Bug 851318 - RHEL5 ipa-client-install creates krb5.conf with incorrect selinux context
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipa-client
Version: 5.9
Assigned To: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2012-08-23 14:58 EDT by Scott Poore
Modified: 2013-10-08 02:35 EDT

Doc Type: Known Issue
Doc Text:
In some situations the krb5.conf file carries an incorrect SELinux context: when krb5.conf was not created by default, or when the IPA client is installed, uninstalled, or reinstalled. AVC denials can therefore occur in these scenarios.
Last Closed: 2013-10-08 02:35:39 EDT
Type: Bug


Description Scott Poore 2012-08-23 14:58:02 EDT
Description of problem:

AVC denials seen for sssd reading/writing krb5.conf.  Troubleshooting this, I found that the root cause was that ipa-client-install isn't specifically restoring the SELinux context if it creates /etc/krb5.conf from scratch.


Version-Release number of selected component (if applicable):
ipa-client-2.1.3-4.el5

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. yum -y install ipa-client
3. rm /etc/krb5.conf
4. ipa-client-install -s --domain=$DOMAIN --realm=$REALM -p $ADMINID -w $ADMINPW -U --server=$MASTER
5. ausearch -m avc
6. ls -lZ /etc/krb5.conf

Actual results:

5. Will see AVC denials for krb5.conf:

time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 a0=12a59bc0 a1=2 a2=2b4e67b81ba0 a3=0 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.804:161): arch=c000003e syscall=21 success=no exit=-13 a0=1c60c3f0 a1=2 a2=0 a3=0 items=0 ppid=26628 pid=26640 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldap_child" exe="/usr/libexec/sssd/ldap_child" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.841:162): arch=c000003e syscall=21 success=no exit=-13 a0=136753d0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.841:162): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.842:163): arch=c000003e syscall=21 success=no exit=-13 a0=136753b0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.842:163): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

6. Will see etc_t instead of the proper krb5_conf_t for krb5.conf:

-rw-r--r--  root root root:object_r:etc_t              /etc/krb5.conf

Expected results:

creates /etc/krb5.conf with expected context:

[root@vm6 ipa-nis-integration]# restorecon /etc/krb5.conf
[root@vm6 ipa-nis-integration]# ls -lZ /etc/krb5.conf
-rw-r--r--  root root system_u:object_r:krb5_conf_t    /etc/krb5.conf


Additional info:
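The two halves of the reporter's diagnosis, as an added example that is not code from the bug report or from ipa-client: first, a filter that pulls file denials whose target carries the catch-all etc_t label out of `ausearch -m avc` output (the symptom shown above); second, the step the reporter says the installer is missing, namely running restorecon on a config file after creating it from scratch. The first two audit records are copied from the report; the third is a constructed negative control. `matchpathcon` and `restorecon` are the real policycoreutils tools and the script skips them where they are not installed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from ipa-client.
#   1. pull file denials whose target is labelled with the generic etc_t out
#      of `ausearch -m avc` output (the symptom in the report), and
#   2. when a tool writes a config file from scratch, restorecon it so the
#      file gets the label the loaded policy defines (the missing step).

# Sample audit records: the first two are copied from the report above, the
# third is a constructed negative control that must not be flagged.
SAMPLE_AVC='type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687335.900:162): avc:  denied  { read } for  pid=4242 comm="example" name="passwd" dev=dm-0 ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file'

# Read audit records on stdin; print "<name> <target type> <comm>" for every
# AVC record that denies access to a file labelled with the catch-all etc_t.
# A domain such as sssd_t is allowed its own config type (krb5_conf_t for
# /etc/krb5.conf), so a denial against etc_t points at a mislabelled file
# rather than at a policy gap.
mislabelled_from_avc() {
    awk '
    /^type=AVC/ && /tclass=file/ {
        name = ""; tctx = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name")          name = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "comm")     comm = kv[2]
        }
        gsub(/"/, "", name); gsub(/"/, "", comm)
        split(tctx, ctx, ":")          # user:role:type:level
        if (ctx[3] == "etc_t") print name, ctx[3], comm
    }'
}

# Type the loaded policy assigns to a path (krb5_conf_t for /etc/krb5.conf).
# Returns 1 when matchpathcon (policycoreutils) is not installed.
expected_type() {
    command -v matchpathcon >/dev/null 2>&1 || return 1
    matchpathcon -n "$1" | awk -F: '{ print $3 }'
}

# Write stdin to $1 via a temp file in the same directory, then relabel.
# A file created by a root shell or an installer inherits its label from the
# parent directory (etc_t under /etc), not the one file_contexts defines;
# restorecon applies the latter. Skipped when restorecon is not installed.
write_conf_labelled() {
    path=$1
    tmp=$(mktemp "${path}.XXXXXX") || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"
    mv -f "$tmp" "$path" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$path"
    fi
}

# Dry-run check: restorecon -nv prints a line for each path it would relabel,
# so empty output means the label already matches policy. Without restorecon
# there is nothing to check, so the function reports success.
label_matches_policy() {
    command -v restorecon >/dev/null 2>&1 || return 0
    [ -z "$(restorecon -nv "$1" 2>/dev/null)" ]
}

# Usage against the embedded sample (feed `ausearch -m avc` on a live host):
printf '%s\n' "$SAMPLE_AVC" | mislabelled_from_avc
```

On an affected RHEL 5 client the filter prints `krb5.conf etc_t sssd_be` and `krb5.conf etc_t ldap_child`; `expected_type /etc/krb5.conf` then returns `krb5_conf_t`, confirming that the fix is a relabel (`restorecon /etc/krb5.conf`, as in the expected results above) and not a policy change.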
Comment 1 Dmitri Pal 2012-08-30 00:53:25 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3044
Comment 2 RHEL Product and Program Management 2012-08-30 16:47:04 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 RHEL Product and Program Management 2012-10-30 02:11:33 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 6 Martin Kosek 2013-10-07 06:26:46 EDT
Closing upstream ticket, this is not a problem in upstream FreeIPA.
Comment 8 Martin Kosek 2013-10-08 02:35:39 EDT
I am closing the ticket, it is a known issue of RHEL-5.x and was documented as such.
