Bug 867767 - realmd AVC's on clean install
realmd AVC's on clean install
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
19
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
: 867765 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-18 05:18 EDT by Miroslav Vadkerti
Modified: 2013-04-19 01:57 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-19 01:57:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
SELinux is preventing /usr/lib64/realmd/realmd from remove_name access on the directory sssd.conf.VQJYLW. (2.98 KB, text/plain)
2012-10-18 09:03 EDT, Tomáš Bžatek
no flags Details
SELinux is preventing /usr/lib64/realmd/realmd from getattr access on the filesystem /. (2.33 KB, text/plain)
2012-10-18 09:04 EDT, Tomáš Bžatek
no flags Details
My complete realmd avc log (240.26 KB, text/x-log)
2012-10-18 12:14 EDT, Stef Walter
no flags Details
SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/sbin/sssd. (2.38 KB, text/plain)
2012-10-19 08:09 EDT, Tomáš Bžatek
no flags Details
SELinux is preventing /usr/bin/systemctl from read access on the lnk_file root. (2.34 KB, text/plain)
2012-10-19 08:10 EDT, Tomáš Bžatek
no flags Details
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash. (2.62 KB, text/plain)
2012-10-19 08:18 EDT, Tomáš Bžatek
no flags Details
SELinux is preventing /usr/sbin/sss_cache from getattr access on the file /run/sssd.pid. (2.37 KB, text/plain)
2012-10-19 08:25 EDT, Tomáš Bžatek
no flags Details
SELinux is preventing /usr/sbin/sss_cache from using the signal access on a process. (2.28 KB, text/plain)
2012-10-19 08:25 EDT, Tomáš Bžatek
no flags Details
SELinux is preventing /usr/lib64/realmd/realmd from using the signal access on a process. (2.29 KB, text/plain)
2012-10-19 08:26 EDT, Tomáš Bžatek
no flags Details

  None (edit)
Description Miroslav Vadkerti 2012-10-18 05:18:27 EDT
Description of problem:
# service rpcbind restart

in AVC this denial pops up:
time->Thu Oct 18 05:14:09 2012
type=SYSCALL msg=audit(1350551649.593:713): arch=c000003e syscall=2 success=no exit=-13 a0=7f63a11af6ea a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=12955 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/usr/sbin/rpcbind" subj=system_u:system_r:rpcbind_t:s0 key=(null)
type=AVC msg=audit(1350551649.593:713): avc:  denied  { read } for  pid=12955 comm="rpcbind" name="passwd" dev="vda3" ino=17886 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

Version-Release number of selected component (if applicable):
rpcbind-0.2.0-18.fc18.x86_64
selinux-policy-3.11.1-36.fc18.noarch


How reproducible:
100%

Steps to Reproduce:
1. restart rpcbind
  
Actual results:
Denial

Expected results:
No Denial

Additional info:
Found during Active Directory test day
Comment 1 Stef Walter 2012-10-18 08:43:01 EDT
I'll be adding more realmd AVC's to this bug. It's probably easier for the selinux guys to get them all in one shot.
Comment 2 Tomáš Bžatek 2012-10-18 09:03:36 EDT
Created attachment 629361 [details]
SELinux is preventing /usr/lib64/realmd/realmd from remove_name access on the directory sssd.conf.VQJYLW.
Comment 3 Tomáš Bžatek 2012-10-18 09:04:09 EDT
Created attachment 629362 [details]
SELinux is preventing /usr/lib64/realmd/realmd from getattr access on the filesystem /.
Comment 4 Miroslav Grepl 2012-10-18 09:19:44 EDT
Most of these are fixed in the latest build.
Comment 5 Stef Walter 2012-10-18 12:14:50 EDT
Created attachment 629545 [details]
My complete realmd avc log

Miroslav I hope these are useful. A complete AVC log of realmd operations.

This is using a new livecd built from fedora-updates-testing today.
Comment 6 Miroslav Grepl 2012-10-19 03:06:15 EDT
*** Bug 867765 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2012-10-19 05:07:18 EDT
I added a lot of fixes but some issues related to authconfig remain

1. /var/lib/authconfig/last

allow realmd_t var_lib_t:dir { write remove_name add_name };
allow realmd_t var_lib_t:file { rename setattr read create write getattr unlink open };

2. /etc/krb5.confd_*


allow realmd_t etc_t:dir { write remove_name add_name };
allow realmd_t etc_t:file { write rename create unlink };


ad 1)

We could label /var/lib/authconfig as var_auth_t

ad 2)

There is a problem we are not able to add file name transitions.


Dan, 
what do you think?
Comment 8 Tomáš Bžatek 2012-10-19 08:09:51 EDT
Created attachment 629997 [details]
SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/sbin/sssd.

I've got two more denials, didn't check if it's been already reported.
Comment 9 Tomáš Bžatek 2012-10-19 08:10:31 EDT
Created attachment 629998 [details]
SELinux is preventing /usr/bin/systemctl from read access on the lnk_file root.

Both denials are with todays updates.
Comment 10 Tomáš Bžatek 2012-10-19 08:18:20 EDT
Created attachment 630000 [details]
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/bash.

Related to realmd, though no idea how this happened. Getting a pwent from remote server?
Comment 11 Stef Walter 2012-10-19 08:21:58 EDT
(In reply to comment #10)
> Created attachment 630000 [details]
> SELinux is preventing /usr/bin/bash from execute access on the file
> /usr/bin/bash.
> 
> Related to realmd, though no idea how this happened. Getting a pwent from
> remote server?

realmd calls authconfig (to manage the PAM stack). authconfig runs many commands using system(), which uses the shell.
Comment 12 Tomáš Bžatek 2012-10-19 08:25:02 EDT
Created attachment 630001 [details]
SELinux is preventing /usr/sbin/sss_cache from getattr access on the file /run/sssd.pid.

