Bug 947933 - AVCs Using Kerberized QPid
Summary: AVCs Using Kerberized QPid
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On: 922167
Reported: 2013-04-03 14:57 UTC by Adam Young
Modified: 2013-04-18 02:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 922167
Last Closed: 2013-04-18 02:51:22 UTC


Description Adam Young 2013-04-03 14:57:34 UTC
+++ This bug was initially created as a clone of Bug #922167 +++

Description of problem:
Using Kerberos/GSSAPI/SASL to secure Qpid triggers SELinux AVC

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  install freeipa-server
2.  install two machines as freeipa-ipa clients.  I called them portal and queue.  

The following steps are done on queue
3.  install qpidd
4.  edit /usr/lib/systemd/system/qpidd.service  and under [Service] add
Environment="KRB5CCNAME=FILE:/run/user/997/krb5cc" "KRB5_KTNAME=/var/kerberos/krb5/user/997/client.keytab"
5.  edit /etc/sasl2/qpidd.conf and make sure the only mech listed is GSSAPI:
  mech_list: GSSAPI
6. edit /etc/qpidd.conf and make sure GSSAPI is enabled:
    realm=YOURREALM  #this should match the FreeIPA install
7.   Set SELinux to permissive
    setenforce permissive
8.  fetch a keytab from the ipa server and save it in /var/kerberos/krb5/user/997/client.keytab
 ipa-getkeytab -s ${IPAHOSTNAME} -p qpidd/${HOSTNAME}@${REALM} -k client.keytab
9.  restart qpidd
    systemctl restart qpidd.service

On portal install

 yum install python-saslwrapper python-amqplib
And run the following python program

import unittest

from qpid.messaging import Connection
from qpid.messaging.exceptions import AuthenticationFailure

class IntegrationRelatedTechResearch(unittest.TestCase):

    def setUp(self):
        self._qpid_host = 'q.openstack.freeipa.org'
        self._qpid_port = 5672

    def testConnectQPIDAsRegularUserUsingGSSAPI(self):
        # Connection() only records the settings; open() performs the
        # SASL/GSSAPI handshake against the broker, which is what exercises
        # the Kerberos code paths on the queue host.
        conn = Connection(
            host = self._qpid_host,
            port = self._qpid_port,
            sasl_mechanisms = 'GSSAPI')
        try:
            conn.open()
        except AuthenticationFailure as e:
            self.fail('GSSAPI authentication failed: %s' % e)
        # Close the connection when the test finishes, whatever its outcome.
        self.addCleanup(conn.close)

if __name__ == '__main__':
    unittest.main()

Actual results:

Running audit2allow on queue shows

#============= qpidd_t ==============
allow qpidd_t file_context_t:dir search;
allow qpidd_t file_context_t:file { read getattr open };
allow qpidd_t krb5_conf_t:file { read getattr open };
allow qpidd_t self:process setfscreate;
allow qpidd_t sssd_public_t:dir { read search open };
allow qpidd_t tmp_t:dir { write add_name };
allow qpidd_t tmp_t:file { write create open };
allow qpidd_t var_t:file { read lock open };

While the last line (var_t:file) is probably from the keytab
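
An added triage helper, not part of this bug report or of selinux-policy, that parses the audit2allow rules above (embedded as constructed sample input) and separates rules that point at mislabelled files or broad write access to generic types from those that look like a genuine policy gap. The GENERIC_TYPES and WRITE_PERMS sets are my own heuristic, not anything the report or the policy defines.

```python
import re

# Constructed sample input: the audit2allow output quoted in this bug report.
AUDIT2ALLOW_OUTPUT = """\
#============= qpidd_t ==============
allow qpidd_t file_context_t:dir search;
allow qpidd_t file_context_t:file { read getattr open };
allow qpidd_t krb5_conf_t:file { read getattr open };
allow qpidd_t self:process setfscreate;
allow qpidd_t sssd_public_t:dir { read search open };
allow qpidd_t tmp_t:dir { write add_name };
allow qpidd_t tmp_t:file { write create open };
allow qpidd_t var_t:file { read lock open };
"""

# Matches "allow SRC TGT:CLASS perm;" and "allow SRC TGT:CLASS { p1 p2 };".
RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;", re.M)

# Heuristic (my assumption): write-class permissions on a generic type are a
# red flag, and any access to a generic type usually means the file is
# mislabelled (check with ls -Z) rather than that a policy rule is missing.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "append", "unlink"}
GENERIC_TYPES = {"tmp_t", "var_t", "etc_t", "usr_t", "default_t"}

def parse_rules(text):
    """Return a list of (source, target, class, set-of-perms) tuples."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = m.group(4).split() if m.group(4) else [m.group(5)]
        rules.append((m.group(1), m.group(2), m.group(3), set(perms)))
    return rules

def triage(rules):
    """Map 'src tgt:class' to 'broad', 'mislabel' or 'policy'."""
    verdicts = {}
    for src, tgt, cls, perms in rules:
        key = "%s %s:%s" % (src, tgt, cls)
        if tgt in GENERIC_TYPES and perms & WRITE_PERMS:
            verdicts[key] = "broad"      # do not just allow; relabel or confine
        elif tgt in GENERIC_TYPES:
            verdicts[key] = "mislabel"   # e.g. a keytab outside its default path
        else:
            verdicts[key] = "policy"     # candidate for a real policy change
    return verdicts

if __name__ == "__main__":
    for key, verdict in sorted(triage(parse_rules(AUDIT2ALLOW_OUTPUT)).items()):
        print("%-10s %s" % (verdict, key))
```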

Comment 1 Miroslav Grepl 2013-04-04 11:02:02 UTC
commit 42335fe752eb498aca43881d4d42de042b664ad0
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Apr 4 13:01:28 2013 +0200

    Allow qpidd to use kerberos

Comment 2 Fedora Update System 2013-04-15 11:11:23 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.

Comment 3 Fedora Update System 2013-04-16 00:06:51 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-04-18 02:51:23 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
