Bug 783592 - need SELinux policy for ipa_memcached service
Summary: need SELinux policy for ipa_memcached service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 784549 798492
Reported: 2012-01-20 23:33 UTC by Dmitri Pal
Modified: 2012-06-20 12:30 UTC (History)
CC List: 7 users

Fixed In Version: selinux-policy-3.7.19-137.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 784549 798492
Environment:
Last Closed: 2012-06-20 12:30:38 UTC
Target Upstream Version:
Embargoed:


Links
System ID: Red Hat Product Errata RHBA-2012:0780
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2012-06-19 20:34:59 UTC

Description Dmitri Pal 2012-01-20 23:33:05 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2298

We currently have to run in permissive mode with the new session stuff. At a minimum we need to allow memcached to create a UNIX socket file in /var/run/ipa_memcached. We get this AVC otherwise:

type=AVC msg=audit(1327101214.892:696): avc:  denied  { create } for  pid=17659 comm="memcached" name="ipa_memcached" scontext=system_u:system_r:memcached_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

We may have other SELinux denials to address as well, the development work has been done with SELinux in permissive mode.

Comment 1 Miroslav Grepl 2012-01-23 13:05:36 UTC
I added fixes to Fedora which will backport.

The better solution would be to have this socket in the /var/run/memcached directory.

Comment 4 Rob Crittenden 2012-01-25 13:17:31 UTC
In permissive mode I also see these AVCs (in addition to the reported create error).

type=AVC msg=audit(1327444951.719:40211): avc:  denied  { connectto } for  pid=26475 comm="httpd" path="/var/run/ipa_memcached/ipa_memcached" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1327445682.171:40216): avc:  denied  { getattr } for  pid=26664 comm="memcached" path="/var/run/ipa_memcached/ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1327445682.181:40218): avc:  denied  { unlink } for  pid=26664 comm="memcached" name="ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
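The four AVC records quoted in the description and in comment 4 are the raw material that audit2allow would turn into allow rules. The following Python script, added here as an example and not taken from the bug or from FreeIPA or selinux-policy, parses those records (embedded inline as constructed sample input, with one non-AVC line added to show it is skipped), merges them by source type, target type and object class the way audit2allow does, and then classifies each merged denial before anyone writes an allow rule: a target labelled with a broad type such as var_run_t points at a mislabeled object (the relabelling that comment 1 hints at), while a unix_stream_socket denial against an unconfined_t peer is, in my reading of the record, the signature of a server that was started from an interactive shell rather than its init script. The type list in GENERIC_TYPES and the classification names are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this bug, plus one
# non-AVC audit record to show that unrelated lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327101214.892:696): avc:  denied  { create } for  pid=17659 comm="memcached" name="ipa_memcached" scontext=system_u:system_r:memcached_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1327444951.719:40211): avc:  denied  { connectto } for  pid=26475 comm="httpd" path="/var/run/ipa_memcached/ipa_memcached" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1327445682.171:40216): avc:  denied  { getattr } for  pid=26664 comm="memcached" path="/var/run/ipa_memcached/ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1327445682.181:40218): avc:  denied  { unlink } for  pid=26664 comm="memcached" name="ipa_memcached" dev=tmpfs ino=4186808 scontext=system_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1327445682.181:40218): arch=c000003e syscall=87 success=yes exit=0 comm="memcached"
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Broad labels that usually mean the object itself is mislabeled (example's own
# list).  Granting a domain access to these opens far more than the one file.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return source type, target type, class and permissions of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def summarize(log_text):
    """Merge denials into (stype, ttype, tclass) -> permissions, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def classify(stype, ttype, tclass):
    """Suggest the kind of fix a denial calls for before writing an allow rule."""
    if ttype in GENERIC_TYPES:
        return "relabel"          # give the object its own type (file context)
    if ttype == "unconfined_t" and tclass == "unix_stream_socket":
        return "unconfined-peer"  # the server ran unconfined, e.g. from a shell
    return "policy"               # a genuine gap: rule, interface or boolean


def render(rules):
    """Produce audit2allow-style rule lines paired with their classification."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        rule = "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))
        out.append((rule, classify(stype, ttype, tclass)))
    return out


if __name__ == "__main__":
    for rule, kind in render(summarize(SAMPLE_AUDIT_LOG)):
        print("%-16s %s" % (kind, rule))
```

Run against the bug's own records, the memcached_t denials collapse into a single sock_file rule against var_run_t and are flagged for relabelling rather than for an allow rule, which is exactly why the eventual fix introduced a dedicated label for the directory instead of widening memcached_t's access to everything under /var/run.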

Comment 5 Miroslav Grepl 2012-01-25 15:02:00 UTC
what does 

# rpm -qf /var/run/ipa_memcached

Comment 6 Rob Crittenden 2012-01-25 16:35:44 UTC
It is provided by our freeipa-server package (upstream only)

Comment 7 Rob Crittenden 2012-01-25 16:36:45 UTC
I should add that we haven't committed this upstream yet, the patch is still under review, but the SELinux issues are unrelated to acceptance.

Comment 8 Miroslav Grepl 2012-01-25 16:45:59 UTC
Rob,
could you try to test the latest selinux-policy from brew?

Comment 9 Daniel Walsh 2012-01-25 20:59:53 UTC
Is there a reason for using this directory rather than /var/run/memcached?

Comment 10 John Dennis 2012-01-25 23:09:24 UTC
re comment #9, Yes, there is a reason we use a different directory. We do not want to share the memcached instance with the system default. Our ipa_memcached instance contains sensitive (authentication) information in it. We want to be able to lock down this instance so that only IPA can access it.

We have two avenues for locking down our exclusive instance.

1) standard UNIX permissions on the memcached UNIX socket. During our initial testing that is the apache user because our server processes run as the apache user. We currently do not have an ipa system user id, but we are contemplating adding that and running our processes as that user.

2) Anything SELinux policy can do to further protect this instance.

Note, the /var/run/ipa_memcached directory is currently being used to store 3 types of files

1) The memcached UNIX socket.

2) The memcached pid file

3) Kerberos ccache files associated with sessions stored in the memcached instance.
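Comment 10 lists two avenues for locking down the dedicated memcached instance. The first, plain UNIX permissions, is illustrated by the following Python script, added here as an example; it is not part of this bug and not FreeIPA's or memcached's code. It builds the three kinds of object the comment describes (a runtime directory, a UNIX stream socket and a ccache-like file) under a temporary directory with constructed names, binds the socket under a restrictive umask, creates the file with mode 0600, and then reports the group/other permission bits of each object, together with a small audit function that lists anything in such a directory that grants access beyond the owner. The directory and file names are the example's own, modelled on the paths quoted in the bug.

```python
import os
import socket
import stat
import tempfile

# Assumed layout, modelled on the paths in this bug but created under a
# temporary directory so the script runs as an unprivileged user.
DIR_NAME = "ipa_memcached"
SOCKET_NAME = "ipa_memcached"


def create_private_dir(base):
    """Create the runtime directory so that only its owner can enter it."""
    path = os.path.join(base, DIR_NAME)
    os.mkdir(path, 0o700)
    os.chmod(path, 0o700)  # mkdir's mode is filtered by umask; make it explicit
    return path


def bind_private_socket(directory, name=SOCKET_NAME):
    """Bind a UNIX stream socket whose inode is 0600.

    Linux checks write permission on the socket file at connect() time, so
    stripping the group/other bits limits clients to the socket's owner.
    """
    sock_path = os.path.join(directory, name)
    old_umask = os.umask(0o177)  # bind() creates the inode as 0777 & ~umask
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv, sock_path


def write_private_file(directory, name, data):
    """Create a file (e.g. a session ccache) readable and writable by the owner only."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # not subject to umask, unlike the O_CREAT mode
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def exposed_bits(path):
    """Group/other permission bits of path; 0 means nobody but the owner."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o077


def audit_private_dir(directory):
    """List entries (the directory itself included) that grant any group/other access."""
    findings = []
    entries = [directory] + [os.path.join(directory, e) for e in os.listdir(directory)]
    for path in entries:
        bits = exposed_bits(path)
        if bits:
            findings.append((path, oct(bits)))
    return findings


def demo():
    """Build the layout in a temp dir and return the exposed bits of each object."""
    with tempfile.TemporaryDirectory() as tmp:
        d = create_private_dir(tmp)
        srv, sock_path = bind_private_socket(d)
        ccache = write_private_file(d, "krbcc_constructed", b"constructed ccache contents")
        result = {
            "dir": exposed_bits(d),
            "socket": exposed_bits(sock_path),
            "ccache": exposed_bits(ccache),
            "findings": audit_private_dir(d),
        }
        srv.close()
        return result


if __name__ == "__main__":
    print(demo())
```

The 0700 directory is what actually matters for the ccache files: a client that cannot traverse the directory cannot reach the socket or the ccaches regardless of their own modes, so the per-file bits are a second layer rather than the only one. SELinux, the second avenue in comment 10, is what the rest of this bug is about and is independent of these bits.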

Comment 11 Daniel Walsh 2012-01-26 22:23:56 UTC
Well, the best thing to do from an SELinux point of view would be to run the ipa_memcached with a different context than the system memcached, or state that you should not run a memcached on a system running IPA.

But I guess you are going to be wanting to run multiple httpd servers also?  John, it might be better that we discuss this outside a bugzilla...

Comment 12 John Dennis 2012-02-14 20:34:23 UTC
When Dan and I last spoke a couple of weeks ago he said he was going to add any necessary policy to allow Apache to create/read/write files in the /var/run/ipa_memcached directory as well as allowing the socket creation. Then these policy changes were also going to be added into all current Fedora releases as well as RHEL6.

We haven't heard anything since then and we were wondering what the status of the policy updates is? When might we see them?

Comment 13 Daniel Walsh 2012-02-14 20:38:39 UTC
They have gone into rawhide, although it does not look like they have been backported yet. Miroslav?

Comment 14 Miroslav Grepl 2012-02-15 13:17:45 UTC
It was backported

--

optional_policy(`
    memcached_stream_connect(httpd_t)

+    tunable_policy(`httpd_manage_ipa',`
+        memcached_manage_pid_files(httpd_t)
+        ')
')
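Review bot: the new `memcached_manage_pid_files(httpd_t)` call only takes effect while the `httpd_manage_ipa` tunable is on, and neither the snippet nor the comment says so or states the boolean's default; as comments 18, 22 and 25 later show, the build containing this change still produced the `memcached_var_run_t:dir write` denial until the boolean was enabled, so please document the boolean next to the rule (and note whether the IPA installer is expected to turn it on, e.g. with `setsebool -P httpd_manage_ipa on`). Minor style point: the closing `')` of the `tunable_policy` block is indented under its body; aligning it with `tunable_policy(` would match the enclosing `optional_policy(` block.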

--

but I need to do a new build.

Comment 15 Miroslav Grepl 2012-02-15 15:21:30 UTC
I am going to do a new build today.

Comment 16 Miroslav Grepl 2012-02-16 09:33:40 UTC
Fixed in selinux-policy-3.7.19-137.el6

Comment 18 John Dennis 2012-02-23 13:55:28 UTC
This is still not working in selinux-policy-3.7.19-137.el6, the apache process cannot create/write/read a file in /var/run/ipa_memcached. We get this AVC:

type=AVC msg=audit(1330004551.948:144): avc:  denied  { write } for  pid=1574 comm="httpd" name="ipa_memcached" dev=dm-1 ino=14939 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir

This occurs when we execute this python code:

dst = open(session_krbccache_pathname, 'w')
IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_069d9d7d6213'

Comment 19 Miroslav Grepl 2012-02-23 13:59:16 UTC
Is the httpd_manage_ipa boolean enabled?

Comment 21 Miroslav Grepl 2012-02-23 14:06:16 UTC
I have found a bug in an interface.

Comment 22 John Dennis 2012-02-23 14:30:22 UTC
No, the httpd_manage_ipa boolean had not been set; after enabling it things appear to be working. Thank you.

Comment 23 Miroslav Grepl 2012-02-23 14:39:54 UTC
Great.

Comment 25 Jenny Severance 2012-03-06 14:18:16 UTC
Still getting AVCs

versions:
ipa-server-2.2.0-2.el6.x86_64
selinux-policy-3.7.19-138.el6.noarch
pki-selinux-9.0.3-21.el6.noarch
ipa-server-selinux-2.2.0-2.el6.x86_64
selinux-policy-targeted-3.7.19-138.el6.noarch


AUDIT LOG ::

# cat /var/log/audit/audit.log | audit2allow


#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_manage_ipa'

allow httpd_t memcached_var_run_t:dir write;


HTTPD LOG :: 

[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220] mod_wsgi (pid=1558): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220] Traceback (most recent call last):
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     return api.Backend.session(environ, start_response)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 148, in __call__
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     return self.route(environ, start_response)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 160, in route
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     return app(environ, start_response)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 521, in __call__
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     krbccache_pathname = store_krbccache_file(ccache_data)
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1080, in store_krbccache_file
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220]     dst = open(krbccache_pathname, 'w')
[Tue Mar 06 09:09:36 2012] [error] [client 10.16.187.220] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_1558'
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220] mod_wsgi (pid=1557): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220] Traceback (most recent call last):
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     return api.Backend.session(environ, start_response)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 148, in __call__
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     return self.route(environ, start_response)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 160, in route
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     return app(environ, start_response)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 521, in __call__
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     krbccache_pathname = store_krbccache_file(ccache_data)
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1080, in store_krbccache_file
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220]     dst = open(krbccache_pathname, 'w')
[Tue Mar 06 09:09:38 2012] [error] [client 10.16.187.220] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_1557'

Comment 26 John Dennis 2012-03-06 15:09:09 UTC
re comment #25, I believe the problem is not with the policy but rather with the fact we haven't enabled the SELinux boolean. I thought there was a ticket open to enable the boolean but a very quick check does not show it.

Comment 27 Miroslav Grepl 2012-03-07 07:02:18 UTC
Yes, audit2allow also says


#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_manage_ipa'

allow httpd_t memcached_var_run_t:dir write;

Comment 29 errata-xmlrpc 2012-06-20 12:30:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
