;
domain_type(ipa_kpasswd_t)

optional_policy(`
     gen_require(`
         type kerberos_password_port_t;
    ')
    corenet_tcp_bind_kerberos_password_port(ipa_kpasswd_t)
')

The local.pp policy module works. So it should work also for you.
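As an added example (editor's code, not from this bug, IPA or the selinux-policy package): a small generator that turns the AVC records pasted in this report into the guarded optional_policy/gen_require blocks shown in comment 13. It emits one block per socket class, because the October denial in comment 11 is tclass=udp_socket while the local.te above only calls the tcp bind interface. The corenet_udp_bind_kerberos_password_port name is assumed from refpolicy's corenet_{tcp,udp}_bind_<name>_port convention.

```python
import re

# The two AVC records from this report (July: tcp_socket, October: udp_socket).
AVC_LINES = [
    'node=(removed) type=AVC msg=audit(1278649537.925:30711): avc:  denied  { name_bind } for  pid=3739 comm="ipa_kpasswd" src=464 scontext=unconfined_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=tcp_socket',
    'node=lenovo.home type=AVC msg=audit(1286828149.415:24260): avc:  denied  { name_bind } for  pid=4802 comm="ipa_kpasswd" src=464 scontext=unconfined_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:kerberos_password_port_t:s0 tclass=udp_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bscontext=(?P<sctx>\S+)'
                    r'.*?\btcontext=(?P<tctx>\S+).*?\btclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return the fields a rule needs, or None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    return {'perms': m.group('perms').split(),
            'stype': m.group('sctx').split(':')[2],
            'ttype': m.group('tctx').split(':')[2],
            'tclass': m.group('tclass')}

def raw_rule(d):
    """The unguarded rule audit2allow prints (see 'audit2allow suggests' above)."""
    return 'allow %s %s:%s %s;' % (d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))

def guarded_block(d):
    """Comment 13's optional_policy/gen_require wrapper around the corenet bind
    interface.  Assumption: refpolicy's corenet_{tcp,udp}_bind_<name>_port naming.
    Returns None when the denial is not a name_bind on a *_port_t type."""
    proto = {'tcp_socket': 'tcp', 'udp_socket': 'udp'}.get(d['tclass'])
    if proto is None or 'name_bind' not in d['perms'] or not d['ttype'].endswith('_port_t'):
        return None
    call = 'corenet_%s_bind_%s_port(%s)' % (proto, d['ttype'][:-len('_port_t')], d['stype'])
    return "optional_policy(`\n    gen_require(`\n        type %s;\n    ')\n    %s\n')" % (d['ttype'], call)

def build_module(name, lines):
    """A stand-alone .te like comment 13's local.te: declare the domain, then one
    guarded block per distinct denial, so tcp and udp binds are both covered."""
    denials = [d for d in map(parse_avc, lines) if d]
    out = ['policy_module(%s, 1.0)' % name, '']
    for stype in sorted({d['stype'] for d in denials}):
        out += ['type %s;' % stype, 'domain_type(%s)' % stype, '']
    blocks = []
    for d in denials:
        b = guarded_block(d)
        if b and b not in blocks:
            blocks.append(b)
    return '\n'.join(out + [b + '\n' for b in blocks])
```

Note that optional_policy() only tolerates a missing type when the module is linked and loaded; if the corenet interface macro itself is absent from the build host's policy headers, m4 leaves the token unexpanded and checkmodule reports the syntax error shown in comment 4.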