Found when leaving domain (Enforcing mode)
Comment 13 Tomáš Bžatek 2012-10-19 08:25:31 EDT
Created attachment 630002 [details]
SELinux is preventing /usr/sbin/sss_cache from using the signal access on a process.

Found when leaving domain (Enforcing mode)
Comment 14 Tomáš Bžatek 2012-10-19 08:26:07 EDT
Created attachment 630003 [details]
SELinux is preventing /usr/lib64/realmd/realmd from using the signal access on a process.

Found when leaving domain (Enforcing mode)
Comment 15 Miroslav Grepl 2012-10-24 06:16:24 EDT
Stef,
related to

2. /etc/krb5.confd_*


allow realmd_t etc_t:dir { write remove_name add_name };
allow realmd_t etc_t:file { write rename create unlink };

is this created by authconfig by default?
Comment 16 Stef Walter 2012-10-24 07:24:25 EDT
(In reply to comment #15)
> Stef,
> related to
> 
> 2. /etc/krb5.confd_*
> 
> 
> allow realmd_t etc_t:dir { write remove_name add_name };
> allow realmd_t etc_t:file { write rename create unlink };
> 
> is this created by authconfig by default?

Yes. realmd does not write to /etc/krb5.conf directly.
Comment 17 Miroslav Grepl 2012-10-24 07:25:50 EDT
Yes, I was just curious about the path.
Comment 18 Stef Walter 2012-10-26 15:59:16 EDT
Hmmm, maybe /etc/krb5.confd_xxx is a backup dir that authconfig is making? Tomasz, do you know more details?
Comment 19 Daniel Walsh 2012-10-27 06:36:46 EDT
Stef, realmd executing autoconf is going to be difficult to write up in policy, and of course it is very privileged.

Why is it doing this. And maybe we could write a transition policy from realmd to autoconf, so that realmd only gets the privs when it executes autoconf.
Comment 20 Stef Walter 2012-10-28 03:54:25 EDT
(In reply to comment #19)
> Stef, realmd executing autoconf is going to be difficult to write up in
> policy, and of course it is very privileged.
> 
> Why is it doing this. 

authconfig 'owns' the PAM stack and nsswitch configuration file on Fedora and RHEL. In order to configure logins and usage of domain accounts on Fedora and RHEL we need to run authconfig.

You can see the various authconfig commands we run here:

http://cgit.freedesktop.org/realmd/realmd/tree/service/realmd-redhat.conf#n20
Comment 21 Tomas Mraz 2012-10-29 04:23:37 EDT
/etc/krb5.confd_xxx is not directly created by authconfig. I do not know if it is created by f.e. sssd due to being restarted by authconfig though.
Comment 22 Stef Walter 2012-10-29 04:25:44 EDT
Jakub, does sssd create files like /etc/krb5.confd_*?
Comment 23 Jakub Hrozek 2012-10-29 05:02:11 EDT
The SSSD doesn't create any files outside /var/lib/sss. The only Kerberos-related files that the SSSD creates are locate in /var/lib/sss/pubconf/.

I'm sorry, I don't know what the /etc/krb5.confd_xxx files are, what is their content?
Comment 24 Miroslav Grepl 2012-10-29 05:40:14 EDT
(In reply to comment #19)
> Stef, realmd executing autoconf is going to be difficult to write up in
> policy, and of course it is very privileged.
> 
> Why is it doing this. And maybe we could write a transition policy from
> realmd to autoconf, so that realmd only gets the privs when it executes
> autoconf.

Yes, I was thinking about a policy for autoconf.
Comment 25 Tomas Mraz 2012-10-29 05:52:35 EDT
Please don't mix autoconf and authconfig. :)

The policy for authconfig should be mostly unconfined as it writes to a crucial system configuration files and eventually restarts the daemons such as sssd, ypbind,....
Comment 26 Tomáš Bžatek 2012-10-29 08:47:23 EDT
(In reply to comment #18)
> Hmmm, maybe /etc/krb5.confd_xxx is a backup dir that authconfig is making?
> Tomasz, do you know more details?

There's no xxx file in /etc, only my rpm-saved default configuration in krb5.conf.bak:

# ls -al /etc/krb5.*
-rw-r--r--. 1 root root 433 Oct 16 09:30 /etc/krb5.conf
-rw-r--r--. 1 root root 432 Sep 10 19:23 /etc/krb5.conf.bak
-rw-------. 1 root root 972 Oct 25 09:58 /etc/krb5.keytab
Comment 27 Daniel Walsh 2012-10-30 15:48:20 EDT
I am sure Miroslav mean authconfig.
Comment 28 Daniel Walsh 2012-10-30 16:00:01 EDT
Added authconfig policy in F18, and allow realmd to transition to it.

Fixed in selinux-policy-3.11.1-47.fc18.noarch
Comment 29 Miroslav Grepl 2012-10-31 09:03:29 EDT
Stef,
could you test it with this build which is available from koji.
Comment 30 Fedora End Of Life 2013-04-03 16:33:10 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 31 Fedora Update System 2013-04-08 07:44:51 EDT
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
Comment 32 Fedora Update System 2013-04-08 11:57:54 EDT
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).
Comment 33 Fedora Update System 2013-04-19 01:57:07 EDT
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.