Description of problem:
SELinux prevents /sbin/realm (...PackageKit) from installation of additional packages required for joining an AD domain, when they are not present on the system while it is preparing to enroll a machine into the given domain.

Version-Release number of selected component (if applicable):
# rpm -q realmd selinux-policy adcli
realmd-0.12-1.fc18.x86_64
selinux-policy-3.11.1-76.

How reproducible:
always (before the missing packages are installed), so make sure to remove them each time while testing your fix

Steps to Reproduce:
1. Set up M$ AD as described here: http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html
2. Try to discover the domain:
# realm discover security.baseos.qe
...
required-package: sssd-tools
required-package: sssd
required-package: adcli
required-package: samba-common
...
3. Try to join the configured domain:
# realm join -v security.baseos.qe
 * Searching for kerberos SRV records for domain: _kerberos._udp.security.baseos.qe
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.security.baseos.qe
 * dc.security.baseos.qe:88
 * Found kerberos DNS records for: security.baseos.qe
 * Found AD style DNS records for: security.baseos.qe
 * Successfully discovered: security.baseos.qe
 * Couldn't find file: /usr/sbin/sss_cache
 * Assuming packages installed
 ! Failed to enroll machine in realm: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.121" (uid=0 pid=12103 comm="/usr/lib64/realmd/realmd ") interface="org.freedesktop.PackageKit" member="CreateTransaction" error name="(unset)" requested_reply="0" destination=":1.304" (uid=0 pid=19277 comm="/usr/libexec/packagekitd ")
realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.

[root@godot ~]# ausearch -m user_avc -ts recent
----
time->Wed Feb 13 17:36:06 2013
type=USER_AVC msg=audit(1360773366.578:684): pid=755 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.304 spid=12103 tpid=19277 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Feb 13 17:36:06 2013
type=USER_AVC msg=audit(1360773366.579:685): pid=755 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.304 spid=12103 tpid=19277 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Feb 13 17:36:06 2013
type=USER_AVC msg=audit(1360773366.579:686): pid=755 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.PackageKit member=CreateTransaction dest=:1.304 spid=12103 tpid=19277 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Actual results:
realm fails to enroll machine

Expected results:
successful enrolment

Additional info:
Creation of a policy module similar to the one below allowed installation of the missing packages, though some more policy tuning might help even more ;-)

module realmd-dbus 1.0;

require {
    type realmd_t;
    type rpm_t;
    class dbus send_msg;
}

#============= realmd_t ==============
allow realmd_t rpm_t:dbus send_msg;
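The local module quoted in the report is exactly what `ausearch -m avc,user_avc -ts recent | audit2allow -M realmd-dbus` would emit from those three USER_AVC records: the two interfaces (DBus.Properties GetAll and PackageKit CreateTransaction) collapse into one rule because SELinux checks `dbus send_msg` per source/target domain pair, not per D-Bus method. The script below is an added example, not part of the bug report or of the selinux-policy/realmd projects: a small POSIX sh/awk converter that performs the same extraction offline, so the resulting `.te` can be read before anything is loaded. The function names (`avc_to_te`, `demo`, `install_module`) are this example's own, and the third record in the sample input, a kernel AVC for a file, is constructed purely to exercise the multi-permission form; it is not a denial anyone observed.

```shell
#!/bin/sh
# Added example, not from the bug report: a minimal audit2allow-style
# converter. It reads ausearch output (kernel AVC and dbus USER_AVC records)
# on stdin and prints a policy module source (.te) with one allow rule per
# (source type, target type, class), permissions merged and deduplicated.
# Names (avc_to_te, demo, install_module) are this example's own.

avc_to_te() {
    awk -v modname="${1:-local-avc}" '
    # Wrap a permission list in braces when it has more than one member.
    function braces(s) { return (index(s, " ") ? "{ " s " }" : s) }

    /avc: *denied/ {
        # Permissions are the words inside the braces that follow "denied".
        if (!match($0, /denied *[{][^}]*[}]/)) next
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied *[{] */, "", perms)
        sub(/ *[}]$/, "", perms)

        # Source/target contexts and object class are key=value fields.
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1)      s = substr($i, 10)
            else if (index($i, "tcontext=") == 1) t = substr($i, 10)
            else if (index($i, "tclass=") == 1)   c = substr($i, 8)
        }
        if (s == "" || t == "" || c == "") next

        # The type is the third component of user:role:type:level.
        split(s, sf, ":"); split(t, tf, ":")
        st = sf[3]; tt = tf[3]

        # Remember first-seen order so the output is stable and reviewable.
        if (!(st in tseen)) { tseen[st] = 1; torder[++nt] = st }
        if (!(tt in tseen)) { tseen[tt] = 1; torder[++nt] = tt }
        if (!(c in cseen))  { cseen[c] = 1;  corder[++nc] = c }
        key = st SUBSEP tt SUBSEP c
        if (!(key in kseen)) { kseen[key] = 1; korder[++nk] = key }

        np = split(perms, pa, " ")
        for (j = 1; j <= np; j++) {
            p = pa[j]
            if (!((key, p) in pseen)) {        # merge perms per allow rule
                pseen[key, p] = 1
                rule[key] = (rule[key] == "" ? p : rule[key] " " p)
            }
            if (!((c, p) in cpseen)) {         # merge perms per class (require block)
                cpseen[c, p] = 1
                cperm[c] = (cperm[c] == "" ? p : cperm[c] " " p)
            }
        }
    }

    END {
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", corder[i], braces(cperm[corder[i]])
        printf "}\n"
        for (i = 1; i <= nk; i++) {
            split(korder[i], kf, SUBSEP)
            if (!(kf[1] in hdr)) { hdr[kf[1]] = 1; printf "\n#============= %s ==============\n", kf[1] }
            printf "allow %s %s:%s %s;\n", kf[1], kf[2], kf[3], braces(rule[korder[i]])
        }
    }'
}

# Compile and load a module written by avc_to_te to "$1.te". Needs root plus
# checkpolicy/policycoreutils; never invoked by the demo.
install_module() {
    name="$1"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Sample input: two of the dbus USER_AVC records from the report (GetAll and
# CreateTransaction, which collapse into one rule) plus one CONSTRUCTED
# kernel AVC for a file, present only to show the multi-permission form.
demo() {
    avc_to_te realmd-dbus <<'EOF'
----
time->Wed Feb 13 17:36:06 2013
type=USER_AVC msg=audit(1360773366.578:684): pid=755 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.304 spid=12103 tpid=19277 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Feb 13 17:36:06 2013
type=USER_AVC msg=audit(1360773366.579:686): pid=755 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.PackageKit member=CreateTransaction dest=:1.304 spid=12103 tpid=19277 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Feb 13 17:36:07 2013
type=AVC msg=audit(1360773367.000:687): avc:  denied  { read open } for  pid=12103 comm="realmd" path="/etc/sssd/sssd.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=file
EOF
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh mini_audit2allow.sh --demo` to see the generated module, or feed live data with `ausearch -m avc,user_avc -ts recent | avc_to_te realmd-dbus > realmd-dbus.te`. Two caveats before loading anything: a `dbus send_msg` allow is one-directional, so a reply from rpm_t back to realmd_t is a separate check that shows up as its own denial (the `*_dbus_chat` interfaces in the distribution policy grant both directions, which is what "dbus chat" in the fix commit refers to); and the rule covers every D-Bus message between the two domains, not only the PackageKit methods that triggered it, which is the "more policy tuning" the reporter alludes to.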
commit f83daacb45886645765434c69fcbd4f28e620006
Author: Miroslav Grepl <mgrepl>
Date:   Fri Feb 15 10:24:11 2013 +0100

    Allow realmd to dbus chat with rpm
selinux-policy-3.11.1-78.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-78.fc18
Package selinux-policy-3.11.1-78.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-78.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-2588/selinux-policy-3.11.1-78.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-78.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.