737516 – ipa-server files with incorrect selinux context

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 737516 - ipa-server files with incorrect selinux context

Summary: ipa-server files with incorrect selinux context

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	743047
TreeView+	depends on / blocked

Reported:	2011-09-12 11:50 UTC by Karel Srot
Modified:	2015-01-04 23:51 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-2.1.1-2.el6
Doc Type:	Bug Fix
Doc Text:	Do not document
Clone Of:
Environment:
Last Closed:	2011-12-06 18:31:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Karel Srot 2011-09-12 11:50:00 UTC

Description of problem:

from sectool scan after ipa-server installation:

Warning: Mislabeled directory '/var/cache/ipa/sessions' found. Labeled as 'system_u:object_r:var_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
    Hint: File is not labeled as defined in configuration. See man restorecon.

    Warning: Mislabeled directory '/var/cache/ipa/kpasswd' found. Labeled as 'system_u:object_r:var_t:s0', should be 'system_u:object_r:ipa_kpasswd_ccache_t:s0'.
    Hint: File is not labeled as defined in configuration. See man restorecon.

    Warning: Mislabeled regular file '/usr/sbin/ipa_kpasswd' found. Labeled as 'system_u:object_r:bin_t:s0', should be 'system_u:object_r:ipa_kpasswd_exec_t:s0'.
    Hint: File is not labeled as defined in configuration. See man restorecon.



Version-Release number of selected component (if applicable):
Installed:
  ipa-server.i686 0:2.1.1-1.el6      

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Dmitri Pal 2011-09-12 15:28:00 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1779

Comment 2 Rob Crittenden 2011-09-12 17:02:51 UTC

Can you provide the output of:

# semodule -l |grep ipa

Comment 3 Karel Srot 2011-09-13 11:14:30 UTC

Unfortunately I have already returned the server. 
On another one I can see just /usr/sbin/ipa_kpasswd, other two files are missing. The context is wrong, anyway.

# ls -Z /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/ipa_kpasswd
# semodule -l |grep ipa
ipa_dogtag	1.4	
ipa_httpd	1.2	
ipa_kpasswd	1.0

Comment 4 Rob Crittenden 2011-09-13 12:50:17 UTC

What is strange is that this should be covered by ipa_kpasswd.fc:

/usr/sbin/ipa_kpasswd           --      gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)

The module is inserted in %post with:

semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp

Comment 6 Rob Crittenden 2011-09-14 20:49:29 UTC

I can't reproduce this, what version of selinux-policy do you have installed?

Comment 7 Karel Srot 2011-09-15 07:18:29 UTC

tested on RHEL6.2 alpha with selinux-policy-3.7.19-109.el6
same result with latest selinux-policy-3.7.19-110.el6.noarch

# yum -y install ipa-server &> /dev/null
# ls -Z /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/ipa_kpasswd
# rpm -q selinux-policy ipa-server
selinux-policy-3.7.19-110.el6.noarch
ipa-server-2.1.1-1.el6.x86_64

Comment 8 Jenny Severance 2011-09-15 13:53:51 UTC

Now that dependent updated packages in RHEL 6.2,  seeing this, it is the same or different ? ...

Info: Searching AVC errors produced since 1316094012.45 (Thu Sep 15 09:40:12 2011)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/15/2011 09:40:12 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.Tz3Xv8 2>&1'
----
time->Thu Sep 15 09:40:18 2011
type=SYSCALL msg=audit(1316094018.032:245135): arch=c000003e syscall=2 success=no exit=-13 a0=f36b20 a1=2c1 a2=180 a3=65726373662f7274 items=0 ppid=26807 pid=31281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1316094018.032:245135): avc:  denied  { write } for  pid=31281 comm="krb5_child" name="krb5rcache" dev=dm-0 ino=1704819 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=dir
----
time->Thu Sep 15 09:41:23 2011
type=SYSCALL msg=audit(1316094083.291:245140): arch=c000003e syscall=2 success=no exit=-13 a0=1a69860 a1=2c1 a2=180 a3=65726373662f7274 items=0 ppid=26807 pid=31812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1316094083.291:245140): avc:  denied  { write } for  pid=31812 comm="krb5_child" name="krb5rcache" dev=dm-0 ino=1704819 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=dir
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Tz3Xv8 | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.w77E0j 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-110.el6.noarch

Comment 9 Daniel Walsh 2011-09-15 14:25:51 UTC

Miroslav we need to change 

kerberos_manage_host_rcache 

To use 

+               manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)


Needed in RHEL6, F14-16.

