Bug 970163 - SELinux policy for ipa-otpd
SELinux policy for ipa-otpd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Assigned To: Simon Sekidde
Ben Levenson
Reported: 2013-06-03 11:02 EDT by Nathaniel McCallum
Modified: 2015-02-19 05:46 EST (History)

Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Last Closed: 2014-03-12 08:19:52 EDT
Type: Bug


Attachments
ipa-otpd initial policy (10.00 KB, application/x-tar)
2013-06-11 08:16 EDT, Miroslav Grepl
Description Nathaniel McCallum 2013-06-03 11:02:56 EDT
FreeIPA grew a new daemon in Fedora 19 and needs SELinux policy generated for it. It is systemd socket activated and listens on /var/kerberos/krb5kdc/DEFAULT.socket. It also needs permissions to connect to the local FreeIPA server (/var/run/slapd-*.socket) and all local and remote RADIUS ports (typically udp 1812). Other than that it can be completely locked down.
Comment 1 Miroslav Grepl 2013-06-04 09:44:59 EDT
So it should be a part of the selinux-policy packages?
Comment 2 Simo Sorce 2013-06-04 09:50:33 EDT
We are evaluating handing over all the FreeIPA/IdM policies back to the base selinux-policy packages, so we can start with ipa-otpd maybe ?
Comment 3 Miroslav Grepl 2013-06-04 10:21:02 EDT
Ok, I will create an initial policy for testing.
Comment 4 Martin Kosek 2013-06-11 02:58:37 EDT
Hi guys, any change or update on this front?
Comment 5 Miroslav Grepl 2013-06-11 07:48:45 EDT
I am creating a test policy.
Comment 6 Miroslav Grepl 2013-06-11 08:16:05 EDT
Created attachment 759598 [details]
ipa-otpd initial policy

Could you please download/unpack the archive and run

# sh ipa.sh

re-test and

# ausearch -m avc -ts recent
Comment 7 Martin Kosek 2013-06-14 04:36:49 EDT
Nathaniel, any luck with the policy?
Comment 8 Nathaniel McCallum 2013-07-16 13:55:32 EDT
No, the policy does not work.

1. systemd creates /var/kerberos/krb5kdc/DEFAULT.socket. It is currently receiving the context krb5kdc_conf_t.

2. krb5kdc is running as context krb5kdc_t and needs to open (read/write) /var/kerberos/krb5kdc/DEFAULT.socket (and potentially all other sockets in this directory).

3. Once krb5kdc connects to /var/kerberos/krb5kdc/DEFAULT.socket, systemd starts ipa-otpd. ipa-otpd currently receives init_t.

4. ipa-otpd must be able to open /var/run/slapd-*.socket (currently dirsrv_var_run_t).

5. ipa-otpd must be able to open a RADIUS socket (usually udp 1812).

The following audit2allow makes everything work, but I suspect further constraint separation is desired:
allow krb5kdc_t init_t:unix_stream_socket connectto;
allow krb5kdc_t krb5kdc_conf_t:sock_file write;
Comment 9 Martin Kosek 2013-07-24 04:17:39 EDT
Hello Mirek, any other way we can help beyond Comment 8 to add support for ipa-otpd to the system policy?
Comment 10 Miroslav Grepl 2013-07-24 04:59:12 EDT
Ok, and how does the following output look

# ps -eZ |grep ipa

if you test it.

I am planning to add the policy to new freeipa.pp policy module.
Comment 11 Martin Kosek 2013-07-24 06:32:40 EDT
FreeIPA does not have any running "ipa" process; it is rather composed of a set of integrated processes.

This is what I get with selinux-policy-3.12.1-65.fc19.noarch:

# ps -eZ | egrep "(httpd|krb5kdc|otp|slap|ipa_memcache|tomcat|named|kadmin)" 
system_u:system_r:dirsrv_t:s0    1328 ?        00:02:17 ns-slapd
system_u:system_r:pki_tomcat_t:s0 13117 ?      00:05:38 java
system_u:system_r:kadmind_t:s0  13228 ?        00:00:00 kadmind
system_u:system_r:named_t:s0    13500 ?        00:00:11 named
system_u:system_r:httpd_t:s0    13523 ?        00:00:23 httpd
system_u:system_r:httpd_t:s0    13524 ?        00:00:00 nss_pcache
system_u:system_r:httpd_t:s0    29556 ?        00:00:13 httpd
system_u:system_r:httpd_t:s0    29557 ?        00:00:12 httpd
system_u:system_r:httpd_t:s0    29558 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    29559 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    29560 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    29561 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    29562 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    32468 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0    32508 ?        00:00:00 httpd
system_u:system_r:krb5kdc_t:s0  32617 ?        00:00:00 krb5kdc
Comment 12 Miroslav Grepl 2013-07-24 07:46:37 EDT
I wanted to see ipa-otpd if possible. I know it is socket activated, but we need to be sure it runs as ipa_otpd_t instead of init_t.
Comment 13 Martin Kosek 2013-07-24 11:05:45 EDT
Ok. I will leave that to Nathaniel; he is more fluent with ipa-otpd than I am.
Comment 14 Nathaniel McCallum 2013-07-24 11:16:45 EDT
Miroslav, do you want me to run that with or without the non-working policy provided in this bug?
Comment 15 Miroslav Grepl 2013-07-25 08:28:46 EDT
Just wanted to see the policy really works and we have the right labeling for the service.
Comment 16 Nathaniel McCallum 2013-11-12 08:45:02 EST
# ps -eZ | grep ipa
system_u:system_r:ipa_otpd_t:s0  2054 ?        00:00:00 ipa-otpd
Comment 17 Miroslav Grepl 2013-12-06 15:23:06 EST

*** This bug has been marked as a duplicate of bug 970169 ***
Comment 18 Nathaniel McCallum 2013-12-06 16:25:39 EST
These are not duplicates.

#970163 requests a new policy to constrain ipa-otpd.
#970169 requests a change to the existing krb5kdc policy.
Comment 19 Miroslav Grepl 2013-12-09 10:00:12 EST
Added to rawhide.

commit 49188774ae96b7b4744e5c1e44a35d576fb02480
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Dec 9 15:59:14 2013 +0100

    Add policy for ipa_otpd_t as a part of ipa.pp
Comment 20 Miroslav Grepl 2013-12-09 10:03:31 EST
/var/kerberos/krb5kdc/DEFAULT.socket

has it been moved to /run?
Comment 21 Nathaniel McCallum 2013-12-09 10:51:49 EST
No. Upstream does not wish to move it.
Comment 22 Daniel Walsh 2013-12-10 09:23:49 EST
Any reason why not?
Comment 23 Nathaniel McCallum 2013-12-10 11:47:52 EST
Because it is Linux specific. And then only modern Linux. And then not even all modern Linuxes. Due to the requirement of support for other UNIXes, MIT rejects most all OS specific patches. I discussed this with them via phone and they were strongly disinclined to accept such a patch.
Comment 24 Daniel Walsh 2013-12-11 16:31:08 EST
Is there a configuration that we can change on our own?  Or could we send a patch to them to add a configuration?
Comment 25 Nalin Dahyabhai 2013-12-11 16:57:06 EST
The path to the RADIUS server's local socket (and if it's even a local socket) is indeed configurable in krb5.conf.

If the location isn't explicitly configured, the location is computed using the format string "/var/kerberos/krb5kdc/%s.socket" and the label that's being used to represent the server ("DEFAULT" by default), and that's where ipa-otpd's configuration defaults to telling systemd to put the socket.

The directory part of that's derived from the localstatedir that's set at configure-time when the package is being built, though, so I'd suggest that the policy handle the label for the socket like it does for KDC configuration, realm databases, and locks -- as though they could show up in multiple locations.
Comment 26 Nathaniel McCallum 2013-12-17 09:08:34 EST
+1, the sockets could show up in multiple locations.

However, all the stuff related to krb5kdc policy needs to go in bug 970169.

I will confirm that the ipa-otpd policy is working and then this bug can be closed.
Comment 27 Nathaniel McCallum 2013-12-20 13:37:19 EST
ipa-otpd is currently running under system_u:system_r:ipa_otpd_t:s0 in rawhide. I'm able to connect to pretty much anywhere from the daemon with ldap/RADIUS.

Miroslav, is ipa_otpd_t otherwise constrained? If yes, then I think we are done with this bug. Where is the commit diff for this change?
Comment 28 Miroslav Grepl 2014-01-06 15:36:53 EST
If it works in rawhide then we can back port it to F20/RHEL7.
Comment 29 Miroslav Grepl 2014-01-07 11:58:21 EST
commit a66cf1bff68035c7a9b11fe3801c00c0cafce6bc
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Jan 7 17:56:36 2014 +0100

    backport ipa policy files
Comment 30 Fedora Update System 2014-01-13 17:54:15 EST
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Comment 31 Fedora Update System 2014-01-15 00:55:52 EST
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
Comment 32 Fedora Update System 2014-01-16 02:08:24 EST
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Nathaniel McCallum 2014-02-07 11:09:32 EST
So it appears that the new ipa-otpd policy has also caused new problems. Namely: /dev/urandom and /etc/resolv.conf.

type=AVC msg=audit(1391716026.982:421): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=AVC msg=audit(1391716026.982:421): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1391716026.982:421): arch=c000003e syscall=2 success=yes exit=3 a0=7f71d5e9d744 a1=0 a2=40 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

type=AVC msg=audit(1391716026.983:422): avc:  denied  { getattr } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1391716026.983:422): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff141c5e50 a2=7fff141c5e50 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

type=AVC msg=audit(1391716026.984:423): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=AVC msg=audit(1391716026.984:423): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1391716026.984:423): arch=c000003e syscall=2 success=yes exit=6 a0=7f71d7a9f41a a1=80000 a2=1b6 a3=7fff141c5b00 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

type=AVC msg=audit(1391716026.984:424): avc:  denied  { getattr } for  pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1391716026.984:424): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff141c39d0 a2=7fff141c39d0 a3=0 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
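An added example (not code from the bug report or the selinux-policy project) that processes the AVC records above the way a policy maintainer would before deciding on rules: it collapses the denials into audit2allow-style allow rules of the form shown in comment 8, and checks whether processes named ipa-otpd are running in the expected ipa_otpd_t domain (the concern in comments 8 and 12). The sample records are trimmed copies of the lines above; the init_t record is a constructed hypothetical, not from the bug.

```python
import re
from collections import defaultdict

# Constructed sample: the six AVC records for /dev/urandom and /etc/resolv.conf
# quoted in comment 33, trimmed to the fields the parser needs.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1391716026.982:421): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="urandom" scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.982:421): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.983:422): avc:  denied  { getattr } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.984:423): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="resolv.conf" scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1391716026.984:423): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1391716026.984:424): avc:  denied  { getattr } for  pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
"""

# Constructed, hypothetical record for the mislabeling comment 8 describes:
# ipa-otpd started by systemd but still running in init_t instead of ipa_otpd_t.
SAMPLE_MISLABELED = 'type=AVC msg=audit(1:1): avc:  denied  { connectto } for  pid=1 comm="ipa-otpd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket\n'

def parse_avc(line):
    """Fields of one AVC record that matter for policy work; None for other record types."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \}", line)
    if not line.startswith("type=AVC") or not m:
        return None
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not {"scontext", "tcontext", "tclass"}.issubset(f):
        return None
    ctx_type = lambda ctx: ctx.split(":")[2]  # user:role:type[:range] -> type
    return {"result": m.group(1), "perms": set(m.group(2).split()),
            "comm": f.get("comm", "").strip('"'), "stype": ctx_type(f["scontext"]),
            "ttype": ctx_type(f["tcontext"]), "tclass": f["tclass"]}

def denials_to_rules(text):
    """Collapse denied AVCs into one audit2allow-style rule per (source, target, class)."""
    rules = defaultdict(set)
    for rec in map(parse_avc, text.splitlines()):
        if rec and rec["result"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out

def unexpected_domains(text, comm, expected_type):
    """Source types other than expected_type seen for comm; non-empty means no proper transition."""
    return sorted({r["stype"] for r in map(parse_avc, text.splitlines())
                   if r and r["comm"] == comm and r["stype"] != expected_type})
```

The generated rules are the raw minimum a2a would print; in the real fix they were replaced by the interface calls discussed in comment 34 (sysnet_read_config and the urandom access already carried by the domain attribute), which is the usual step from "what was denied" to "which policy interface grants it".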
Comment 34 Simon Sekidde 2014-02-17 18:33:15 EST
Nathaniel, 

For /dev/urandom we have 

 allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; 

as part of the boolean 'global_ssp'

Miroslav, 

For /etc/resolv.conf can we add something like 

sysnet_read_config(ipa_otpd_t)
Comment 35 Miroslav Grepl 2014-02-18 04:55:12 EST
commit ba7fff67029390cdbd9554348aa3a7d6b1839b57
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 18 10:54:56 2014 +0100

    Allow ipa-otpd to perform DNS name resolution
Comment 36 Nathaniel McCallum 2014-02-18 08:29:22 EST
What needs to be done to allow read of /dev/urandom?
Comment 37 Miroslav Grepl 2014-02-18 08:32:38 EST
Add a local policy or wait for a new update which is coming today.
Comment 38 Fedora Update System 2014-02-18 17:10:44 EST
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
Comment 39 Nathaniel McCallum 2014-02-20 09:23:09 EST
I have tested all the code-paths with ipa-otpd and I have been unable to trigger any further AVCs. Thanks! We can close this when the policy gets pushed to updates.
Comment 40 Fedora Update System 2014-02-21 19:42:56 EST
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).
Comment 41 Fedora Update System 2014-03-12 08:19:52 EDT
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
