796351 – AVC when dirsrv attempts to run prelink with NSS db in FIPS mode

Bug 796351 - AVC when dirsrv attempts to run prelink with NSS db in FIPS mode

Summary: AVC when dirsrv attempts to run prelink with NSS db in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	746017
Blocks:	796423
TreeView+	depends on / blocked

Reported:	2012-02-22 17:56 UTC by Rich Megginson
Modified:	2015-02-18 16:26 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.7.19-138.el6
Doc Type:	Bug Fix
Doc Text:	Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.
Clone Of:	746017
Environment:
Last Closed:	2012-06-20 12:31:36 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0780	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-06-19 20:34:59 UTC

Description Rich Megginson 2012-02-22 17:56:28 UTC

+++ This bug was initially created as a clone of Bug #746017 +++

Created attachment 528064 [details]
AVC and SYSCALL messages

If dirsrv uses
modutil -dbdir /etc/dirsrv/slapd-instname -fips true
to enable FIPS mode in the NSS key/cert db, we get AVC messages because NSS_Initialize attempts to use prelink.

--- Additional comment from nkinder on 2011-10-13 13:17:34 EDT ---

I believe that we just need to add the following to the dirsrv policy:

prelink_exec(dirsrv_t);

We will test this to see if anything else is required.

--- Additional comment from rmeggins on 2011-10-13 15:36:14 EDT ---

Created attachment 528089 [details]
after loading new policy

I did the following on F-15:
1) create a file dirsrv-prelink.te with the following contents:
policy_module(dirsrv-prelink,1.0.0)

require {
    type dirsrv_t;
}

prelink_exec(dirsrv_t);

2) make -f /usr/share/selinux/devel/Makefile
3) semodule -i dirsrv-prelink.pp

After restarting dirsrv, I got the attached AVCs

--- Additional comment from rmeggins on 2011-10-13 15:37:17 EDT ---

Created attachment 528094 [details]
after running restorecon /usr/sbin/ns-slapd

Then I ran restorecon /usr/sbin/ns-slapd, and I got the attached AVC

--- Additional comment from nkinder on 2011-10-13 18:36:50 EDT ---

(In reply to comment #2)
> Created attachment 528089 [details]
> after loading new policy
> 
> I did the following on F-15:
> 1) create a file dirsrv-prelink.te with the following contents:
> policy_module(dirsrv-prelink,1.0.0)
> 
> require {
>     type dirsrv_t;
> }
> 
> prelink_exec(dirsrv_t);
> 
> 2) make -f /usr/share/selinux/devel/Makefile
> 3) semodule -i dirsrv-prelink.pp
> 
> After restarting dirsrv, I got the attached AVCs

Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of 'prelink_exec(dirsrv_t)'.  This will make prelink run in it's own context instead of using the dirsrv_t context.  Could you try changing the policy module and testing with the prelink_domtrans macro?

--- Additional comment from rmeggins on 2011-10-13 18:52:12 EDT ---

(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 528089 [details]
> > after loading new policy
> > 
> > I did the following on F-15:
> > 1) create a file dirsrv-prelink.te with the following contents:
> > policy_module(dirsrv-prelink,1.0.0)
> > 
> > require {
> >     type dirsrv_t;
> > }
> > 
> > prelink_exec(dirsrv_t);
> > 
> > 2) make -f /usr/share/selinux/devel/Makefile
> > 3) semodule -i dirsrv-prelink.pp
> > 
> > After restarting dirsrv, I got the attached AVCs
> 
> Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of
> 'prelink_exec(dirsrv_t)'.  This will make prelink run in it's own context
> instead of using the dirsrv_t context.  Could you try changing the policy
> module and testing with the prelink_domtrans macro?

Yep, changing prelink_exec to prelink_domtrans in the above worked.  No messages, no AVCs, in Permissive and in Enforcing mode.

--- Additional comment from mgrepl on 2011-10-14 08:10:10 EDT ---

Well, this is not something what we want to allow by default.

Dan,
AFAIK we had the similar bug.

--- Additional comment from dwalsh on 2011-10-14 08:56:11 EDT ---

I would prefer not to transition to prelink and allow the relabel for the current domain.  prelink is a pretty powerfull domain, since it can read and write binaries.  If you could somehow fool prelink you could take a system over.  Allowing relabelto and relabelfrom types that you can read/write, I do not think is a problem.

--- Additional comment from mgrepl on 2011-10-21 05:47:13 EDT ---

Fixed in selinux-policy-3.9.16-44.fc15

Comment 1 Rich Megginson 2012-02-22 17:58:05 UTC

Due to the nss rebase to 3.13 in RHEL 6, this bug will now affect RHEL 6.2.z.  Therefore this issue MUST BE FIXED IN RHEL6.2.Z or 389-ds-base will break in FIPS mode.

The NSS rebase bug for 6.2.z - https://bugzilla.redhat.com/show_bug.cgi?id=744070

Comment 2 Elio Maldonado Batiz 2012-02-22 19:45:48 UTC

cloned for rhel-6.2.z as https://bugzilla.redhat.com/show_bug.cgi?id=744072
Wrapping up testing on the nss update.

Comment 4 Miroslav Grepl 2012-02-22 20:30:03 UTC

Fixed in selinux-policy-3.7.19-138.el6

Comment 6 Miroslav Svoboda 2012-02-24 14:28:19 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.

Comment 10 errata-xmlrpc 2012-06-20 12:31:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

Note You need to log in before you can comment on or make changes to this bug.