Bug 851318 - RHEL5 ipa-client-install creates krb5.conf with incorrect selinux context
Summary: RHEL5 ipa-client-install creates krb5.conf with incorrect selinux context
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipa-client
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-08-23 18:58 UTC by Scott Poore
Modified: 2013-10-08 06:35 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
In some cases the krb5.conf file has an incorrect SELinux context, namely when krb5.conf did not exist beforehand and had to be created, or when the IPA client is installed, uninstalled, or reinstalled. AVC denials can therefore occur in these scenarios.
Clone Of:
Environment:
Last Closed: 2013-10-08 06:35:39 UTC
Target Upstream Version:
Embargoed:



Description Scott Poore 2012-08-23 18:58:02 UTC
Description of problem:

AVC denials seen for sssd reading/writing krb5.conf. Troubleshooting this, I found that the root cause was that ipa-client-install isn't specifically restoring the SELinux context if it creates /etc/krb5.conf from scratch.


Version-Release number of selected component (if applicable):
ipa-client-2.1.3-4.el5

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. yum -y install ipa-client
3. rm /etc/krb5.conf
4. ipa-client-install -s --domain=$DOMAIN --realm=$RELM -p $ADMINID -w $ADMINPW -U --server=$MASTER
5. ausearch -m avc 
6. ls -lZ /etc/krb5.conf

Actual results:

5. Will see AVC denials for krb5.conf:

time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 a0=12a59bc0 a1=2 a2=2b4e67b81ba0 a3=0 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.804:161): arch=c000003e syscall=21 success=no exit=-13 a0=1c60c3f0 a1=2 a2=0 a3=0 items=0 ppid=26628 pid=26640 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldap_child" exe="/usr/libexec/sssd/ldap_child" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.841:162): arch=c000003e syscall=21 success=no exit=-13 a0=136753d0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.841:162): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 22 22:02:15 2012
type=SYSCALL msg=audit(1345687335.842:163): arch=c000003e syscall=21 success=no exit=-13 a0=136753b0 a1=2 a2=2b4e67b81ba0 a3=65726373662f7274 items=0 ppid=26625 pid=26628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.842:163): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

6. Will see etc_t instead of the proper krb5_conf_t for krb5.conf:

-rw-r--r--  root root root:object_r:etc_t              /etc/krb5.conf

Expected results:

creates /etc/krb5.conf with expected context:

[root@vm6 ipa-nis-integration]# restorecon /etc/krb5.conf
[root@vm6 ipa-nis-integration]# ls -lZ /etc/krb5.conf
-rw-r--r--  root root system_u:object_r:krb5_conf_t    /etc/krb5.conf


Additional info:

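The check behind steps 5 and 6, as an added example that is not part of the bug report or of ipa-client: a POSIX shell script that pulls the target SELinux type out of AVC denial records for a named file and flags a mismatch against the type the policy expects, so a denial caused by a mislabelled file can be told apart from a genuine policy block. The audit records embedded below are constructed from the ones in the report, and relabel_if_wrong is an assumed helper for a labelled host with ls -Z and restorecon available.

```shell
# Added example (not from the bug report or ipa-client): detect a mislabelled
# target file from AVC denials and compare it with the type policy expects.
# Sample records are constructed from the ones in the report, not live output.
AVC_SAMPLE='type=AVC msg=audit(1345687335.209:160): avc:  denied  { write } for  pid=26628 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1345687335.209:160): arch=c000003e syscall=21 success=no exit=-13 comm="sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1345687335.804:161): avc:  denied  { write } for  pid=26640 comm="ldap_child" name="krb5.conf" dev=dm-0 ino=4949267 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1345687400.100:170): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev=dm-0 ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_target_types NAME: read audit records on stdin and print, one per line,
# the distinct SELinux types carried by tcontext= in AVC denials on file NAME.
avc_target_types() {
  grep 'type=AVC' | grep -F "name=\"$1\"" \
    | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# avc_mislabel_check NAME EXPECTED_TYPE: true (exit 0) when denials on NAME were
# recorded and the target type differs from EXPECTED_TYPE, i.e. the file is most
# likely mislabelled rather than blocked by a deliberate policy rule.
avc_mislabel_check() {
  types=$(avc_target_types "$1")
  [ -n "$types" ] && [ "$types" != "$2" ]
}

# relabel_if_wrong PATH EXPECTED_TYPE: assumed helper for a labelled host. Reads
# the current type with ls -Z and runs restorecon only when it differs
# (needs coreutils and policycoreutils; not exercised offline).
relabel_if_wrong() {
  actual=$(ls -dZ "$1" 2>/dev/null | sed -n 's/.*:object_r:\([^: ]*\).*/\1/p')
  if [ -z "$actual" ]; then
    echo "cannot read SELinux context of $1" >&2; return 2
  fi
  if [ "$actual" != "$2" ]; then
    echo "$1 is $actual, expected $2; relabelling" >&2
    restorecon -v "$1"
  fi
}

# Usage: the sssd_t denials on krb5.conf above carry etc_t, not krb5_conf_t
printf '%s\n' "$AVC_SAMPLE" | avc_target_types krb5.conf   # prints etc_t
if printf '%s\n' "$AVC_SAMPLE" | avc_mislabel_check krb5.conf krb5_conf_t; then
  echo "krb5.conf looks mislabelled: run restorecon /etc/krb5.conf"
fi
```

On a real host, feed the script `ausearch -m avc` output instead of the constructed sample, and call relabel_if_wrong /etc/krb5.conf krb5_conf_t to apply the same fix the expected-results section shows.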
Comment 1 Dmitri Pal 2012-08-30 04:53:25 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3044

Comment 2 RHEL Program Management 2012-08-30 20:47:04 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 3 RHEL Program Management 2012-10-30 06:11:33 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 6 Martin Kosek 2013-10-07 10:26:46 UTC
Closing upstream ticket, this is not a problem in upstream FreeIPA.

Comment 8 Martin Kosek 2013-10-08 06:35:39 UTC
I am closing the ticket; it is a known issue of RHEL-5.x and was documented as such.

