Bug 739708 - pki-selinux lacks rules in F16
Summary: pki-selinux lacks rules in F16
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-selinux
Version: 16
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 699785
 
Reported: 2011-09-19 20:09 UTC by Alexander Bokovoy
Modified: 2013-02-14 02:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-14 02:48:38 UTC
Type: ---
Embargoed:


Attachments
patch to fix (909 bytes, patch)
2011-09-26 15:38 UTC, Ade Lee
mharmsen: review+

Description Alexander Bokovoy 2011-09-19 20:09:41 UTC
Description of problem:
When trying to run pkicreate and pkisilent in SELinux enforcing mode, absence of following rules is causing AVC denials.

# ===========================================================
require {
        type pki_ca_t;
        type unreserved_port_t;
        class tcp_socket name_connect;
}

#============= pki_ca_t ==============
allow pki_ca_t unreserved_port_t:tcp_socket name_connect;
corenet_tcp_connect_ldap_port(pki_ca_t)
dev_read_sysfs(pki_ca_t)
# ===========================================================

Comment 1 Alexander Bokovoy 2011-09-19 20:10:33 UTC
Assigning to Ade per request.

Comment 2 Ade Lee 2011-09-26 15:38:15 UTC
Created attachment 524930 [details]
patch to fix

This patch adds two of the three rules.  

The remaining one:
allow pki_ca_t unreserved_port_t:tcp_socket name_connect;

is still under investigation.  I have no idea why tomcat would be trying to connect to an ephemeral port (and I have not been able to reproduce on my system).  As far as I can tell, this happens on startup on Alexander's system -- but it does not affect the startup of the server.

Comment 3 Ade Lee 2011-09-27 18:08:21 UTC
vakwetu@goofy-vm10 selinux]$ svn ci -m "Resolves #739708 - pki-selinux lacks rules in F16" 
Sending        selinux/src/pki.if
Sending        selinux/src/pki.te
Transmitting file data ..
Committed revision 2228.

Comment 4 Scott Poore 2012-01-04 02:19:45 UTC
Any update on looking into the unreserved_port_t one?   

I'm still seeing this with this version:

pki-selinux-9.0.16-1.fc16.noarch

This is how I tested (after seeing this error on an IPA server install):

# mkdir /etc/pki-avc-denial-test
# mkdir /var/log/pki-avc-denial-test
# pkicreate -pki_instance_root /var/lib \
> -pki_instance_name pki-avc-denial-test \
> -subsystem_type ca \
> -agent_secure_port 9443 \
> -ee_secure_port 9444 \
> -admin_secure_port 9445 \
> -ee_secure_client_auth_port 9446 \
> -unsecure_port 9180 \
> -tomcat_server_port 9701 \
> -redirect conf=/etc/pki-avc-denial-test \
> -redirect logs=/var/log/pki-avc-denial-test \
> -enable_proxy

This is what I saw from ausearch:

# /usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/03/2012 21:14
----
time->Tue Jan  3 21:14:41 2012
type=SYSCALL msg=audit(1325643281.445:390): arch=c000003e syscall=42 success=no exit=-13 a0=29 a1=7f94fcd3c680 a2=1c a3=7f94fcd3c410 items=0 ppid=1 pid=20400 auid=4294967295 uid=997 gid=993 euid=997 suid=997 fsuid=997 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1325643281.445:390): avc:  denied  { name_connect } for  pid=20400 comm="java" dest=59912 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Thanks,
Scott

Comment 5 Alexander Murashkin 2012-03-13 08:48:38 UTC
I think I have a similar problem when trying to start FreeIPA. It seems that pki-ca tries to send an LDAP request to some ephemeral port.

pki-ca-9.0.17-1.fc16.noarch
pki-selinux-9.0.17-1.fc16.noarch
freeipa-server-2.1.4-5.fc16.x86_64
freeipa-client-2.1.4-5.fc16.x86_64
freeipa-python-2.1.4-5.fc16.x86_64
freeipa-server-selinux-2.1.4-5.fc16.x86_64
freeipa-admintools-2.1.4-5.fc16.x86_64


------- audit2allow produces the following --------------

module freeipa_local 1.0;

require {
        type ephemeral_port_t;
        type pki_ca_t;
        class tcp_socket name_connect;
}

#============= pki_ca_t ==============
allow pki_ca_t ephemeral_port_t:tcp_socket name_connect;

-------------------- Here is sealert output --------------------

# sealert -l d3154919-f39c-4327-be50-01c29982f6ef
SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that java should be allowed name_connect access on the  <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:pki_ca_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                 [ None ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
                              /bin/java
Port                          56744
Host                          tiger.castle.aimk.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-65.1.11.1.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tiger.castle.aimk.com
Platform                      Linux tiger.castle.aimk.com 3.2.7-1.fc16.x86_64
                              #1 SMP Tue Feb 21 01:40:47 UTC 2012 x86_64 x86_64
Alert Count                   8
First Seen                    Tue 13 Mar 2012 02:14:03 AM CDT
Last Seen                     Tue 13 Mar 2012 03:40:32 AM CDT
Local ID                      d3154919-f39c-4327-be50-01c29982f6ef

Raw Audit Messages
type=AVC msg=audit(1331628032.187:735): avc:  denied  { name_connect } for  pid=12699 comm="java" dest=56744 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
node=raptor.castle.aimk.com type=SYSCALL msg=audit(1331628032.187:735): arch=c000003e syscall=42 success=no exit=-13 a0=29 a1=7f9310ef4680 a2=1c a3=7f9310ef4410 items=0 ppid=1 pid=12699 auid=4294967295 uid=484 gid=304 euid=484 suid=484 fsuid=484 egid=304 sgid=304 fsgid=304 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)


Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect

audit2allow


audit2allow -R


The failed java process was probably started by the following one

pkiuser   7989     1  0 02:14 ?        00:00:01 /usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat6/temp -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

--- related records from /var/log/pki-ca/catalina.out ---

INFO: Starting Servlet Engine: Apache Tomcat/6.0.32
Mar 13, 2012 3:20:34 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
CMS Warning: FAILURE: Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|FAILURE: Null response control|FAILURE: Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|FAILURE: Null response control|FAILURE: Operation Error - netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|FAILURE: Null response control|FAILURE: CRLIssuingPoint MasterCRL - Cannot create or store the first CRL in the internaldb. The internaldb could be down. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca|
Server is started.

-- related records from /var/log/pki-ca/debug ---

[13/Mar/2012:03:20:35][CertStatusUpdateThread]: returnConn: mNumConns now 1
[13/Mar/2012:03:20:35][CertStatusUpdateThread]: returnConn: mNumConns now 2
[13/Mar/2012:03:20:35][main]: RequestRepository:  getPublishingStatus:  Error: Record not found
java.lang.Exception: Debug
        at com.netscape.cmscore.util.Debug.printStackTrace(Debug.java:227)
        at com.netscape.cmscore.apps.CMSEngine.debugStackTrace(CMSEngine.java:1194)
        at com.netscape.certsrv.apps.CMS.debugStackTrace(CMS.java:394)
        at com.netscape.cmscore.request.RequestRepository.getPublishingStatus(RequestRepository.java:162)
        at com.netscape.cmscore.request.RequestQueue.getPublishingStatus(RequestQueue.java:606)
        at com.netscape.certsrv.request.ARequestNotifier.setPublishingQueue(ARequestNotifier.java:93)
        at com.netscape.cmscore.ldap.PublisherProcessor.startup(PublisherProcessor.java:427)
        at com.netscape.cmscore.ldap.PublisherProcessor.init(PublisherProcessor.java:355)
        at com.netscape.ca.CertificateAuthority.initPublish(CertificateAuthority.java:1412)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:328)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:859)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:788)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:312)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4420)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4733)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1079)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1002)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:506)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1315)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
        at org.apache.catalina.core.StandardService.start(StandardService.java:525)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[13/Mar/2012:03:20:35][CertStatusUpdateThread]: getEntries: exception netscape.ldap.LDAPException: error result (32); matchedDN = o=ipaca
[13/Mar/2012:03:20:35][main]: returnConn: mNumConns now 3
[13/Mar/2012:03:20:35][main]: RequestRepository:  obj is NOT instanceof RepositoryRecord
[13/Mar/2012:03:20:35][main]: RequestRepository:  getPublishingStatus  mBaseDN: ou=ca,ou=requests,o=ipaca  status: null
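The denials in comments 4 and 5 are the kind of input that audit2allow turns into the `allow pki_ca_t ephemeral_port_t:tcp_socket name_connect;` fragment shown above, and the reason Ade left that rule out of the patch is that a rule against a generic port type (ephemeral_port_t, unreserved_port_t) grants the CA connect access to a whole port range rather than to one service, unlike the port-specific `corenet_tcp_connect_ldap_port(pki_ca_t)` interface from the description. The script below is an added example, not from this bug report or the pki-selinux package: it parses raw AVC records, merges them into an audit2allow-style fragment, and separately lists the rules whose target is a generic port type so a reviewer sees them before installing a local module. The sample records are constructed from the two denial lines quoted in this bug, and the BROAD_PORT_TYPES set is an assumption of this example, not something the page or audit2allow defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in comments 4 and 5 of the
# bug, plus one SYSCALL record, embedded here so the script runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1325643281.445:390): avc:  denied  { name_connect } for  pid=20400 comm="java" dest=59912 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1331628032.187:735): avc:  denied  { name_connect } for  pid=12699 comm="java" dest=56744 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1331628032.187:735): arch=c000003e syscall=42 success=no exit=-13 comm="java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
"""

# Assumption of this example: port types that cover a range of ports rather
# than one service. An allow rule against any of these is broader than a
# port-specific interface such as corenet_tcp_connect_ldap_port().
BROAD_PORT_TYPES = {"ephemeral_port_t", "unreserved_port_t", "port_t"}

# Matches the permission set, source/target contexts and class of one AVC
# record; SYSCALL and other record types do not match and are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of an SELinux context user:role:type[:level]."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return a list of (source_type, target_type, tclass, permission) tuples."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            denials.append((type_of(m.group("scontext")),
                            type_of(m.group("tcontext")),
                            m.group("tclass"), perm))
    return denials


def fmt_perms(perms):
    """Format a permission set the way audit2allow prints it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_policy_fragment(denials):
    """Merge denials into a require block and allow rules (audit2allow style)."""
    rules = defaultdict(set)      # (src, tgt, class) -> permissions
    classes = defaultdict(set)    # class -> permissions, for the require block
    types = set()
    for src, tgt, tclass, perm in denials:
        rules[(src, tgt, tclass)].add(perm)
        classes[tclass].add(perm)
        types.update((src, tgt))
    lines = ["require {"]
    lines += ["        type %s;" % t for t in sorted(types)]
    lines += ["        class %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    lines.append("}")
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s %s;" % (src, tgt, tclass, fmt_perms(perms)))
    return "\n".join(lines)


def broad_rules(denials):
    """Denials whose target is a generic port type; these need a closer look
    (a narrower port type or interface) before being turned into policy."""
    return sorted({d for d in denials if d[1] in BROAD_PORT_TYPES})


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(build_policy_fragment(denials))
    for src, tgt, tclass, perm in broad_rules(denials):
        print("\n# REVIEW: %s -> %s:%s %s targets a generic port type;"
              " prefer a port-specific interface if the destination is known."
              % (src, tgt, tclass, perm))
```

Run it as `python3 avc_triage.py`, or feed real records with `ausearch -m AVC --raw` redirected into a file and passed to `parse_avc_denials()`. The fragment it prints for the sample input is exactly the one in comment 5, and the review line it adds is the reason that rule stayed out of the committed patch.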

Comment 6 Fedora End Of Life 2013-01-17 01:31:15 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Fedora End Of Life 2013-02-14 02:48:42 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

