Bug 873429 - SELinux errors when including domain-realm mapping directory
Summary: SELinux errors when including domain-realm mapping directory
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 881413 959218
Reported: 2012-11-05 20:36 UTC by Rob Crittenden
Modified: 2013-05-03 11:20 UTC (History)

Fixed In Version:
Clone Of:
Clones: 881413
Environment:
Last Closed: 2012-12-07 04:33:19 UTC
Type: Bug
Embargoed:



Description Rob Crittenden 2012-11-05 20:36:16 UTC
Description of problem:

I added:

includedir /var/lib/sss/pubconf/krb5.include.d/

To the krb5.conf template in IPA and installed a server in permissive mode.

It generated a slew of AVCs because a number of processes were not able to read the contents of the include directory.

# ausearch -m AVC -ts 14:27 | grep krb 
type=SYSCALL msg=audit(1352143784.563:2184): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7f485970dc0b a2=90800 a3=0 items=0 ppid=1 pid=5307 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { open } for  pid=5307 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { read } for  pid=5307 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { search } for  pid=5307 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc:  denied  { open } for  pid=5320 comm="kadmind" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc:  denied  { read } for  pid=5320 comm="kadmind" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143816.001:2192): avc:  denied  { read } for  pid=5428 comm="httpd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143851.870:2200): avc:  denied  { read } for  pid=5489 comm="ns-slapd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=SYSCALL msg=audit(1352143852.271:2201): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=6 a3=7fff416fea80 items=0 ppid=1 pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143852.271:2201): avc:  denied  { block_suspend } for  pid=5308 comm="krb5kdc" capability=36  scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1352143852.294:2204): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7ff22c96cc0b a2=90800 a3=0 items=0 ppid=1 pid=5573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143852.294:2204): avc:  denied  { open } for  pid=5573 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143852.294:2204): avc:  denied  { read } for  pid=5573 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143852.294:2204): avc:  denied  { search } for  pid=5573 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143855.199:2210): avc:  denied  { read } for  pid=5516 comm="ns-slapd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143854.002:2208): avc:  denied  { read } for  pid=5583 comm="httpd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=SYSCALL msg=audit(1352143863.255:2218): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=6 a3=7fff40924bf0 items=0 ppid=1 pid=5574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143863.255:2218): avc:  denied  { block_suspend } for  pid=5574 comm="krb5kdc" capability=36  scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2
type=SYSCALL msg=audit(1352143866.074:2229): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7f38ce963c0b a2=90800 a3=0 items=0 ppid=1 pid=5821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143866.074:2229): avc:  denied  { open } for  pid=5821 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143866.074:2229): avc:  denied  { read } for  pid=5821 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143866.074:2229): avc:  denied  { search } for  pid=5821 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir

Version-Release number of selected component (if applicable):

sssd-1.9.2-3.fc18.x86_64
selinux-policy-3.11.1-46.fc18.noarch

Comment 1 Jakub Hrozek 2012-11-28 14:27:26 UTC
I don't think this should be handled in the SSSD, but rather in the selinux policy.

Mirek, the directory /var/lib/sss/pubconf/krb5.include.d/ is where the SSSD stores files that are in turn included from the system-wide /etc/krb5.conf.

The directory should only be writable by the sssd_be process and readable by everyone who is permitted to read krb5.conf. It looks like the current context sssd_public_t is not sufficient.

Do we have any other we can use?

Comment 2 Daniel Walsh 2012-11-28 15:53:30 UTC
Fixed in selinux-policy-3.11.1-57.fc18.noarch

We just need to allow domains that can read sssd_public_t to also list the directory.

Comment 3 Fedora Update System 2012-11-28 20:59:31 UTC
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18

Comment 5 Fedora Update System 2012-11-30 06:38:08 UTC
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2012-12-02 19:32:08 UTC
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Comment 7 Rob Crittenden 2012-12-03 21:47:56 UTC
Still seeing these in permissive mode:

type=AVC msg=audit(1354571118.064:2218): avc:  denied  { search } for  pid=21956 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.064:2218): avc:  denied  { read } for  pid=21956 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.064:2218): avc:  denied  { open } for  pid=21956 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.421:2220): avc:  denied  { search } for  pid=21969 comm="kadmind" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.421:2220): avc:  denied  { read } for  pid=21969 comm="kadmind" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.421:2220): avc:  denied  { open } for  pid=21969 comm="kadmind" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571193.382:2232): avc:  denied  { search } for  pid=22231 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571193.382:2232): avc:  denied  { read } for  pid=22231 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571193.382:2232): avc:  denied  { open } for  pid=22231 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
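
The two AVC captures on this page, the original description and comment 7, differ in an instructive way: after selinux-policy-3.11.1-57 the httpd_t and dirsrv_t denials against sssd_public_t are gone and only krb5kdc_t and kadmind_t remain, which is what the commit in comment 8 addresses. The script below is an added example, not part of this bug report or of the selinux-policy project. It parses AVC records of the shape shown above (the embedded sample inputs are copies of lines from this report, trimmed to a representative subset), aggregates the denied permissions per source domain and object class against sssd_public_t, and compares the two captures to show which domains a policy update fixed and which still need rules. The function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Sample AVC records copied from this bug report: BEFORE_FIX from the original
# description, AFTER_FIX from comment 7 (after selinux-policy-3.11.1-57).
BEFORE_FIX = """\
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { open } for  pid=5307 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { read } for  pid=5307 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { search } for  pid=5307 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc:  denied  { open } for  pid=5320 comm="kadmind" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc:  denied  { read } for  pid=5320 comm="kadmind" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143816.001:2192): avc:  denied  { read } for  pid=5428 comm="httpd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143851.870:2200): avc:  denied  { read } for  pid=5489 comm="ns-slapd" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143852.271:2201): avc:  denied  { block_suspend } for  pid=5308 comm="krb5kdc" capability=36  scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2
"""

AFTER_FIX = """\
type=AVC msg=audit(1354571118.064:2218): avc:  denied  { search } for  pid=21956 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.064:2218): avc:  denied  { read } for  pid=21956 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.064:2218): avc:  denied  { open } for  pid=21956 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.421:2220): avc:  denied  { search } for  pid=21969 comm="kadmind" name="pubconf" dev="sda3" ino=129 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.421:2220): avc:  denied  { read } for  pid=21969 comm="kadmind" name="krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1354571118.421:2220): avc:  denied  { open } for  pid=21969 comm="kadmind" path="/var/lib/sss/pubconf/krb5.include.d" dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp:serial, verdict, brace-delimited permission list,
# then the key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*?) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC line into a dict; return None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['serial'] = int(m.group('serial'))
    rec['verdict'] = m.group('verdict')
    rec['perms'] = set(m.group('perms').split())
    rec['source_type'] = selinux_type(rec['scontext'])
    rec['target_type'] = selinux_type(rec['tcontext'])
    return rec


def summarize(text, target_type='sssd_public_t'):
    """Map (source domain, object class) -> set of permissions denied on target_type.

    Denials aimed at other targets are left out, e.g. the capability2
    block_suspend record, whose tcontext is the krb5kdc process itself.
    """
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        if rec['target_type'] != target_type:
            continue
        needed[(rec['source_type'], rec['tclass'])] |= rec['perms']
    return dict(needed)


def compare(before, after, target_type='sssd_public_t'):
    """Split pre-update denials into those gone after the update and those remaining."""
    b = summarize(before, target_type)
    a = summarize(after, target_type)
    fixed = sorted(key for key in b if key not in a)
    remaining = {key: sorted(perms) for key, perms in a.items()}
    return fixed, remaining


def as_te_rules(summary, target_type='sssd_public_t'):
    """Render a summary as allow rules in SELinux TE syntax (the shape audit2allow
    prints). This is triage output: decide first whether the access is legitimate."""
    return [
        f"allow {src} {target_type}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (src, tclass), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    fixed, remaining = compare(BEFORE_FIX, AFTER_FIX)
    print('no longer denied after -57:', fixed)
    print('still denied after -57:', remaining)
    for rule in as_te_rules(remaining):
        print(rule)
```

Run as-is, the comparison reports httpd_t and dirsrv_t as fixed and krb5kdc_t and kadmind_t as still needing `{ open read search }` on dir, matching comment 7. The three permissions map onto what an `includedir` directive needs: `search` on the parent `pubconf` (ino=129) to traverse into it, and `read` plus `open` on `krb5.include.d` (ino=130) to list the included files. Whether such access is legitimate is a separate judgement, which comment 1 makes explicitly for this directory (writable only by sssd_be, readable by whatever may read krb5.conf); the rendered rules are a starting point for that review, not something to load unread.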

Comment 8 Miroslav Grepl 2012-12-04 13:01:38 UTC
Added.

commit 8f0e9d1b5a3655573c1a0e09502965230bc76b20
Author: Miroslav Grepl <mgrepl>
Date:   Tue Dec 4 13:59:37 2012 +0100

    Allow kadmind and krb5kdc to also list sssd_public_t

Comment 9 Fedora Update System 2012-12-06 20:14:55 UTC
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-12-07 04:33:22 UTC
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

