Bug 702020 - selinux denial for httpd when it tries to access pki-ca (on a remote machine)
Summary: selinux denial for httpd when it tries to access pki-ca (on a remote machine)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks: 702988
Reported: 2011-05-04 14:47 UTC by Kashyap Chamarthy
Modified: 2012-06-21 23:13 UTC
CC: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-21 23:13:40 UTC
Target Upstream Version:
Embargoed:



Description Kashyap Chamarthy 2011-05-04 14:47:06 UTC
Description of problem:
selinux denial for httpd when it tries to access pki-ca (on a remote machine)

Version-Release number of selected component (if applicable):
mod_nss-1.0.8-12.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
0. Ensure SELinux is Enforcing
1. Configure mod_revocator, with CRL checking on

-------------
#cat /etc/httpd/conf.d/revocator.conf 
LoadModule rev_module modules/mod_rev.so
CRLEngine on
CRLAgeCheck off
CRLUpdateCritical off
CRLHelper /usr/bin/crlhelper
CRLFile http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL;1;1
--------------
2. Restart httpd


Actual results:

Error log info with selinux in Enforcing and Permissive:
#######################################################################
[root@shark alias]# getenforce 
Enforcing
################################################
[root@shark alias]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
################################################
[root@shark alias]# tail /var/log/httpd/error_log
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[Wed May 04 04:31:53 2011] [error] Error updating CRL http://cspki.lab.eng.pnq.redhat.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL no subject : Unable to connect to remote host
[Wed May 04 04:31:53 2011] [error] Unable to load Revocation module, NSS error -8187. CRL retrieval will be disabled.
[root@shark alias]# cat /var/log/audit/audit.log | audit2allow -R

require {
	type httpd_t;
}

#============= httpd_t ==============
corenet_tcp_connect_pki_ca_port(httpd_t)

#######################################################################
[root@shark alias]# setenforce 0
################################################
[root@shark alias]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
################################################
[root@shark alias]# tail /var/log/httpd/error_log
[Wed May 04 04:33:10 2011] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Wed May 04 04:33:10 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[Wed May 04 04:33:10 2011] [notice] Revocation subsystem initialized 2
[root@shark alias]# 
#######################################################################

Comment 2 Ade Lee 2011-05-04 16:21:26 UTC
So the workaround is to add the relevant selinux rule.

You can do this following the instructions at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/96/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Two ways:

audit2allow -a -M revoker
semodule -i revoker


Or, you can set a selinux boolean:

setsebool httpd_can_network_connect on

Comment 3 Ade Lee 2011-05-04 16:22:28 UTC
actually that should be:

semodule -i revoker.pp

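The two routes in comments 2 and 3 differ a lot in scope: the boolean lets httpd_t connect to every TCP port, while a custom module grants only the port type named in the denial. The following shell example is added here and is not from the bug report or from any Red Hat tool; it triages AVC lines for TCP name_connect denials and emits the module source in the same form audit2allow -M produces. The AVC lines are constructed to mirror this bug (port 9180 labelled pki_ca_port_t), and the module name revoker follows comment 2.

```shell
#!/bin/sh
# Constructed sample audit.log lines modelled on the denial in this bug:
# httpd_t is refused name_connect to tcp/9180, which carries the pki_ca_port_t label.
# The third line is an unrelated file denial, included to show it is filtered out.
AVC_SAMPLE='type=AVC msg=audit(1304483513.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=9180 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1304483513.456:457): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=9180 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1304483599.001:470): avc:  denied  { read } for  pid=2347 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read AVC lines on stdin and print "source_type dest_port target_port_type"
# once per distinct TCP name_connect denial; other denial classes are skipped.
tcp_connect_denials() {
  grep -F 'denied  { name_connect }' | grep -F 'tclass=tcp_socket' |
    sed -n 's/.*dest=\([0-9]*\).*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\2 \1 \3/p' |
    sort -u
}

# Policy module source that allows exactly one domain -> port type connection,
# the narrow alternative to 'setsebool httpd_can_network_connect on'.
# $1 = module name, $2 = source domain (httpd_t), $3 = port type (pki_ca_port_t).
module_te() {
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass tcp_socket name_connect;\n}\n\n' "$1" "$2" "$3"
  printf 'allow %s %s:tcp_socket name_connect;\n' "$2" "$3"
}

# Compile and load the module. Only meaningful on an SELinux host with the
# policycoreutils tools installed; refuses to run otherwise.
install_module() {  # $1 = module name, $2 = source domain, $3 = port type
  command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found" >&2; return 1; }
  module_te "$1" "$2" "$3" > "$1.te"
  checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Stand-alone run: triage the constructed log and show the module that results.
printf '%s\n' "$AVC_SAMPLE" | tcp_connect_denials | while read -r src port ptype; do
  echo "# $src denied name_connect to tcp/$port ($ptype); narrow module source:"
  module_te revoker "$src" "$ptype"
done
```

On a real host, feed the live log with `tcp_connect_denials < /var/log/audit/audit.log` and confirm the reported port type is the one you intend to allow before calling install_module.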
Comment 4 RHEL Program Management 2011-05-05 06:00:21 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 6 Rob Crittenden 2011-05-09 14:38:36 UTC
I think this is a doc issue with the range of fixes being what Ade said. 9180 is a non-standard port which is why SELinux is complaining.

Comment 8 Ade Lee 2011-05-10 19:45:10 UTC
This isn't really a bug per se, so much as a doc issue.  You are trying to access a specific non-standard port that is protected by selinux and need to add a rule to allow this access.  This is, I think, a fairly standard selinux operation?

An example of when this happens, is when Kashyap was doing whatever testing he was doing with mod_revocator.

Consequence: Access is denied to the port (9180).

Workaround:  See comment #2 above. Two ways are provided to allow the relevant access.

Result: Access is provided.  No restrictions.

Comment 11 Ade Lee 2011-06-08 13:40:45 UTC
I checked on a 6.1 system with neither ipa nor dogtag installed.

There are several ports (including 9180) that appear to be defined as pki_ca_t.
This means that the ports are defined within core selinux policy.

As an aside, I confirmed with Kashyap that he used a 6.1 machine with only mod_revocator installed.

This means that this is a core selinux policy bug.  Either we need to remove the port designation from core selinux policy, or we need to add the relevant rules to allow mod_revocator to work.

On a dogtag system, this is not an issue because the selinux policy generated by dogtag on the fly creates rules for the required access.

Comment 12 Dmitri Pal 2011-06-08 15:06:24 UTC
Dan, please update the policy.

Comment 13 Daniel Walsh 2011-06-10 03:01:05 UTC
This is not an SELinux bug.  If you want to install your package, then you either need to tell apache it can connect to any port, or you need to add a custom policy.  We are not going to ship policy that lets every apache server connect to the pki_ca_port.

corenet_tcp_connect_pki_ca_port(httpd_t)

Comment 14 RHEL Program Management 2011-06-10 03:14:56 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Comment 15 Dmitri Pal 2011-06-10 13:36:03 UTC
Then it is an IPA bug.

Comment 16 Dmitri Pal 2011-06-10 13:40:27 UTC
https://fedorahosted.org/freeipa/ticket/1316

Comment 17 Rob Crittenden 2011-06-10 15:22:53 UTC
This is not an IPA bug.

We do not configure mod_revocator by default therefore we do not allow the port.

As Ade said, this is a documentation issue. Anyone wanting to use the IPA CA for OCSP or CRL retrieval will need to LOCALLY allow Apache to communicate on that port as an HTTP client.

Comment 18 Dmitri Pal 2011-06-10 16:30:25 UTC
Locally meaning 

"If you want to use IPA CA for OCSP or CRL retrieval, configure your client software to be able to access the remote service. If the client is for example an Apache application leveraging mod_revocator, the SELinux policies on the client should be adjusted to allow Apache access to the IPA server. By default SELinux policies would prevent such communication."

Is this the correct statement?

Comment 19 Rob Crittenden 2011-06-10 17:47:10 UTC
It is, though I wonder if the word client is going to confuse people. They may not consider that mod_revocator in this case is the client. I tried to mock up something better but wasn't able to in any sort of concise way.

Comment 20 Deon Ballard 2011-08-16 19:17:42 UTC
Re-assigning to me as a doc bug.

Comment 21 Deon Ballard 2011-11-15 02:37:49 UTC
Setting to ON_QA for review for 6.2.

This is a bulk change, so I'm not providing links at this time. If you need help finding the info, ping sunny-dee on #docs or email me.

Thanks!

Comment 23 Deon Ballard 2012-06-21 23:13:40 UTC
Closing.

