Bug 759679 - ipa_kpasswd does not work with selinux in enforcing mode
Summary: ipa_kpasswd does not work with selinux in enforcing mode
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 16
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-12-03 03:12 UTC by Evgeny Sinelnikov
Modified: 2012-01-11 16:01 UTC (History)
CC: 11 users

Fixed In Version: freeipa-2.1.3-8.fc16
Clone Of: 754072
Environment:
Last Closed: 2011-12-05 18:09:13 UTC
Type: ---
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
FedoraHosted FreeIPA 2160 0 None None None Never

Description Evgeny Sinelnikov 2011-12-03 03:12:32 UTC
+++ This bug was initially created as a clone of Bug #754072 +++

Description of problem:
Changing a password with kinit hangs if SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
freeipa-server-2.1.3-5.fc16.x86_64

How reproducible:
Always with all current updates applied

Steps to Reproduce:
1. Install a default Fedora installation with SELinux in enforcing mode (setenforce 1)
2. ipa-server-install
3. create new user and set password (ipa user-add; ipa passwd)
4. try to kinit with this user

$ kinit
Password for sin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again:
 
Actual results:
# ps aux|grep kinit
sin      30622 98.2  0.1  47368  2864 pts/3    R+   06:20  45:19 kinit

Logs:

 /var/log/messages:
Dec  3 06:21:11 portal kpasswd[30623]: Unable to bind to ldap server
Dec  3 06:21:11 portal kernel: [1449787.689587] ipa_kpasswd[30623] general protection ip:7f4f3e815c64 sp:7ffff124ce88 error:0 in libc-2.14.90.so[7f4f3e795000+1aa000]

 /var/log/audit/audit.log:
type=AVC msg=audit(1322878871.063:79452): avc:  denied  { read } for  pid=30623 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1048 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1322878871.063:79452): arch=c000003e syscall=2 success=no exit=-13 a0=7f4f3ed6ad06 a1=0 a2=0 a3=7ffff124d100 items=0 ppid=30591 pid=30623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)
type=AVC msg=audit(1322878871.092:79453): avc:  denied  { read } for  pid=30623 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1048 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1322878871.092:79453): arch=c000003e syscall=2 success=no exit=-13 a0=7f4f3ed6ad06 a1=0 a2=0 a3=7ffff124aa70 items=0 ppid=30591 pid=30623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)
type=AVC msg=audit(1322878871.281:79454): avc:  denied  { name_connect } for  pid=30623 comm="ipa_kpasswd" dest=389 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322878871.281:79454): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=13929e0 a2=10 a3=7ffff124c780 items=0 ppid=30591 pid=30623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1322878871.281:79455): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:ipa_kpasswd_t:s0 pid=30623 comm="ipa_kpasswd" sig=11

Expected results:
Password changed with ipa_kpasswd.

Additional info:

Looks like a bug with the AVC:
http://markmail.org/message/pr72uivxdcgrccec

Comment 1 Rob Crittenden 2011-12-03 05:26:33 UTC
A temporary workaround is:

/usr/sbin/setsebool authlogin_nsswitch_use_ldap on

We have our own SELinux policy for ipa_kpasswd, not sure if we need to allow it to read /dev/urandom ourselves or if this should be changed in selinux-policy.

Comment 2 Evgeny Sinelnikov 2011-12-03 06:10:55 UTC
Thanks, it really works.
But I have already created an updated SELinux policy:
http://git.etersoft.ru/people/sin/packages/?p=freeipa.git;a=commitdiff;h=04137ed07936430bd6d0f4084465ec21082903a0

Comment 3 Alexander Bokovoy 2011-12-03 06:25:25 UTC
There are a few more AVCs:
Dec  3 01:12:26 vm-047 systemd-logind[701]: New session 78 of user root.
Dec  3 01:12:30 vm-047 kernel: [212678.760809] type=1400 audit(1322892750.400:355): avc:  denied  { getattr } for  pid=2638 comm="krb5kdc" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:06 vm-047 kernel: [212715.067845] type=1400 audit(1322892786.708:356): avc:  denied  { getattr } for  pid=2698 comm="httpd" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:06 vm-047 kernel: [212715.067907] type=1400 audit(1322892786.708:357): avc:  denied  { read } for  pid=2698 comm="httpd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:06 vm-047 kernel: [212715.067936] type=1400 audit(1322892786.708:358): avc:  denied  { open } for  pid=2698 comm="httpd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:07 vm-047 kernel: [212715.359261] type=1400 audit(1322892786.999:359): avc:  denied  { read } for  pid=2579 comm="ns-slapd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:07 vm-047 kernel: [212715.359282] type=1400 audit(1322892786.999:360): avc:  denied  { getattr } for  pid=2579 comm="ns-slapd" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:07 vm-047 kernel: [212715.359734] type=1400 audit(1322892786.999:361): avc:  denied  { open } for  pid=2579 comm="ns-slapd" name="hosts" dev=dm-0 ino=973 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:46 vm-047 kernel: [212755.082544] type=1400 audit(1322892826.722:362): avc:  denied  { getattr } for  pid=17540 comm="ipa_kpasswd" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:46 vm-047 kernel: [212755.082633] type=1400 audit(1322892826.722:363): avc:  denied  { read } for  pid=17540 comm="ipa_kpasswd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:46 vm-047 kernel: [212755.082644] type=1400 audit(1322892826.722:364): avc:  denied  { open } for  pid=17540 comm="ipa_kpasswd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Dec  3 01:13:46 vm-047 kernel: [212755.083076] type=1400 audit(1322892826.723:365): avc:  denied  { read } for  pid=17540 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=4278 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Dec  3 01:13:46 vm-047 kernel: [212755.083088] type=1400 audit(1322892826.723:366): avc:  denied  { open } for  pid=17540 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=4278 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Dec  3 01:13:46 vm-047 kernel: [212755.083530] type=1400 audit(1322892826.723:367): avc:  denied  { getattr } for  pid=17540 comm="ipa_kpasswd" path="/dev/urandom" dev=devtmpfs ino=4278 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Dec  3 01:13:46 vm-047 kernel: [212755.235948] type=1400 audit(1322892826.875:368): avc:  denied  { name_connect } for  pid=17540 comm="ipa_kpasswd" dest=389 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Following rules are generated by audit2allow:
#============= dirsrv_t ==============
allow dirsrv_t file_t:file { read getattr open };

#============= httpd_t ==============
allow httpd_t file_t:file { read getattr open };

#============= ipa_kpasswd_t ==============
allow ipa_kpasswd_t file_t:file { read getattr open };
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind

allow ipa_kpasswd_t ldap_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, global_ssp

allow ipa_kpasswd_t urandom_device_t:chr_file { read getattr open };

#============= krb5kdc_t ==============
allow krb5kdc_t file_t:file getattr;


httpd_t wanted to read /etc/krb5.conf; this is generated by mod_auth_kerb. Same with ns-slapd.

All this is with selinux-policy-3.10.0-61.fc16.noarch

Comment 4 Alexander Bokovoy 2011-12-03 06:26:29 UTC
Evgeny, could you please add these rules as well and send patch to the list for review?

Comment 5 Evgeny Sinelnikov 2011-12-03 06:44:09 UTC
OK, but it will not be so quick (I must go now). And which list do you mean? freeipa-devel@, I think.

And some adjustments. Do you think we really need the urandom rule? I don't understand yet where it is needed.

Comment 6 Alexander Bokovoy 2011-12-03 07:22:44 UTC
freeipa-devel@, yes. People who can review the patch will be back on Monday. Once reviewed and accepted, Rob or I can respin the update.

urandom access seems to be a valid one for ipa_kpasswd, as libkrb5 provides krb5_c_random_os_entropy, which can access /dev/random or /dev/urandom. And it is called by krb5_init_context(), which is used by ipa_kpasswd.

Comment 7 Daniel Walsh 2011-12-03 16:16:08 UTC
file_t is a file that does not have an SELinux label, probably a file/dir created on a machine that was not running SELinux.

The best way to fix these is to run restorecon on the disk.

ipa_kpasswd access to /dev/urandom should be allowed.

Comment 8 Alexander Bokovoy 2011-12-03 16:30:00 UTC
Good catch. 

Before restorecon /etc/krb5.conf, it had context system_u:object_r:file_t:s0. After I ran restorecon, the context became system_u:object_r:krb5_conf_t:s0.

As the AVCs show access to /etc/krb5.conf, it means it was modified without restoring the security context. I'll check ipa-server-install/ipa-client-install to ensure we do restore the security context properly.
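The triage that Comments 3, 7 and 8 do by hand (run audit2allow, then notice that every file_t denial is a labeling problem to fix with restorecon rather than a rule to add) can be automated. The script below is an added example and is not code from this bug report or from the FreeIPA project. It parses AVC records in either the raw audit.log form or the kernel/syslog form, sets aside denials whose target type indicates an unlabeled or mislabeled object (the MISLABEL_TYPES set is this example's own assumption), and emits audit2allow-style rules only for the rest. The sample input is copied from Comment 3 above.

```python
"""Triage SELinux AVC denials: relabel mislabeled objects, allow the rest.

Added example, not code from the bug report or the FreeIPA project.
SAMPLE_AVCS is copied from Comment 3 of this report; MISLABEL_TYPES and the
triage rule itself are this example's own assumptions.
"""
import re
from collections import defaultdict

# One AVC denial record, in either raw audit.log or kernel/syslog form.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+pid=\d+\s+'
    r'comm="(?P<comm>[^"]+)"(?P<rest>.*?)'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Target types meaning "the object has no proper label" (Comment 7), not
# "the domain needs more access". Assumption: this small set covers the usual cases.
MISLABEL_TYPES = {"file_t", "unlabeled_t", "default_t"}

# Copied from Comment 3 above (kernel/syslog form); the first line is not an AVC.
SAMPLE_AVCS = [
    'Dec  3 01:12:26 vm-047 systemd-logind[701]: New session 78 of user root.',
    'Dec  3 01:12:30 vm-047 kernel: [212678.760809] type=1400 audit(1322892750.400:355): avc:  denied  { getattr } for  pid=2638 comm="krb5kdc" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:06 vm-047 kernel: [212715.067845] type=1400 audit(1322892786.708:356): avc:  denied  { getattr } for  pid=2698 comm="httpd" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:06 vm-047 kernel: [212715.067907] type=1400 audit(1322892786.708:357): avc:  denied  { read } for  pid=2698 comm="httpd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:06 vm-047 kernel: [212715.067936] type=1400 audit(1322892786.708:358): avc:  denied  { open } for  pid=2698 comm="httpd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:07 vm-047 kernel: [212715.359261] type=1400 audit(1322892786.999:359): avc:  denied  { read } for  pid=2579 comm="ns-slapd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:07 vm-047 kernel: [212715.359282] type=1400 audit(1322892786.999:360): avc:  denied  { getattr } for  pid=2579 comm="ns-slapd" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:07 vm-047 kernel: [212715.359734] type=1400 audit(1322892786.999:361): avc:  denied  { open } for  pid=2579 comm="ns-slapd" name="hosts" dev=dm-0 ino=973 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.082544] type=1400 audit(1322892826.722:362): avc:  denied  { getattr } for  pid=17540 comm="ipa_kpasswd" path="/etc/krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.082633] type=1400 audit(1322892826.722:363): avc:  denied  { read } for  pid=17540 comm="ipa_kpasswd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.082644] type=1400 audit(1322892826.722:364): avc:  denied  { open } for  pid=17540 comm="ipa_kpasswd" name="krb5.conf" dev=dm-0 ino=9992 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.083076] type=1400 audit(1322892826.723:365): avc:  denied  { read } for  pid=17540 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=4278 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.083088] type=1400 audit(1322892826.723:366): avc:  denied  { open } for  pid=17540 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=4278 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.083530] type=1400 audit(1322892826.723:367): avc:  denied  { getattr } for  pid=17540 comm="ipa_kpasswd" path="/dev/urandom" dev=devtmpfs ino=4278 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'Dec  3 01:13:46 vm-047 kernel: [212755.235948] type=1400 audit(1322892826.875:368): avc:  denied  { name_connect } for  pid=17540 comm="ipa_kpasswd" dest=389 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
]


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    # File denials carry path="..." (full path) or name="..." (basename only);
    # socket denials carry dest=<port>.
    obj = re.search(r'\b(?:path|name)="([^"]+)"', rest)
    dest = re.search(r'\bdest=(\d+)', rest)
    if obj:
        target = obj.group(1)
    elif dest:
        target = "tcp port " + dest.group(1)
    else:
        target = None
    return {
        "comm": m.group("comm"),
        "perms": frozenset(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],   # source domain type
        "ttype": m.group("tcontext").split(":")[2],   # target object type
        "tclass": m.group("tclass"),
        "target": target,
    }


def format_perms(perms):
    """Render a permission set the way audit2allow does: bare or braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def triage(lines):
    """Split denials into objects to relabel and allow rules to add.

    Returns (relabel, rules). relabel is the sorted list of names/paths whose
    target type is in MISLABEL_TYPES: fix those with restorecon, never with an
    allow rule, or the rule would grant access to every unlabeled file.
    rules is the audit2allow-style list for everything else, permissions
    merged per (source type, target type, class).
    """
    relabel = set()
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["ttype"] in MISLABEL_TYPES:
            if rec["target"]:
                relabel.add(rec["target"])
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = [
        f"allow {s} {t}:{c} {format_perms(p)};"
        for (s, t, c), p in sorted(needed.items())
    ]
    return sorted(relabel), rules


if __name__ == "__main__":
    relabel, rules = triage(SAMPLE_AVCS)
    print("# relabel instead of allowing (restorecon -v <path>); name= entries are basenames only:")
    for obj in relabel:
        print("#   " + obj)
    print("# policy rules actually needed:")
    for rule in rules:
        print(rule)
```

On the report's own denials this leaves exactly two rules, for urandom_device_t and ldap_port_t, both against ipa_kpasswd_t, which is what the final patch carried; the dirsrv_t, httpd_t and krb5kdc_t entries all drop out as relabel work on /etc/krb5.conf and /etc/hosts. Entries that only have a name= basename still need the full path looked up before running restorecon.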

Comment 9 Evgeny Sinelnikov 2011-12-05 00:35:03 UTC
So, I am preparing the original patch with urandom, but without file_t:file, for review.

Comment 10 Rob Crittenden 2011-12-05 18:09:13 UTC
Fixed upstream:

master 89d9ad428cf48a3aac55173ecf074e0a234a5ee5

Comment 11 Fedora Update System 2011-12-05 18:11:02 UTC
freeipa-2.1.3-8.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/freeipa-2.1.3-8.fc16

Comment 12 Fedora Update System 2011-12-06 18:38:03 UTC
freeipa-2.1.4-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/freeipa-2.1.4-1.fc16

Comment 13 Fedora Update System 2011-12-06 18:38:13 UTC
freeipa-2.1.4-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/freeipa-2.1.4-1.fc15

Comment 14 Fedora Update System 2011-12-11 19:28:39 UTC
freeipa-2.1.4-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/freeipa-2.1.4-2.fc16

Comment 15 Fedora Update System 2011-12-22 22:45:34 UTC
freeipa-2.1.4-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2012-01-11 16:01:43 UTC
freeipa-2.1.4-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/freeipa-2.1.4-3.fc15
