Description of problem:
New pki-ca of version 10, which has its SELinux policy integrated in the system policy, can no longer connect to port 7389, which FreeIPA versions before 3.1 use to run a Directory Server instance holding pki-ca data. Allowing pki-ca to use that port is essential to be able to create replicas.

Respective AVCs (and one other which seems benign but would be good to fix too):

type=AVC msg=audit(1353656413.960:678): avc: denied { getattr } for pid=13177 comm="java" path="/var/lib/tomcat" dev="dm-0" ino=14111 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1353656413.960:678): arch=c000003e syscall=6 success=no exit=-13 a0=7fa7618a77a0 a1=7fa7618a6660 a2=7fa7618a6660 a3=61636d6f742f6572 items=0 ppid=1 pid=13177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1353656413.960:679): avc: denied { search } for pid=13177 comm="java" name="tomcat" dev="dm-0" ino=14111 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1353656413.960:679): arch=c000003e syscall=4 success=no exit=-13 a0=7fa758b1fc20 a1=7fa7618a8730 a2=7fa7618a8730 a3=61636d6f742f6572 items=0 ppid=1 pid=13177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)

<<<<<<<<<<<<<<< THE blocking AVC
type=AVC msg=audit(1353656421.148:680): avc: denied { name_connect } for pid=13260 comm="java" dest=7389 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
>>>>>>>>>>>>>>>
type=SYSCALL msg=audit(1353656421.148:680): arch=c000003e syscall=42 success=no exit=-13 a0=59 a1=7fa7604772a0 a2=1c a3=252 items=0 ppid=1 pid=13260 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1353656421.149:681): avc: denied { name_connect } for pid=13260 comm="java" dest=7389 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1353656421.149:681): arch=c000003e syscall=42 success=no exit=-13 a0=59 a1=7fa7604770e0 a2=1c a3=252 items=0 ppid=1 pid=13260 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-50.fc18.noarch
selinux-policy-targeted-3.11.1-50.fc18.noarch
pki-ca-10.0.0-0.52.b3.fc18.noarch
pki-tools-10.0.0-0.52.b3.fc18.x86_64
pki-server-10.0.0-0.52.b3.fc18.noarch
pki-base-10.0.0-0.52.b3.fc18.noarch

How reproducible:

Steps to Reproduce:
1. Install FreeIPA server on one Fedora 17 VM
2. Try to install FreeIPA replica in Fedora 18 VM, use --setup-ca to set up pki-ca for that replica
3.

Actual results:
Installation of replica always crashes due to SELinux AVC.

Expected results:
No SELinux AVC -> installation succeeds.

Additional info:
Martin, could you switch to permissive and see if you get more AVC msgs? Thank you.
Created attachment 650338: SELinux audit log

Attaching an audit.log which was truncated before FreeIPA+pki-ca replica configuration. It should contain all the needed AVCs.
Fixed in selinux-policy-3.11.1-56.fc18

commit 24227a786622e88515b7b56bc8e7f0959e0569a9
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 26 08:47:11 2012 +0100

    Add support for 7389/tcp port
    * pki_ca port

commit 267068aa1ef0ab7735864332136a78c03d1ac4de
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 26 08:48:32 2012 +0100

    Allow pki_tomcat_t to connect to pki_ca ports
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This fix is incorrect. Port 7389 should not be labelled as pki_ca_port_t. Port 7389 is used by the 389 Directory Server instance that Dogtag was using. This port should be labelled as ldap_port_t, but the labelling should be handled when the 389 Directory Server instance is created (the setup-ds.pl script calls semanage to do this). We are seeing AVC messages now with selinux-policy-3.11.1-60.fc18 due to ns-slapd not being allowed to name_connect to pki_ca_port_t. The problem initially reported in this bug is that 7389 was labelled as unreserved_port_t, when it should have been ldap_port_t. I do not know how it got in that state. The fix made in this bug needs to be backed out. Port 7389 should not be labelled in the default policy.
I'll also add that pki_tomcat_t should be able to connect to ldap_port_t (we should verify this in the policy).
(In reply to comment #9)
> This fix is incorrect. Port 7389 should not be labelled as pki_ca_port_t.
> Port 7389 is used by the 389 Directory Server instance that Dogtag was
> using. This port should be labelled as ldap_port_t, but the labelling
> should be handled when the 389 Directory Server instance is created (the
> setup-ds.pl script calls semanage to do this).
>
> We are seeing AVC messages now with selinux-policy-3.11.1-60.fc18 due to
> ns-slapd not being allowed to name_connect to pki_ca_port_t. The problem
> initially reported in this bug is that 7389 was labelled as
> unreserved_port_t, when it should have been ldap_port_t. I do not know how
> it got in that state.
>
> The fix made in this bug needs to be backed out. Port 7389 should not be
> labelled in the default policy.

OK, but the problem is I will need to allow connecting to all unreserved ports. I would change it to ldap_port_t as you suggested.
Fixed in selinux-policy-3.11.1-61.fc18

commit 78c58c80da78589474a94e7020f83cb0c28cbbd7
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 10 09:23:15 2012 +0100

    Add support for 7389/tcp port
    * ldap_port_t

commit 5c41f974701c30cfa761842d7ef87e0851d0ccdb
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 10 09:22:19 2012 +0100

    Allow pki_tomcat to connect to ldap port
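The diagnosis in this bug comes down to two facts read off the AVC record: the source domain (pki_tomcat_t) and the type of the target port (unreserved_port_t instead of a service type such as ldap_port_t). The parser below is an added example, not code from the bug report, FreeIPA, Dogtag or the selinux-policy package; it splits audit records into fields, extracts the name_connect denials, and, following the resolution reached in comment #9 and the -61 fix, states the two things an operator would check: that the port carries the service's port type (what setup-ds.pl is said to do through semanage) and that the policy has an allow rule from the confined domain to that port type. The sample records are the ones from the report with the SYSCALL lines shortened; the `port_fix` helper and the choice of `ldap_port_t` as the intended type are this example's assumptions.

```python
import re

# Audit records copied from the original report; SYSCALL records shortened here.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1353656413.960:678): avc:  denied  { getattr } for  pid=13177 comm="java" path="/var/lib/tomcat" dev="dm-0" ino=14111 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1353656413.960:678): arch=c000003e syscall=6 success=no exit=-13 comm="java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1353656413.960:679): avc:  denied  { search } for  pid=13177 comm="java" name="tomcat" dev="dm-0" ino=14111 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1353656421.148:680): avc:  denied  { name_connect } for  pid=13260 comm="java" dest=7389 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1353656421.149:681): avc:  denied  { name_connect } for  pid=13260 comm="java" dest=7389 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# type=AVC msg=audit(<epoch>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# Values are either double-quoted (paths, comm) or bare tokens (contexts, pids).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:range; policy rules are keyed on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def parse_audit(text):
    """All AVC denials in an audit log excerpt, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def port_denials(records):
    """Distinct (source domain, dest port, port type) triples for TCP name_connect denials."""
    seen = {}
    for r in records:
        if r.get("tclass") == "tcp_socket" and "name_connect" in r["perms"]:
            seen[(r["scontext_type"], int(r["dest"]), r["tcontext_type"])] = None
    return list(seen)


def port_fix(domain, port, port_type, service_type):
    """Commands to (a) label the port with the service type when it is still
    unreserved_port_t and (b) confirm the policy allows domain -> service_type.
    Assumption of this example: the operator knows which service owns the port."""
    steps = []
    if port_type == "unreserved_port_t":
        steps.append(f"semanage port -a -t {service_type} -p tcp {port}")
    steps.append(
        f"sesearch -A -s {domain} -t {service_type} -c tcp_socket -p name_connect"
    )
    return steps


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for domain, port, ptype in port_denials(recs):
        print(f"{domain} -> tcp/{port} ({ptype})")
        for cmd in port_fix(domain, port, ptype, "ldap_port_t"):
            print("   ", cmd)
```

Two caveats when acting on the output: `semanage port -a` refuses a port that the loaded policy already defines (as 7389/tcp is from selinux-policy-3.11.1-61 onward), so on such a system only the `sesearch` check is relevant; and an empty `sesearch` result means the denial will recur even after the port is relabelled, which is exactly the second half of the -61 fix ("Allow pki_tomcat to connect to ldap port").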
selinux-policy-3.11.1-62.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-62.fc18
Package selinux-policy-3.11.1-62.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-62.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20203/selinux-policy-3.11.1-62.fc18
then log in and leave karma (feedback).
The IPA server has been rebuilt:

[root@server ~]# yum list installed freeipa*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
freeipa-admintools.x86_64        3.1.0-1.fc18    @updates-testing
freeipa-client.x86_64            3.1.0-1.fc18    @updates-testing
freeipa-python.x86_64            3.1.0-1.fc18    @updates-testing
freeipa-server.x86_64            3.1.0-1.fc18    @updates-testing
freeipa-server-selinux.x86_64    3.1.0-1.fc18    @updates-testing
[root@server ~]# yum list installed selinux*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch            3.11.1-62.fc18  @updates-testing
selinux-policy-devel.noarch      3.11.1-62.fc18  @updates-testing
selinux-policy-targeted.noarch   3.11.1-62.fc18  @updates-testing
[root@server ~]#

I can login through IPA and there are no SELinux alerts:

[root@server ~]# ausearch -m AVC
<no matches>
[root@server ~]#

Thank you for your help.
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.