Comment 10 Miroslav Grepl 2011-09-15 14:32:56 UTC

Added.

Comment 11 Jenny Severance 2011-09-15 14:39:27 UTC

Thanks!!

Comment 12 Rob Crittenden 2011-09-15 15:13:33 UTC

Jenny, those are from sssd but glad they are taken care of.

I've reproduced this. It is the strangest thing. A restorecon sets the proper
context but I'm not sure why it isn't getting set in the rpm post.

# ls -lZ /usr/sbin/ipa_kpasswd 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/ipa_kpasswd
# restorecon /usr/sbin/ipa_kpasswd 
# ls -lZ /usr/sbin/ipa_kpasswd 
-rwxr-xr-x. root root system_u:object_r:ipa_kpasswd_exec_t:s0 /usr/sbin/ipa_kpasswd

Comment 13 Rob Crittenden 2011-09-15 15:18:14 UTC

This is happening in Fedora 15 as well. I guess we missed it because we aren't seeing any AVCs as a result.

Dan, Karl MacMillan set up pre/post install scripts for our selinux modules many moons ago. Are these still valid?

%pre server-selinux
if [ -s /etc/selinux/config ]; then
       . %{_sysconfdir}/selinux/config
       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
       fi
fi

%post server-selinux
semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
       fixfiles -C ${FILE_CONTEXT}.%{name} restore
       rm -f ${FILE_CONTEXT}.%name
fi

Comment 14 Daniel Walsh 2011-09-15 15:26:58 UTC

Yes those look correct.

So the fixfiles is not working?

Comment 15 Rob Crittenden 2011-09-15 17:51:56 UTC

I think I figured out what is wrong.

Here I am installing the bits on F-15 from a git build:

# rpm -Uvh dist/rpms/*
Preparing...                ########################################### [100%]
   1:freeipa-python         ########################################### [ 20%]
   2:freeipa-client         ########################################### [ 40%]
   3:freeipa-admintools     ########################################### [ 60%]
   4:freeipa-server-selinux ########################################### [ 80%]
   5:freeipa-server         ########################################### [100%]

Our postinstall script makes a copy of file_contents to know what to fix. If the selinux package is getting installing before the server package then anything defined in server isn't getting the right context.

We currently have this in the server subpackage:

Requires(post): %{name}-server-selinux = %{version}-%{release}

I removed this and added this in the server-selinux subpackage:

Requires(post): %{name}-server = %{version}-%{release}

That seems to have done the trick, freeipa-server-selinux installed last.

Not sure what changed that broke this, or when.

Comment 16 Rob Crittenden 2011-09-16 20:52:08 UTC

Fixed upstream: 

master: 80a4db80bab167ef805056a44138d2449e0fc465

ipa-2-1: 5a778d4def66a338e574d4ca3825e3a247032f3a

Comment 20 Martin Kosek 2011-11-01 12:01:10 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 21 Gowrishankar Rajaiyan 2011-11-07 05:50:51 UTC

# yum install ipa-server
<snip>
  Installing : mod_wsgi-3.2-1.el6.x86_64                                       118/120 
  Installing : ipa-server-2.1.3-8.el6.x86_64                                   119/120 
  Installing : ipa-server-selinux-2.1.3-8.el6.x86_64                           120/120 
</snip>

[root@hp-dl580g5-01 ~]# ls -lZ /usr/sbin/ipa_kpasswd 
-rwxr-xr-x. root root system_u:object_r:ipa_kpasswd_exec_t:s0 /usr/sbin/ipa_kpasswd
[root@hp-dl580g5-01 ~]# 

No more ipa issues found in sectool scan.


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Tue 01 Nov 2011 05:51:27 PM EDT
Install Date: Mon 07 Nov 2011 12:21:33 AM EST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@hp-dl580g5-01 ~]#

Comment 22 errata-xmlrpc 2011-12-06 18:31:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.