Bug 737516 - ipa-server files with incorrect selinux context
Summary: ipa-server files with incorrect selinux context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 743047
Reported: 2011-09-12 11:50 UTC by Karel Srot
Modified: 2015-01-04 23:51 UTC (History)

Fixed In Version: ipa-2.1.1-2.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Environment:
Last Closed: 2011-12-06 18:31:12 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Karel Srot 2011-09-12 11:50:00 UTC
Description of problem:

from sectool scan after ipa-server installation:

Warning: Mislabeled directory '/var/cache/ipa/sessions' found. Labeled as 'system_u:object_r:var_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
    Hint: File is not labeled as defined in configuration. See man restorecon.

    Warning: Mislabeled directory '/var/cache/ipa/kpasswd' found. Labeled as 'system_u:object_r:var_t:s0', should be 'system_u:object_r:ipa_kpasswd_ccache_t:s0'.
    Hint: File is not labeled as defined in configuration. See man restorecon.

    Warning: Mislabeled regular file '/usr/sbin/ipa_kpasswd' found. Labeled as 'system_u:object_r:bin_t:s0', should be 'system_u:object_r:ipa_kpasswd_exec_t:s0'.
    Hint: File is not labeled as defined in configuration. See man restorecon.



Version-Release number of selected component (if applicable):
Installed:
  ipa-server.i686 0:2.1.1-1.el6      

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Dmitri Pal 2011-09-12 15:28:00 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1779

Comment 2 Rob Crittenden 2011-09-12 17:02:51 UTC
Can you provide the output of:

# semodule -l |grep ipa

Comment 3 Karel Srot 2011-09-13 11:14:30 UTC
Unfortunately I have already returned the server. 
On another one I can see just /usr/sbin/ipa_kpasswd, other two files are missing. The context is wrong, anyway.

# ls -Z /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/ipa_kpasswd
# semodule -l |grep ipa
ipa_dogtag	1.4	
ipa_httpd	1.2	
ipa_kpasswd	1.0

Comment 4 Rob Crittenden 2011-09-13 12:50:17 UTC
What is strange is that this should be covered by ipa_kpasswd.fc:

/usr/sbin/ipa_kpasswd           --      gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)

The module is inserted in %post with:

semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp

Comment 6 Rob Crittenden 2011-09-14 20:49:29 UTC
I can't reproduce this, what version of selinux-policy do you have installed?

Comment 7 Karel Srot 2011-09-15 07:18:29 UTC
tested on RHEL6.2 alpha with selinux-policy-3.7.19-109.el6
same result with latest selinux-policy-3.7.19-110.el6.noarch

# yum -y install ipa-server &> /dev/null
# ls -Z /usr/sbin/ipa_kpasswd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/ipa_kpasswd
# rpm -q selinux-policy ipa-server
selinux-policy-3.7.19-110.el6.noarch
ipa-server-2.1.1-1.el6.x86_64

Comment 8 Jenny Galipeau 2011-09-15 13:53:51 UTC
Now that the dependent packages have been updated in RHEL 6.2, I am seeing this. Is it the same issue or a different one? ...

Info: Searching AVC errors produced since 1316094012.45 (Thu Sep 15 09:40:12 2011)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/15/2011 09:40:12 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.Tz3Xv8 2>&1'
----
time->Thu Sep 15 09:40:18 2011
type=SYSCALL msg=audit(1316094018.032:245135): arch=c000003e syscall=2 success=no exit=-13 a0=f36b20 a1=2c1 a2=180 a3=65726373662f7274 items=0 ppid=26807 pid=31281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1316094018.032:245135): avc:  denied  { write } for  pid=31281 comm="krb5_child" name="krb5rcache" dev=dm-0 ino=1704819 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=dir
----
time->Thu Sep 15 09:41:23 2011
type=SYSCALL msg=audit(1316094083.291:245140): arch=c000003e syscall=2 success=no exit=-13 a0=1a69860 a1=2c1 a2=180 a3=65726373662f7274 items=0 ppid=26807 pid=31812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1316094083.291:245140): avc:  denied  { write } for  pid=31812 comm="krb5_child" name="krb5rcache" dev=dm-0 ino=1704819 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=dir
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Tz3Xv8 | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.w77E0j 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-110.el6.noarch

Comment 9 Daniel Walsh 2011-09-15 14:25:51 UTC
Miroslav we need to change 

kerberos_manage_host_rcache 

To use 

+               manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)


Needed in RHEL6, F14-16.

Comment 10 Miroslav Grepl 2011-09-15 14:32:56 UTC
Added.

Comment 11 Jenny Galipeau 2011-09-15 14:39:27 UTC
Thanks!!

Comment 12 Rob Crittenden 2011-09-15 15:13:33 UTC
Jenny, those are from sssd but glad they are taken care of.

I've reproduced this. It is the strangest thing. A restorecon sets the proper
context but I'm not sure why it isn't getting set in the rpm post.

# ls -lZ /usr/sbin/ipa_kpasswd 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/ipa_kpasswd
# restorecon /usr/sbin/ipa_kpasswd 
# ls -lZ /usr/sbin/ipa_kpasswd 
-rwxr-xr-x. root root system_u:object_r:ipa_kpasswd_exec_t:s0 /usr/sbin/ipa_kpasswd

Comment 13 Rob Crittenden 2011-09-15 15:18:14 UTC
This is happening in Fedora 15 as well. I guess we missed it because we aren't seeing any AVCs as a result.

Dan, Karl MacMillan set up pre/post install scripts for our selinux modules many moons ago. Are these still valid?

%pre server-selinux
if [ -s /etc/selinux/config ]; then
       . %{_sysconfdir}/selinux/config
       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
       fi
fi

%post server-selinux
semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
       fixfiles -C ${FILE_CONTEXT}.%{name} restore
       rm -f ${FILE_CONTEXT}.%name
fi

Comment 14 Daniel Walsh 2011-09-15 15:26:58 UTC
Yes those look correct.

So the fixfiles is not working?

Comment 15 Rob Crittenden 2011-09-15 17:51:56 UTC
I think I figured out what is wrong.

Here I am installing the bits on F-15 from a git build:

# rpm -Uvh dist/rpms/*
Preparing...                ########################################### [100%]
   1:freeipa-python         ########################################### [ 20%]
   2:freeipa-client         ########################################### [ 40%]
   3:freeipa-admintools     ########################################### [ 60%]
   4:freeipa-server-selinux ########################################### [ 80%]
   5:freeipa-server         ########################################### [100%]

Our postinstall script makes a copy of file_contexts to know what to fix. If the selinux package is getting installed before the server package then anything defined in server isn't getting the right context.

We currently have this in the server subpackage:

Requires(post): %{name}-server-selinux = %{version}-%{release}

I removed this and added this in the server-selinux subpackage:

Requires(post): %{name}-server = %{version}-%{release}

That seems to have done the trick, freeipa-server-selinux installed last.

Not sure what changed that broke this, or when.
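
The install-ordering failure described in this comment, as an added model that is not part of the bug report or of the FreeIPA spec file. It assumes two simplifications: file_contexts matching is "last matching entry wins" (real policy prefers the most specific stem), and rpm labels new files from the file_contexts loaded at the start of the transaction, so a module inserted mid-transaction only takes effect through the fixfiles -C pass in %post, which can only relabel files that already exist.

```python
import re

# Constructed, simplified file_contexts entries (regex -> context); the ipa
# lines mirror the contexts sectool expected in the report.
BASE_SPECS = [
    (r"/usr/sbin/.*", "system_u:object_r:bin_t:s0"),
    (r"/var/cache/.*", "system_u:object_r:var_t:s0"),
]
IPA_SPECS = [  # what semodule -i ipa_kpasswd.pp / ipa_httpd.pp adds
    (r"/usr/sbin/ipa_kpasswd", "system_u:object_r:ipa_kpasswd_exec_t:s0"),
    (r"/var/cache/ipa/kpasswd(/.*)?", "system_u:object_r:ipa_kpasswd_ccache_t:s0"),
    (r"/var/cache/ipa/sessions(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]
IPA_FILES = ("/usr/sbin/ipa_kpasswd", "/var/cache/ipa/kpasswd", "/var/cache/ipa/sessions")


def match_context(specs, path):
    """Return the context for path; last matching entry wins (assumption)."""
    ctx = None
    for pattern, context in specs:
        if re.fullmatch(pattern, path):
            ctx = context
    return ctx


def fixfiles_c(old_specs, new_specs, fs):
    """Model of `fixfiles -C saved_copy restore`: relabel only files that are
    on disk and whose spec differs between the saved copy and the live one."""
    relabeled = 0
    for path in fs:
        new = match_context(new_specs, path)
        if new is not None and match_context(old_specs, path) != new and fs[path] != new:
            fs[path] = new
            relabeled += 1
    return relabeled


def install(order):
    """Simulate one rpm transaction installing the subpackages in `order`.
    Returns the resulting {path: context} map of the IPA files."""
    fs = {}
    tx_specs = list(BASE_SPECS)   # assumption: rpm reads file_contexts once, up front
    live_specs = list(BASE_SPECS)
    for pkg in order:
        if pkg == "server":       # payload is laid down with the transaction-start labels
            for path in IPA_FILES:
                fs[path] = match_context(tx_specs, path)
        elif pkg == "selinux":
            snapshot = list(live_specs)        # %pre: cp file_contexts file_contexts.ipa
            live_specs = live_specs + IPA_SPECS  # %post: semodule -s targeted -i ...
            fixfiles_c(snapshot, live_specs, fs)  # %post: fixfiles -C ... restore
    return fs
```

With ["selinux", "server"] the fixfiles pass runs on an empty set and /usr/sbin/ipa_kpasswd stays bin_t, the state seen in Comments 3 and 7; with ["server", "selinux"] it is relabeled to ipa_kpasswd_exec_t.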

Comment 16 Rob Crittenden 2011-09-16 20:52:08 UTC
Fixed upstream: 

master: 80a4db80bab167ef805056a44138d2449e0fc465

ipa-2-1: 5a778d4def66a338e574d4ca3825e3a247032f3a

Comment 20 Martin Kosek 2011-11-01 12:01:10 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 21 Gowrishankar Rajaiyan 2011-11-07 05:50:51 UTC
# yum install ipa-server
<snip>
  Installing : mod_wsgi-3.2-1.el6.x86_64                                       118/120 
  Installing : ipa-server-2.1.3-8.el6.x86_64                                   119/120 
  Installing : ipa-server-selinux-2.1.3-8.el6.x86_64                           120/120 
</snip>

[root@hp-dl580g5-01 ~]# ls -lZ /usr/sbin/ipa_kpasswd 
-rwxr-xr-x. root root system_u:object_r:ipa_kpasswd_exec_t:s0 /usr/sbin/ipa_kpasswd
[root@hp-dl580g5-01 ~]# 

No more ipa issues found in sectool scan.


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Tue 01 Nov 2011 05:51:27 PM EDT
Install Date: Mon 07 Nov 2011 12:21:33 AM EST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@hp-dl580g5-01 ~]#

Comment 22 errata-xmlrpc 2011-12-06 18:31:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

