Bug 680510 - Certmonger: SELinux AVCs reading krb5 keytab file
Summary: Certmonger: SELinux AVCs reading krb5 keytab file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-25 18:33 UTC by Jenny Severance
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: selinux-policy-3.9.7-37.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-22 18:52:23 UTC
Type: ---
Embargoed:

Description Jenny Severance 2011-02-25 18:33:14 UTC
Description of problem:
# cat /var/log/audit/audit.log | audit2allow

#============= certmonger_t ==============
allow certmonger_t krb5_keytab_t:file read;

type=AVC msg=audit(1298398923.421:39879): avc:  denied  { read } for  pid=26593 comm="ipa-submit" name="krb5.keytab" dev=dm-0 ino=146467 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1298398923.421:39879): arch=40000003 syscall=5 success=no exit=-13 a0=8bf8518 a1=0 a2=1b6 a3=541e38 items=0 ppid=26572 pid=26593 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

Version-Release number of selected component (if applicable):
freeipa-client-2.0-0.20110222T1504Zgit744eb8e.fc14.i686
certmonger-0.30-4.fc14.i686

How reproducible:


Steps to Reproduce:
1. install ipa client
2. check the audit log

Actual results:


Expected results:


Additional info:

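The denial above is a pair of audit records sharing one serial (39879): the AVC record carries the source/target contexts and the denied permission, and the SYSCALL record tells you which binary made the call and that it failed with EACCES (exit=-13). The following is an added example, not part of this bug report and not the code of certmonger or audit2allow; it parses such records the way audit2allow does to produce the TE allow rule, joins each AVC with its SYSCALL record by serial, and flags denials whose target type holds credentials (here the keytab) so that a policy reviewer sees what is being granted before the rule is applied. The sample input is the two records quoted in the report, embedded as a constructed string; the sensitive-type table and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the bug report, as they
# appear in /var/log/audit/audit.log (the assumed input file).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1298398923.421:39879): avc:  denied  { read } for  pid=26593 comm="ipa-submit" name="krb5.keytab" dev=dm-0 ino=146467 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1298398923.421:39879): arch=40000003 syscall=5 success=no exit=-13 a0=8bf8518 a1=0 a2=1b6 a3=541e38 items=0 ppid=26572 pid=26593 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)
"""

# Record envelope: type=<TYPE> msg=audit(<timestamp>:<serial>): <rest>
MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# AVC body: avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that hold credentials; a denial against these deserves a human look
# rather than an automatic allow rule. Table is this example's own, not policy data.
SENSITIVE_TARGETS = {"krb5_keytab_t": "Kerberos keytab (host/service keys)"}


def parse_fields(text):
    """Turn 'k=v k="v v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def selinux_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def parse_audit_log(text):
    """Return AVC denials, each joined with the SYSCALL record of the same serial."""
    avcs = defaultdict(list)
    syscalls = {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        serial = int(m.group("serial"))
        if m.group("type") == "AVC":
            a = AVC_RE.match(m.group("rest"))
            if not a or a.group("result") != "denied":
                continue
            rec = parse_fields(a.group("fields"))
            rec["perms"] = a.group("perms").split()
            rec["serial"] = serial
            avcs[serial].append(rec)
        elif m.group("type") == "SYSCALL":
            syscalls[serial] = parse_fields(m.group("rest"))
    denials = []
    for serial, recs in avcs.items():
        sc = syscalls.get(serial, {})
        for rec in recs:
            rec["exe"] = sc.get("exe")    # binary that made the call, if the SYSCALL record was found
            rec["exit"] = sc.get("exit")  # "-13" is EACCES
            denials.append(rec)
    return denials


def allow_rules(denials):
    """Aggregate denials into TE allow rules keyed by (source type, target type, class)."""
    perms = defaultdict(set)
    for d in denials:
        key = (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])
        perms[key].update(d["perms"])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = " ".join(sorted(p))
        if len(p) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


def review_notes(denials):
    """One note per denial whose target type is in SENSITIVE_TARGETS."""
    notes = []
    for d in denials:
        tgt = selinux_type(d["tcontext"])
        if tgt in SENSITIVE_TARGETS:
            exe = d.get("exe") or "exe unknown"
            notes.append(f"{d['comm']} ({exe}) wants {' '.join(d['perms'])} on "
                         f"{d.get('name', '?')} [{tgt}]: {SENSITIVE_TARGETS[tgt]}")
    return notes


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for note in review_notes(found):
        print("REVIEW:", note)
```

Run as-is it prints the same rule audit2allow produced in the report, followed by a review line naming the helper binary and the keytab. The review step is the point: a keytab read is exactly the kind of access that should be granted deliberately (as comment 1 argues it should be here) rather than pasted from audit2allow output into a local module.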
Comment 1 Nalin Dahyabhai 2011-02-25 19:03:43 UTC
ipa-submit wants to authenticate as the client system when it submits the
signing request to the IPA server's XML-RPC service, and it uses the keys in
the keytab to obtain the creds that it uses to do so.  I think this should be
allowed by policy.  (We could lock it down further if we built policy for each
of the CA-type-specific helpers, but I guess we're not there yet.)

Comment 2 Daniel Walsh 2011-02-25 20:42:16 UTC
One of the AVCs is being caused by the coolkey package not including the /var/cache/coolkey directory within its payload.

If you simply add this directory, rpm will label the directory correctly, auth_cache_t, which certmonger_t can currently read and write.

Comment 3 Daniel Walsh 2011-02-25 20:43:34 UTC
oops wrong bug.



Miroslav please back port certmonger.* to F13, F14, RHEL6.

Comment 4 Miroslav Grepl 2011-03-07 23:59:16 UTC
Fixed in selinux-policy-3.9.7-33.fc14

Comment 5 Rob Crittenden 2011-03-15 18:54:09 UTC
Can an update be created so this can land in F-14?

Comment 6 Fedora Update System 2011-03-18 15:07:23 UTC
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14

Comment 7 Fedora Update System 2011-03-21 08:45:21 UTC
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14

Comment 8 Fedora Update System 2011-03-22 18:50:57 UTC
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
