FreeIPA grew a new daemon in Fedora 19 and needs SELinux policy generated for it. It is systemd socket activated and listens on /var/kerberos/krb5kdc/DEFAULT.socket. It also needs permissions to connect to the local FreeIPA server (/var/run/slapd-*.socket) and all local and remote RADIUS ports (typically udp 1812). Other than that it can be completely locked down.
So it should be a part of the selinux-policy packages?
We are evaluating handing over all the FreeIPA/IdM policies back to the base selinux-policy packages, so we can start with ipa-otpd maybe?
Ok, I will create an initial policy for testing.
Hi guys, any change or update on this front?
I am creating a test policy.
Created attachment 759598 [details]
ipa-otpd initial policy

Could you please download/unpack the archive and run

# sh ipa.sh

re-test and

# ausearch -m avc -ts recent
Nathaniel, any luck with the policy?
No, the policy does not work.

1. systemd creates /var/kerberos/krb5kdc/DEFAULT.socket. It is currently receiving the context krb5kdc_conf_t.
2. krb5kdc is running as context krb5kdc_t and needs to open (read/write) /var/kerberos/krb5kdc/DEFAULT.socket (and potentially all other sockets in this directory).
3. Once krb5kdc connects to /var/kerberos/krb5kdc/DEFAULT.socket, systemd starts ipa-otpd. ipa-otpd currently receives init_t.
4. ipa-otpd must be able to open /var/run/slapd-*.socket (currently dirsrv_var_run_t).
5. ipa-otpd must be able to open a RADIUS socket (usually udp 1812).

The following audit2allow makes everything work, but I suspect further constraint separation is desired:

allow krb5kdc_t init_t:unix_stream_socket connectto;
allow krb5kdc_t krb5kdc_conf_t:sock_file write;
Hello Mirek, any other way we can help beyond Comment 8 to add support for ipa-otpd to the system policy?
Ok, and how does the following output look

# ps -eZ |grep ipa

if you test it. I am planning to add the policy to a new freeipa.pp policy module.
FreeIPA does not have any running "ipa" process, it is rather composed from a set of integrated processes. This is what I get with selinux-policy-3.12.1-65.fc19.noarch:

# ps -eZ | egrep "(httpd|krb5kdc|otp|slap|ipa_memcache|tomcat|named|kadmin)"
system_u:system_r:dirsrv_t:s0       1328 ?        00:02:17 ns-slapd
system_u:system_r:pki_tomcat_t:s0  13117 ?        00:05:38 java
system_u:system_r:kadmind_t:s0     13228 ?        00:00:00 kadmind
system_u:system_r:named_t:s0       13500 ?        00:00:11 named
system_u:system_r:httpd_t:s0       13523 ?        00:00:23 httpd
system_u:system_r:httpd_t:s0       13524 ?        00:00:00 nss_pcache
system_u:system_r:httpd_t:s0       29556 ?        00:00:13 httpd
system_u:system_r:httpd_t:s0       29557 ?        00:00:12 httpd
system_u:system_r:httpd_t:s0       29558 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       29559 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       29560 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       29561 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       29562 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       32468 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0       32508 ?        00:00:00 httpd
system_u:system_r:krb5kdc_t:s0     32617 ?        00:00:00 krb5kdc
I wanted to see ipa-otpd if possible. I know it is socket activated but we need to be sure it runs as ipa_otpd_t instead of init_t.
Ok. I will leave that to Nathaniel, he is more fluent with ipa-otpd than I am.
Miroslav, do you want me to run that with or without the non-working policy provided in this bug?
Just wanted to see the policy really works and we have the right labeling for the service.
# ps -eZ | grep ipa
system_u:system_r:ipa_otpd_t:s0     2054 ?        00:00:00 ipa-otpd
*** This bug has been marked as a duplicate of bug 970169 ***
These are not duplicates. #970163 requests a new policy to constrain ipa-otpd. #970169 requests a change to the existing krb5kdc policy.
Added to rawhide.

commit 49188774ae96b7b4744e5c1e44a35d576fb02480
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 9 15:59:14 2013 +0100

    Add policy for ipa_otpd_t as a part of ipa.pp
/var/kerberos/krb5kdc/DEFAULT.socket: has it been moved to /run?
No. Upstream does not wish to move it.
Any reason why not?
Because it is Linux specific. And then only modern Linux. And then not even all modern Linuxes. Due to the requirement of support for other UNIXes, MIT rejects most all OS specific patches. I discussed this with them via phone and they were strongly disinclined to accept such a patch.
Is there a configuration that we can change on our own? Or could we send a patch to them to add a configuration?
The path to the RADIUS server's local socket (and if it's even a local socket) is indeed configurable in krb5.conf. If the location isn't explicitly configured, the location is computed using the format string "/var/kerberos/krb5kdc/%s.socket" and the label that's being used to represent the server ("DEFAULT" by default), and that's where ipa-otpd's configuration defaults to telling systemd to put the socket. The directory part of that's derived from the localstatedir that's set at configure-time when the package is being built, though, so I'd suggest that the policy handle the label for the socket like it does for KDC configuration, realm databases, and locks -- as though they could show up in multiple locations.
+1, the sockets could show up in multiple locations. However, all the stuff related to krb5kdc policy needs to go in bug 970169. I will confirm that the ipa-otpd policy is working and then this bug can be closed.
ipa-otpd is currently running under system_u:system_r:ipa_otpd_t:s0 in rawhide. I'm able to connect to pretty much anywhere from the daemon with ldap/RADIUS. Miroslav, is ipa_otpd_t otherwise constrained? If yes, then I think we are done with this bug. Where is the commit diff for this change?
If it works in rawhide then we can backport it to F20/RHEL7.
commit a66cf1bff68035c7a9b11fe3801c00c0cafce6bc
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 7 17:56:36 2014 +0100

    backport ipa policy files
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
So it appears that the new ipa-otpd policy has also caused new problems. Namely: /dev/urandom and /etc/resolv.conf.

type=AVC msg=audit(1391716026.982:421): avc: denied { read } for pid=2336 comm="ipa-otpd" name="urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.982:421): avc: denied { open } for pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1391716026.982:421): arch=c000003e syscall=2 success=yes exit=3 a0=7f71d5e9d744 a1=0 a2=40 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.983:422): avc: denied { getattr } for pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1391716026.983:422): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff141c5e50 a2=7fff141c5e50 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.984:423): avc: denied { read } for pid=2336 comm="ipa-otpd" name="resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1391716026.984:423): avc: denied { open } for pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1391716026.984:423): arch=c000003e syscall=2 success=yes exit=6 a0=7f71d7a9f41a a1=80000 a2=1b6 a3=7fff141c5b00 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.984:424): avc: denied { getattr } for pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1391716026.984:424): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff141c39d0 a2=7fff141c39d0 a3=0 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
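Added example, not code from this bug or from the selinux-policy project: a small Python summarizer for raw audit records like the ones above. It does what a reviewer does by hand before reaching for audit2allow: group the AVC denials by source type, target type and object class, collect the permissions, and emit the equivalent allow rules so that each can be replaced with the proper interface (for example sysnet_read_config for net_conf_t). It also pairs each AVC record with the SYSCALL record that shares its audit serial; an AVC "denied" whose syscall still reports success=yes means the access was only logged, not blocked, which is what you see for a permissive domain. The sample records are constructed from the ones posted here, abridged, and the resolv.conf SYSCALL record has been changed to success=no to show both outcomes.

```python
"""Summarize SELinux AVC denials, audit2allow-style, and flag permissive ones."""
import re
import sys
from collections import defaultdict

# Constructed sample (abridged from the records posted in this bug; the
# resolv.conf SYSCALL record was changed to success=no for illustration).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1391716026.982:421): avc: denied { read } for pid=2336 comm="ipa-otpd" name="urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.982:421): avc: denied { open } for pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1391716026.982:421): arch=c000003e syscall=2 success=yes exit=3 ... comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.984:423): avc: denied { read } for pid=2336 comm="ipa-otpd" name="resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1391716026.984:423): arch=c000003e syscall=2 success=no exit=-13 ... comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
"""

# Real auditd output has double spaces around "denied"; \s+ accepts both forms.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)'
)


def parse_records(text):
    """Return (denials, success): a list of parsed AVC denials and a map of
    audit serial -> True/False taken from the matching SYSCALL record."""
    denials, success = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "serial": m["serial"],
                "perms": m["perms"].split(),
                "stype": m["stype"],
                "ttype": m["ttype"],
                "tclass": m["tclass"],
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            success[m["serial"]] = (m["success"] == "yes")
    return denials, success


def allow_rules(denials):
    """Collapse denials into one allow rule per (source, target, class),
    merging the permissions, in the order audit2allow would print them."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


def permissive_serials(denials, success):
    """Serials whose denial was paired with a SYSCALL that still succeeded,
    i.e. the domain (or the whole system) was permissive at the time."""
    return sorted({d["serial"] for d in denials if success.get(d["serial"]) is True})


if __name__ == "__main__":
    # Pass "-" to read `ausearch -m avc` output from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_AUDIT
    denials, success = parse_records(text)
    for rule in allow_rules(denials):
        print(rule)
    for serial in permissive_serials(denials, success):
        print(f"# serial {serial}: denial logged but syscall succeeded (permissive)")
```

The grouped rules are a review aid, not something to install verbatim: a rule such as `allow ipa_otpd_t net_conf_t:file { read };` tells you which refpolicy interface to call (here the sysnet_read_config interface discussed later in this bug) rather than being copied into a local module.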
Nathaniel,

For /dev/urandom we have

allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ;

as part of the boolean 'global_ssp'.

Miroslav,

For /etc/resolv.conf can we add something like

sysnet_read_config(ipa_otpd_t)
commit ba7fff67029390cdbd9554348aa3a7d6b1839b57
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 18 10:54:56 2014 +0100

    Allow ipa-otpd to perform DNS name resolution
What needs to be done to allow read of /dev/urandom?
Add a local policy or wait for a new update which is coming today.
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
I have tested all the code-paths with ipa-otpd and I have been unable to trigger any further AVCs. Thanks! We can close this when the policy gets pushed to updates.
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.