Bug 947439 - freeipa-server upgrade issues with pki-ca
Summary: freeipa-server upgrade issues with pki-ca
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-02 12:32 UTC by Martin Kosek
Modified: 2013-04-18 02:51 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:51:12 UTC


Attachments (Terms of Use)

Description Martin Kosek 2013-04-02 12:32:14 UTC
Description of problem:

FreeIPA server installed in Fedora 17 and upgraded to Fedora 18 reported upgrade issues. The problem was in certmonger who as not allowed to start tracking pki-ca certs due to following AVCs:

type=AVC msg=audit(1364732496.007:5713): avc:  denied  { search } for  pid=19923 comm="certmonger"      name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:      object_r:pki_tomcat_var_lib_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-86.fc18.noarch

How reproducible:

Steps to Reproduce:
1. Install FreeIPA server with Fedora 17
2. Upgrade to  Fedora 18 (including FreeIPA)
3.
  
Actual results:
FreeIPA upgrade process reports failures in certmonger tracking pki-ca certificates (required in 3.1 certificate renew feature)

Expected results:
No cert tracking upgrade issues.

Additional info:

Comment 1 Anthony Messina 2013-04-02 12:36:21 UTC
Here are the actual AVCs from my audit log, one for each attempt of getcert:

certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n subsystemCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n Server-Cert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX' returned non-zero exit status 1



type=SYSCALL msg=audit(1364732495.999:5706): arch=c000003e syscall=2 success=no exit=-13 a0=103f820 a1=242 a2=180 a3=1f items=0 ppid=19902 pid=19918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1364732496.004:5707): avc:  denied  { search } for  pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1364732496.004:5707): arch=c000003e syscall=4 success=no exit=-13 a0=103fb20 a1=7fffee7a0550 a2=7fffee7a0550 a3=1f items=0 ppid=19902 pid=19920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1364732496.004:5708): avc:  denied  { search } for  pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1364732496.004:5708): arch=c000003e syscall=2 success=no exit=-13 a0=103fb20 a1=0 a2=180 a3=1f items=0 ppid=19902 pid=19920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1364732496.004:5709): avc:  denied  { search } for  pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1364732496.004:5709): arch=c000003e syscall=4 success=no exit=-13 a0=103fea0 a1=7fffee7a0580 a2=7fffee7a0580 a3=1f items=0 ppid=19902 pid=19920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1364732496.004:5710): avc:  denied  { search } for  pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir

Comment 2 Anthony Messina 2013-04-02 12:37:17 UTC
And the following custom policy 'fixes' the issue.

module fixcertmongerpkica 1.0;

require {
        type certmonger_t;
        type pki_tomcat_var_lib_t;
        class dir search;
}

#============= certmonger_t ==============
allow certmonger_t pki_tomcat_var_lib_t:dir search;

Comment 3 Miroslav Grepl 2013-04-03 08:11:53 UTC
Martin,
could you re-test it in permissive mode to see if we get more AVCs. Thank you.

Comment 4 Martin Kosek 2013-04-03 13:29:54 UTC
This is what I see when I upgrade Fedora 17 with IPA installed to Fedora 18:

# getenforce 
Permissive
# grep AVC /var/log/audit/audit.log 
# yum distro-sync --releasever=18
...
Complete!

# grep AVC /var/log/audit/audit.log 
type=AVC msg=audit(1364990307.573:116): avc:  denied  { read } for  pid=438 comm="dbus-daemon" name="passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1364990307.573:116): avc:  denied  { open } for  pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1364990307.573:117): avc:  denied  { getattr } for  pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1364990320.938:122): avc:  denied  { read } for  pid=438 comm="dbus-daemon" name="passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1364990320.938:122): avc:  denied  { open } for  pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1364990320.940:123): avc:  denied  { getattr } for  pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file
type=USER_AVC msg=audit(1364990422.481:135): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1364990520.748:161): avc:  denied  { unlink } for  pid=1093 comm="java" name="1085" dev="dm-0" ino=15753 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file


From that list, only this one looks relevant to IPA:

type=AVC msg=audit(1364990520.748:161): avc:  denied  { unlink } for  pid=1093 comm="java" name="1085" dev="dm-0" ino=15753 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

When I then update to freeipa-server-3.1.3, I see the reported AVC:

# yum update freeipa-server --enablerepo=updates-testing
...
# grep AVC /var/log/audit/audit.log 
...
type=AVC msg=audit(1364994343.817:33): avc:  denied  { search } for  pid=779 comm="certmonger" name="pki-ca" dev="dm-0" ino=17861 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir

Comment 5 Anthony Messina 2013-04-03 13:53:12 UTC
That makes sense to me.  When I do a distro-sync, it's always in permissive mode, as there is no real way to recover from SELinux issues during the upgrade.  Then after a 'touch /.autorelabel' and cleaning up other *.conf files, etc, I reboot.

It wasn't until the further upgrade of freeipa-server that I got the certmonger SELinux denials issues.

Your example basically replicated my situation with certmonger.

Comment 7 Martin Kosek 2013-04-11 10:43:41 UTC
Hello, was there any update to this Bugzilla? Do you need more information?

Thanks,
Martin

Comment 8 Miroslav Grepl 2013-04-11 10:54:28 UTC
Fixed in selinux-policy-3.11.1-90.fc18

Comment 9 Fedora Update System 2013-04-15 11:11:16 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 10 Fedora Update System 2013-04-16 00:06:42 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-04-18 02:51:13 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.